
New laws to bolster smart device security

Author: ICAEW Insights

Published: 07 May 2024

Ban on default passwords part of legislation to help protect consumers from having their internet-enabled devices interfered with by hackers or cybercriminals.

A ban on weak and easily guessable default passwords is among the rules that came into force last week, after new laws were introduced forcing manufacturers to beef up the security of their internet-enabled products.

Manufacturers of devices with internet or network connectivity are now legally required to protect consumers from hackers and cybercriminals, following the introduction of new rules that require all internet-connected smart devices to meet minimum security standards.

Under the new regime, manufacturers of smart devices – anything from smartphones and games consoles to smart doorbells and connected fridges – may no longer ship products with weak, easily guessable default passwords such as ‘admin’ or ‘12345’. Where a product does ship with a common factory password, the user must be prompted to change it on first start-up.
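What the default-password rule means at the firmware level can be made concrete with a small first-boot credential gate. The following Python is an added example written for this article; it is not code from ICAEW, from the PSTI regime or from any manufacturer. It assumes a device with a printed serial number and a MAC address, a constructed blocklist of well-known factory passwords, and a policy that keeps network management closed until the shared factory password has been replaced. It also rejects passwords built from the device’s own identifiers (a pattern that a shared-default ban alone does not catch, since a password derived from a label or the network address is just as guessable).

```python
"""First-boot credential gate for a connected device (illustrative, added example).

Assumptions, not from the article: the device carries a serial number and a
MAC address, ships with a factory password, and exposes no remote management
until that password has been changed to one that passes the policy below.
"""
import hashlib
import hmac
import os
import re

# Constructed blocklist of well-known factory defaults (illustrative only).
COMMON_DEFAULTS = {
    "admin", "password", "12345", "123456", "1234", "root", "default", "user", "guest",
}


def _normalise(text: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", text.lower())


def is_derivable_from_identifier(password: str, identifiers: list[str]) -> bool:
    """True if any 6-character run of a public identifier (serial, MAC) appears in
    the password. Passwords like 'camera-DDEEFF' built from the MAC suffix are a
    common vendor shortcut and are readable by anyone on the LAN or with the box."""
    norm_pw = _normalise(password)
    for ident in identifiers:
        n = _normalise(ident)
        for i in range(len(n) - 5):
            if n[i:i + 6] in norm_pw:
                return True
    return False


def evaluate_password(password: str, identifiers: list[str], min_len: int = 12) -> list[str]:
    """Return the list of policy failures for a candidate password (empty means OK)."""
    reasons = []
    if password.lower() in COMMON_DEFAULTS:
        reasons.append("common default")
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_derivable_from_identifier(password, identifiers):
        reasons.append("derived from a device identifier")
    return reasons


class Device:
    """Minimal model of a device whose management interface stays closed until the
    factory password has been replaced by one that passes evaluate_password."""

    def __init__(self, serial: str, mac: str, factory_password: str):
        self.serial = serial
        self.mac = mac
        self.credentials_changed = False
        self._salt = os.urandom(16)
        self._hash = self._derive(factory_password)

    def _derive(self, password: str) -> bytes:
        # Salted, iterated hash so the stored credential is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def network_services_allowed(self) -> bool:
        """Remote management is only exposed once the shared default is gone."""
        return self.credentials_changed

    def set_password(self, new_password: str) -> list[str]:
        """Apply the policy; on success store the new credential and open services."""
        problems = evaluate_password(new_password, [self.serial, self.mac])
        if problems:
            return problems
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        self.credentials_changed = True
        return []

    def check_login(self, password: str) -> bool:
        """Constant-time comparison so login timing does not leak the hash prefix."""
        return hmac.compare_digest(self._derive(password), self._hash)


if __name__ == "__main__":
    dev = Device("SN12345678", "AA:BB:CC:DD:EE:FF", "admin")
    print("services open before change:", dev.network_services_allowed())
    print("reject 'camera-DDEEFF-pw':", dev.set_password("camera-DDEEFF-pw"))
    print("accept passphrase:", dev.set_password("correct horse battery staple"))
    print("services open after change:", dev.network_services_allowed())
```

The identifier check is the part worth keeping in mind when reading the new rules: a password that is unique per unit but printed on the label or derived from the MAC address is still a default in every sense that matters to an attacker scanning the network.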

It is hoped this will help prevent threats like the Mirai attack in 2016, which compromised some 300,000 smart products with weak security features and used them to attack major internet platforms and services. The attack made many major websites unreachable across much of the US East Coast for several hours.

Since then, similar attacks have occurred on UK banks including Lloyds and RBS, leading to disruption to customers. An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.

The new laws are part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which aims to improve the UK’s resilience from cyber attacks and ensure malign interference does not impact the wider UK and global economy.

Casino fish tank hack

A government factsheet on the PSTI regime cites a 2018 example whereby attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details including bank details.

Other security protections that came into force at the same time include a requirement for manufacturers to publish contact details so that bugs and vulnerabilities can be reported and dealt with. Manufacturers and retailers must also be open with consumers about the minimum period for which a product will receive security updates.

Minister for Cyber, Viscount Camrose, says the growing prevalence of smart tech means new protections are needed to give consumers peace of mind: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater. 

“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

The new laws come against a backdrop of growing use of smart devices by UK consumers. Recent figures show that 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. The government hopes the new regime will help give customers confidence in buying and using products, which will in turn help grow businesses and the economy.

Public protection

Sarah Lyons, Deputy Director for Economy and Society at the National Cyber Security Centre (NCSC), says: “Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber attacks. This landmark Act will help consumers to make informed decisions about the security of products they buy.

“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new PSTI regulation affects them and how smart devices can be used securely.” 

Ian Pay, ICAEW’s Head of Data Analytics and Tech, says any business involved in the manufacture, import, distribution or sale of internet or network-connected devices needs to take action to ensure it complies or risk falling foul of the law. “The scope of devices covered by the legislation is broad and we would encourage our members to reflect on how it might impact them and their organisations,” Pay says.

However, banning default passwords does not by itself make a device secure: the usual best practices of strong, unique passwords and multi-factor authentication still apply. “Given the lifespan of many smart devices and the difficulty in updating them – particularly those in the home – it is likely to take many years before all devices in homes and businesses meet the legislative requirements,” Pay adds.

Jim Gee, Cybercrime and Fraud Specialist and former head of Forensic Services at Crowe UK, says: “The launch of the PSTI regime marks a good step forward towards preventing one aspect of cybercrime. It should help to safeguard UK consumers and businesses from some of the more basic cyber threats. Generally and relative to other countries, the UK does quite well – especially the NCSC – but an awful lot more still needs to be done.”
