Easy-to-guess default device passwords are a step closer to being banned

New plans designed to protect IoT devices from cyberattacks will ban default passwords and require manufacturers to tell users how long smart devices - including phones - will receive security updates for.
Written by Danny Palmer, Senior Writer

Easy-to-guess default passwords will be banned and smart device manufacturers will be required to tell customers how long their new product will receive security updates under plans to protect Internet of Things (IoT) devices and their users from cyberattacks.

Laws will also require manufacturers of smart devices including phones, doorbells, cameras, speakers, TVs and more to provide a public point of contact to make it simpler for security vulnerabilities in the products to be reported – and fixed with software updates.

Households and businesses are increasingly connecting IoT products to their networks – but while they're being deployed with the aim of providing benefits, insecure IoT devices can be exploited by cyber criminals.


That can lead to malicious hackers using insecure smart devices as a stepping stone onto corporate or personal networks and using that access as a means of conducting cyberattacks, as well as potentially invading the privacy of users.

In an effort to protect smart devices, the UK government's Department for Digital, Culture, Media and Sport (DCMS) has announced that the requirement for IoT devices to be Secure by Design will become law. DCMS had previously proposed the idea, but it has now moved another step towards actually becoming legislation – and smartphones will be included in the plans.

Under the planned new laws, customers must be informed at the point of sale as to the length of time for which a smart device will receive security software updates in a move designed to encourage people to buy devices that are going to receive security patches for a long time – making them more resilient to cyber threats that exploit new vulnerabilities.

This will also apply to smartphones, which are now going to be included in any legislation designed to boost the defences of connected devices.

The addition of smartphones comes following a government call for views on smart device security in which respondents suggested the amount of personal information on smartphones, and the way they're so widely used, means they should be included in smart device safety legislation.

Manufacturers will also be banned from using default passwords such as 'password' or 'admin' in an effort to protect users from opportunistic cyberattacks that take advantage of common or weak passwords to gain control of devices.

The proposed legislation builds on a previously published code of practice for IoT device manufacturers – although now the suggestions would be required, not just recommended.

"Consumers are increasingly reliant on connected products at work and at home. The COVID-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough," said Ian Levy, technical director at the National Cyber Security Centre (NCSC).

"To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now," he added.


The NCSC has previously provided advice for consumers on how to keep their IoT devices secure.

There's currently no indication of when the proposals will be made law, but the government says the legislation will be introduced "as soon as parliamentary time allows" and businesses will be given time to adjust to the laws once they're introduced.

There are also no details as yet about how the legislation will be enforced, or what measures will be taken against smart device manufacturers or retailers that aren't compliant.
