New UK Law Spotlights Weak Security Features in Smart Devices


Cybercriminals exploit various avenues to target consumers, and weak default passwords are one particularly vulnerable point.

The United Kingdom has taken a step toward closing this security gap by introducing a consumer protection law. Considered the first of its kind globally, the rule sets a precedent in safeguarding consumers against exploitation of weak security features.

The new law, known as the Product Security and Telecommunications Infrastructure Act, went into effect Monday (April 29) and mandates that all internet-connected smart devices, from smartphones and connected fridges to gaming consoles, meet minimum security standards, according to a U.K. government press release.

“Under the new regime, manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345,’ and if there is a common password, the user will be [prompted] to change it on startup,” the release said.

By implementing this regulation, the government aims to avoid a repeat of incidents like the Mirai attack in 2016, which compromised 300,000 smart products with weak default passwords, resulting in major disruptions in internet services, per the release. The attack left parts of the East Coast of the United States without connectivity. Subsequent attacks on U.K. banks, including Lloyds and RBS, underscored the urgency of addressing this issue, the statement further noted.

The significance of this move extends beyond immediate security concerns. Government data showed that 99% of U.K. adults own at least one smart device, with households averaging nine connected devices, the release said.

This aligns with research from PYMNTS Intelligence, which indicated that the average consumer now owns six connected devices, with millennials and bridge millennials leading the charge with an average of seven devices each.

Against this backdrop, the U.K. seeks to reinforce its defenses against rising cybercrime, propelled by the widespread adoption of smart devices. By instilling consumer trust in purchasing and using these products, the country expects to spur business growth and boost the national economy, according to the release.

In parallel, the private sector is stepping up to improve smart device security. Microsoft, for instance, is prioritizing cybersecurity. Chairman and CEO Satya Nadella emphasized a “doubling down” on security “above all else — before all other features and investments” during the company’s third-quarter earnings call April 25.

Nadella added that Microsoft’s Secure Future Initiative, launched in November, underscores this commitment, focusing on areas such as identity protection, threat detection and response capabilities.

Meanwhile, the Connectivity Standards Alliance, comprising nearly 200 member companies including industry giants like Amazon and Google, launched the IoT Device Security Specification 1.0 in March. This global cybersecurity standard and certification program aims to bolster the security of connected devices, thereby increasing consumer confidence in their use.

“As consumers embrace the convenience and value of IoT [Internet of Things] devices, the alliance is dedicated to helping to create more comprehensive protection for consumers,” Steve Hanna, chair of the product security working group steering committee, explained at the time, adding that the Product Security Verified Mark and IoT Device Security Specification 1.0 “will make it easier for manufacturers to address consumer IoT security requirements around the world.”