This new law of 2022 will ban the use of stupid passwords in smart devices
The UK government has, not before time many would argue, proposed legislation that will ban the use of silly passwords in so-called smart devices.
The Product Security and Telecommunications Infrastructure (PSTI) Bill has not yet been passed; according to government sources, that will happen as soon as parliamentary time permits. This means we should see the law come into force in 2022.
What has already happened, however, is that the bill has been published, and we now know what months and years of consultation and industry expertise have produced.
What consumer safety protections will the new law introduce?
The PSTI Bill provides for three regulatory measures to close the security gap as it applies to smart devices:
- Weak, factory-set default passwords will no longer be allowed. Instead, all affected devices will need to ship with unique passwords that cannot be reset to a single universal factory setting.
- A contact for researchers, hackers, bug hunters and others to report security vulnerabilities must be publicly posted.
- Consumers must be told, at the time of purchase, for how long the device they are buying will receive security updates. If the device cannot or will not receive any such updates or fixes, that must be declared.
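As an added example that is not part of the original article, the following Python script audits a batch of constructed device provisioning records against the three requirements listed above. The record fields, the banned-default list and the sample data are assumptions for illustration, not anything defined by the bill.

```python
"""Added example: pre-shipment audit of device records against the three
PSTI requirements (unique default password, public disclosure contact,
declared update period). Field names and sample data are assumptions."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed list of universal factory defaults of the kind the bill bans.
BANNED_DEFAULTS = {"admin", "password", "1234", "12345678", ""}

@dataclass
class DeviceRecord:
    serial: str
    default_password: str        # password printed on the unit's label
    security_contact: str        # public vulnerability-reporting address, "" if none
    updates_until: date | None   # end of security-update period, None if never updated
    shipped_on: date

def audit_device(rec: DeviceRecord) -> list[str]:
    """Return the PSTI findings for one device (empty list means compliant)."""
    findings = []
    if rec.default_password.lower() in BANNED_DEFAULTS or len(rec.default_password) < 8:
        findings.append("weak or universal default password")
    if not rec.security_contact:
        findings.append("no public vulnerability disclosure contact")
    if rec.updates_until is None:
        # Permitted only if the absence of updates is declared at point of sale.
        findings.append("no security updates: must be declared to the buyer")
    elif rec.updates_until < rec.shipped_on:
        findings.append("update period already over at time of sale")
    return findings

def audit_batch(batch: list[DeviceRecord]) -> dict[str, list[str]]:
    """Audit every device and also flag passwords shared across units."""
    counts = Counter(r.default_password for r in batch)
    report = {}
    for rec in batch:
        findings = audit_device(rec)
        if counts[rec.default_password] > 1:
            findings.append("default password shared with other units")
        if findings:
            report[rec.serial] = findings
    return report

# Constructed sample batch: two units share "admin", one is compliant.
SAMPLE_BATCH = [
    DeviceRecord("SN-0001", "admin", "", None, date(2022, 3, 1)),
    DeviceRecord("SN-0002", "admin", "security@example.com", date(2025, 1, 1), date(2022, 3, 1)),
    DeviceRecord("SN-0003", "k7Q2-xm9L-4pWd", "security@example.com", date(2025, 1, 1), date(2022, 3, 1)),
]

if __name__ == "__main__":
    for serial, findings in audit_batch(SAMPLE_BATCH).items():
        print(serial, "->", "; ".join(findings))
```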
“One of the most commonly used attack vectors is default, easy-to-guess passwords preloaded on multiple devices,” said George Papamargaritis, director of Obrela Security Industries. “The fact that this new law prohibits default passwords is a big step forward and will encourage device manufacturers to consider security before releasing products; otherwise they could face business-destroying fines.”
“We are coming to a point where security by design will be a mandatory requirement and not an afterthought,” said Laurie Mercer, security engineer at HackerOne. “This is an important step towards safer connected consumer products and shows that the UK is at the forefront of creating a secure digital connected society.”
What smart devices will be covered by this new law?
What devices are covered? Well, this is consumer goods law, and it covers routers, security cameras, game consoles, televisions, smart speakers and assistants, baby monitors, doorbells and, yes, smartphones. It does not cover laptops and desktops, medical devices, cars or smart meters.
This is a good step forward, as the law will apply both to manufacturers of devices and to those who import and sell them. It will be overseen by a regulator who has yet to be appointed, and offenders will face fines of £10 million or 4% of global revenues; ongoing infractions may result in a daily penalty of £20,000. Of course, California already has Senate Bill 327, which requires similar password rules and went into effect on January 1, 2020.
Overall this is a good thing, but it has limitations: many smart devices are pretty dumb when it comes to security and have no capability for firmware fixes, and the law will only require that this absence be declared. Even for those that can be fixed, the updates don’t have to be automated. Without such automation, most consumers won’t bother, which means a disclosed vulnerability could make the device less secure, since threat actors will then look for exploits.
Expert opinion: an interview with David Rogers MBE
I spoke with David Rogers MBE, CEO of Copper Horse and Chairman of the GSM Association (GSMA) Fraud and Security Group. Rogers also sits on the board of directors of the Internet of Things Security Foundation. With over 20 years of experience in in-vehicle device security, David volunteered to write a set of technical requirements, which culminated in the UK Code of Practice for Consumer IoT Security.
“The government has always said that if it doesn’t see an improvement in the market situation it is ready to legislate and regulate,” says Rogers, “and we are here now, where there is a demonstrable market failure.” He cites his company’s research, which found that four out of five IoT device companies had no way for security researchers to contact them, for example. “It’s a really shocking situation and it’s really the tip of the iceberg,” continues Rogers. “What does that say about the ability of these companies to secure their own products?”
An important first step
Rogers agrees that the new PSTI Bill is a first step that addresses the three main mandates of the code of practice. “For me this touches the major issues, and if we only solve those parts, we go much further to protect consumers,” he says. But this is far from the end of the story, and the key message to the industry must be, Rogers insists, “why wait? What’s your excuse? Bad things happen, and it’s the IoT makers’ responsibility to be part of the solution, not the problem!”
Rogers admits this is a tough challenge, because product security is a moving target: if a vulnerability is discovered, it should be fixed and patched wherever possible. “That’s why it really comes down to the length of time that vendors provide security updates,” he says, “and providing that information clearly to consumers and retailers.”
A security baseline for all electronic devices?
But what about the devices that are covered, or rather those that are not? “Of course I want to see a security baseline for all electronic devices,” Rogers continues, “but there are clearly industry differences and already existing regulations, especially in the automotive and medical industries. They cover safety aspects that go beyond where we are here, and it doesn’t seem logical to grab those spaces.”
Rogers also believes an impact is being felt even before the bill receives Royal Assent and becomes law. “Interest in industry IoT security compliance programs has exploded,” he says, “simply with the threat of legislation by a multitude of countries.” To be fair to responsible companies, Rogers points out that they have also lobbied for this. “The excellent GSMA IoT security work was underway in 2014, already building on existing work in the mobile device space,” he says. “What we’ve seen is an alignment between government, industry and also the hacking community. Everyone knows what the problems are and, above all, how to fix them. So let’s go!”
We can’t look back and mend the past
When it comes to the existing volume of smart devices already in the market, Rogers takes a pragmatic view. “One thing many of us were aware of was not adding to the already existing mountain of IoT e-waste or unnecessarily penalizing people who can’t afford expensive products,” he says. “We can’t look back and fix the past,” Rogers concludes, “but we can look to the future, and the technology lifecycle is still very fast. More generally, it is bad practices that we seek to eliminate, and we are seeing a wide range of work that is intolerant of poor and unacceptable engineering practices, whether it is supply chain security or the protection of personal privacy.”
“This is the start of a huge movement towards a safer online society, but that won’t change overnight,” concludes Jake Moore, cybersecurity specialist at ESET. “These proposals are exactly what is needed to help point people in the right direction after typical security measures by design have not been strong enough to help those who desperately need them.”