The UK Just Banned Default Passwords


UK lawmakers are sick and tired of shitty Internet of Things passwords and are whipping out legislation with steep penalties and bans to prove it. The new legislation, introduced to the UK Parliament this week, would ban universal default passwords and aims to create what supporters are calling a “firewall around everyday tech.”

Specifically, the bill, called the Product Security and Telecommunications Infrastructure Bill (PSTI), would require that internet-connected consumer devices ship with a password unique to each unit, and would stop a factory reset from putting a device back onto a default shared across the whole product line. The bill would also force companies to tell customers for how long their products will receive security updates and patches, a practice only 20% of firms currently engage in, according to a statement accompanying the bill.
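What that requirement looks like on the manufacturing side, as an added illustration that is not code from the bill, from any regulator, or from any vendor: each unit gets its own CSPRNG-generated password at provisioning, the device stores only a salted verifier, a factory reset issues a fresh per-device password instead of reverting to a shared one, and a pre-shipment audit flags any label password that is a known default or is duplicated across serials. The password policy (16 alphanumeric characters, PBKDF2-SHA256 with 100,000 rounds), the `Device` class, and the list of known defaults are assumptions made for the example.

```python
"""Per-device credentials at provisioning and on factory reset.

Added illustration, not code from the PSTI bill or from any manufacturer.
The password policy, the work factor and the default-password list below
are assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed sample of the kind of universal defaults the bill targets; not exhaustive.
KNOWN_DEFAULTS = {"", "123456", "12345", "1234", "admin", "password", "default"}
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the device's CPU


def generate_device_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw a password from the OS CSPRNG so every unit gets its own value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256: the device keeps a verifier, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Device:
    """Hypothetical stand-in for a device's credential store."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.salt: bytes = b""
        self.digest: bytes = b""

    def set_password(self, password: str) -> None:
        self.salt, self.digest = hash_password(password)

    def login(self, password: str) -> bool:
        return verify_password(password, self.salt, self.digest)


def provision(serial: str) -> Tuple[Device, str]:
    """Factory step: the returned plaintext goes on the unit's label and is
    not retained by the factory; the device stores only the verifier."""
    device = Device(serial)
    password = generate_device_password()
    device.set_password(password)
    return device, password


def factory_reset_noncompliant(device: Device) -> str:
    """The pattern the bill bans: every reset unit ends up on the same default."""
    device.set_password("admin")
    return "admin"


def factory_reset(device: Device) -> str:
    """Compliant reset: discard the old verifier and issue a fresh per-device password."""
    password = generate_device_password()
    device.set_password(password)
    return password


def is_universal_default(password: str) -> bool:
    return password.lower() in KNOWN_DEFAULTS


def audit_label_passwords(labels: Dict[str, str]) -> List[str]:
    """Pre-shipment check over {serial: label password}: flag any serial whose
    password is a known default or is shared with another serial."""
    holders: Dict[str, List[str]] = {}
    for serial, pw in labels.items():
        holders.setdefault(pw, []).append(serial)
    flagged = [s for s, pw in labels.items() if is_universal_default(pw) or len(holders[pw]) > 1]
    return sorted(flagged)


if __name__ == "__main__":
    dev, pw = provision("SN-0001")
    print("label password:", pw, "login ok:", dev.login(pw))
    new_pw = factory_reset(dev)
    print("after reset, old password works:", dev.login(pw), "new works:", dev.login(new_pw))
    # Constructed fleet sample: one known default, one duplicated pair, one good unit.
    sample = {"SN-A": "123456", "SN-B": "Qx9dL2mT8vR4sW6y",
              "SN-C": "Qx9dL2mT8vR4sW6y", "SN-D": "Zp3kN7hB1cV5gJ2e"}
    print("flagged:", audit_label_passwords(sample))
```

On a real product the password issued by `factory_reset` has to reach the owner somehow (a display, a printed QR code, or a forced set-on-first-use flow); what matters for the bill is that the value after reset is never one shared with other units.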

These bolstered security proposals would be overseen by a regulator with sharpened teeth: companies refusing to comply with the security standards could reportedly face fines of up to £10 million or four percent of their global revenue, whichever is higher.

“Every day hackers attempt to break into people’s smart devices,” UK Minister for Media, Data and Digital Infrastructure Julia Lopez said in a statement. “Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.”

The rules take aim at what has become a scourge of weak IoT passwords that attackers exploit at scale. And these aren't merely weak-but-serviceable passwords either. According to a 2020 report from cybersecurity company Symantec, in 55% of IoT attacks the password attackers tried was “123456”; “admin” accounted for another 3%. Those are the values attackers try precisely because they are the factory defaults that ship on whole product lines. IoT devices are notoriously insecure beyond passwords as well: a recent report from Palo Alto Networks found that 98% of all IoT device traffic was unencrypted.

The problem is only getting worse, especially as smart home devices gain mass popularity and become more affordable. Though estimates vary, the total number of IoT devices worldwide could swell to over 20 billion by 2030. That is already translating into more attacks. Just two months ago, Kaspersky told Threatpost that it had detected 1.5 billion IoT attacks in the first half of 2021 alone, double what it detected in the last six months of 2020.
