
UK Law Aims To Boost Security For ‘Smart’ Devices

A new UK law that took effect on Monday requires basic security standards for smart devices sold in the country, in a move that may help cut off a security loophole that has exposed large numbers of consumer and business gadgets to hackers.

The Product Security and Telecommunications Infrastructure (PSTI) Act of 2022 takes aim at the internet-connected devices that have proliferated in homes and businesses in recent years, often with default passwords that are either easily guessed or have been shared online.

Such devices can create a security backdoor into a home or organisation, giving hackers a point of entry from which they can move laterally to other parts of the local network, security experts say.

They are also vulnerable to being co-opted into botnets which may then be used to launch further attacks, such as denial-of-service attacks, usually without the knowledge of the devices’ owners.


Security loophole

In 2016 the Mirai botnet, which launched DNS attacks that took down major websites such as Amazon, Twitter, GitHub, Spotify and Reddit, consisted largely of infected consumer routers from internet service provider TalkTalk.

In a report from around the same period, security firm Darktrace said hackers were able to steal data from the network of a North American casino after breaking in via an internet-connected temperature sensor in a lobby fish tank.

The new rules aim to make it more difficult for hackers to access mass-produced internet-connected devices by outlawing the sale of devices with insecure default passwords such as “1234” or “admin”. Unique pre-installed passwords are still allowed.

Companies selling devices in the UK are now required to provide contact details for reporting bugs or security flaws, and must inform consumers of the minimum period for which they commit to providing security updates.

Smart devices

The law targets devices ranging from smart speakers to smart TVs and streaming devices, to doorbells, baby monitors and security cameras, and even domestic devices such as light bulbs, plugs, kettles, ovens and fridges.

Devices that do not comply may be recalled, and manufacturers may be fined up to £10 million or 4 percent of their global revenue, whichever is higher.

The law is to be administered by the Office for Product Safety and Standards (OPSS), part of the Department for Business and Trade.

Consumer group Which? said the government must be prepared to take “strong enforcement action”, but added that it expects smart device makers will comply “from day one”.

‘Peace of mind’

Viscount Camrose, the government’s minister for cyber, said the law would give consumers “peace of mind”.

“Security has notoriously been left to the consumer to take care of but this new requirement places the onus firmly back on the manufacturers to continue to protect their devices, especially if they are designed to last many years,” said ESET security adviser Jake Moore.

The EU is working on a Cyber Resilience Act with similar provisions, but these are not expected to take effect until 2027.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDNet and other leading publications.
