World-first laws protecting businesses and consumers from hacking and cyber-attacks have come into force.
Manufacturers of products such as phones, TVs and smart doorbells are now required to implement minimum security standards against cyber threats.
Under the new regime manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’ and if there is a common password the user will be prompted to change it on start-up.
The UK Government says this will help prevent threats like the Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet.
Recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices.
An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.
The new measures will also introduce a series of improved security protections to tackle the threat of cyber-crime:
- Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking.
- Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.
- Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information.
“The Office for Product Safety and Standards (OPSS) must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law. But we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”
National Cyber Security Centre (NCSC) Deputy Director for Economy and Society, Sarah Lyons, said:
“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy.
“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new PSTI regulation affects them and how smart devices can be used securely.”
