Hefty fines await UK smart device consumers using default passwords

Under new legislation, default passwords for internet-connected devices will be banned, and firms that do not comply will face huge fines.
26 November 2021

Hefty fines and an outright ban for smart devices with default passwords in the UK. Source: Tobias Schwarz/AFP/Getty

  • The heavy punishments include outright bans, aiming to curtail attacks on household smart devices
  • The Product Security and Telecommunications Infrastructure (PSTI) Bill is a suite of new regulations designed to improve security on smart home devices
  • Fines could hit up to £10 million or 4% of a company’s gross revenue — with up to £20,000 a day levied for persistent infractions

When Kevin Ashton coined the term Internet of Things (IoT) 22 years ago, only 4% of the world’s population was online and connected devices on the market were virtually non-existent. Today, well over half (60%, or 4.72 billion) of the world’s population is online, with an estimated 11.3 billion smart devices in use. Those connected devices are no doubt revolutionary for homes and companies, but they also open the floodgates to a whole list of security vulnerabilities.

The vulnerability of smart devices is nothing new, but end-users take few steps to secure them. IoT devices naturally collect a lot of data, which is why they are becoming a key target for hackers. To top it off, the often poor security of end-user IoT devices allows them to function as backdoors through which a bad actor can gain access to the wider network.

The matter shouldn’t be taken lightly, not least because the ownership and use of connected tech products has shot up dramatically in recent years. On average, there are nine connected devices in every UK household, with forecasts suggesting there could be up to 50 billion worldwide by 2030.

Unfortunately, consumers generally assume these devices are secure, but only one in five manufacturers have appropriate security measures in place for their connectable products, the UK government said in a blog posting.

Britons care less about their smart device security

Research from NordVPN indicated that UK users are taking the least action to secure their devices compared to those in Australia, the US, Germany, Canada, France, and the Netherlands. The statistic shows the potential scale of the problem: about a quarter (24%) of UK users aren’t taking any measures to protect those devices.

NordVPN’s Digital Privacy Expert, Daniel Markuson, reckons that “IoT device makers are in a rush to sell the gadgets as quickly as possible. This means that they are shipping them out with the minimum features required for them to function, shortening the development process and cutting costs as much as possible.”

UK govt wants to switch focus on smart devices

The UK government decided to take matters into its own hands by introducing the Product Security and Telecommunications Infrastructure (PSTI) Bill, which first bans easy-to-guess default passwords for internet-connected devices; firms that do not comply will face huge fines.

The law would apply not only to manufacturers, but also to businesses that import tech products into the UK. Products covered include smartphones, routers, security cameras, games consoles, and home speakers, along with internet-enabled appliances and toys.

Originally proposed a year ago following a long period of consultation, the rules also require manufacturers to tell customers at the point of sale, and keep them updated thereafter, about the minimum period for which the product will receive security patches and updates.

Should a product not receive security updates at all, that fact must be disclosed. Finally, manufacturers must also provide a public point of contact for security researchers so they can easily disclose flaws and bugs.

“Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards,” UK Minister Julia Lopez said.

The aim of the UK government is to curtail attacks on household devices, citing 1.5 billion attempted compromises of IoT devices in the first half of 2020 alone. Once the bill comes into law, it will be overseen by a regulator. Fines could hit up to £10 million (US$13.3 million) or 4% of a company’s gross revenue — with up to £20,000 a day levied for ongoing infractions.