The UK government takes cyber security seriously and is proving it with the new version of the Product Security and Telecommunications Infrastructure Act (PSTI).
New PSTI requirements that took effect on April 29 require all manufacturers, importers and distributors of smart devices to ship products with unique randomized passwords or to generate a password during initialization. That's not all.
The default password cannot be “password” (or any variation of that word). It also cannot be derived in any obvious way from public information such as media access control (MAC) addresses or Wi-Fi network names. The device must also provide a simple mechanism that allows users to change their passwords periodically.
The goal is to provide all devices with sufficient protection to withstand brute force access attacks such as credential stuffing.
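As an added illustration (not code from the original post or from Coro), here is a small Python checker for the default-password rules described above: it flags “password”/“admin” variants, rejects a password that shares characters with the device's MAC address or Wi-Fi network name, and draws a per-device default from a CSPRNG. The banned list, the 4-character overlap heuristic and the 8-character minimum are assumptions for the example, not the Act's text.

```python
import re
import secrets
import string

# Constructed examples of the weak defaults the Act bans; the real banned set is
# whatever the regulator enforces, so treat this list as an assumption.
BANNED = {"password", "admin", "12345", "123456", "qwerty"}
# Common leetspeak substitutions folded back to letters ("P@ssw0rd" -> "password").
LEET = str.maketrans("@$034", "asoea")
MIN_LEN = 8  # assumed floor; the post notes 61% of hacked passwords were under 8 chars
ALPHABET = string.ascii_letters + string.digits


def is_banned_variant(pw: str) -> bool:
    """True for a banned default or an obvious variation of 'password'/'admin'."""
    low = pw.lower()
    if low in BANNED:
        return True
    folded = re.sub(r"[^a-z0-9]", "", low.translate(LEET))  # drop case, symbols, leetspeak
    return any(word in folded for word in ("password", "admin"))


def derived_from_public_info(pw: str, mac: str, ssid: str, min_run: int = 4) -> bool:
    """True if pw shares a run of min_run+ characters with the MAC address or Wi-Fi name.
    Substring overlap is a heuristic stand-in for 'not derivable in any obvious way'."""
    p = pw.lower()
    mac_hex = re.sub(r"[^0-9a-f]", "", mac.lower())  # "AA:BB:CC" -> "aabbcc"
    for public in (mac_hex, ssid.lower()):
        for i in range(len(public) - min_run + 1):
            if public[i:i + min_run] in p:
                return True
    return False


def check_default_password(pw: str, mac: str, ssid: str) -> list[str]:
    """Return the findings for a candidate default password; an empty list passes."""
    findings = []
    if is_banned_variant(pw):
        findings.append("banned default or variant of 'password'/'admin'")
    if derived_from_public_info(pw, mac, ssid):
        findings.append("derived from MAC address or Wi-Fi network name")
    if len(pw) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    return findings


def generate_default_password(mac: str, ssid: str, length: int = 12) -> str:
    """Per-device default from a CSPRNG, redrawn if it happens to trip any check."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_default_password(candidate, mac, ssid):
            return candidate
```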
Most cybersecurity experts agree that this measure is badly needed (and is, in fact, only a first step towards better protection), but it will have an impact on technology companies (not just in the UK but around the world) that combine hardware with connected software in their own products.
New password rules
The UK has become the first country in the world to introduce these laws, placing some of the responsibility on product developers and manufacturers to protect consumers from cybercriminals seeking to access devices such as smartphones, consoles and IoT appliances.
The main provisions are as follows:
- Manufacturers are prohibited from using weak, easily guessed default passwords such as “admin” or “12345”. If a common password is present, users will be forced to change it on startup.
- Manufacturers must provide contact details to report security vulnerabilities.
- Manufacturers need to be transparent about how long they will provide critical security updates to their devices.
- Retailers and manufacturers must inform consumers about the expected duration of security updates for smart devices.
- Consumers can report products they believe violate the new regulations to the Office for Product Safety and Standards (OPSS).
Banning weak passwords and improving communication about security updates should make it more difficult for hackers to exploit vulnerabilities in smart devices. The government also said it hopes increased transparency around security measures will give consumers more confidence when purchasing and using smart devices.
This law applies to manufacturers worldwide of the following Internet-connectable products:
- Smart TVs
- Smart doorbells, baby monitors, cameras (CCTV)
- Streaming devices
- Wearable devices and fitness trackers
- Smart home appliances (plugs, thermostats, refrigerators, ovens, washing machines, etc.)
Companies that violate the law could face fines of up to $12.5 million or 4% of global revenue, as well as product recalls.
Why target passwords?
The new law prohibits the use of common passwords like “12345” and “admin” (which no one should use anyway), and for good reason. Hackers can easily guess weak or common passwords through automated attempts (brute-force attacks). Once a hacker gains access to one device using a weak password, they can potentially use that same password to access other accounts you have. For smart devices, this can potentially give an attacker control over your entire home network and personal data.
A 2021 study by British consumer watchdog Which? found that households with multiple smart devices could be exposed to more than 12,000 hacking attacks within a week. On five devices alone, there were nearly 3,000 attempts to guess weak passwords.
Hacking tools can crack 96% of the most common passwords in under 1 second. A standard 6-character lowercase password can be cracked within 10 minutes. We also know that stolen, weak, or reused passwords are the root cause of over 80% of data breaches, and 61% of hacked passwords were less than 8 characters long. Adding just one special character to a 10-character password increases cracking time by 1.5 hours. Suffice it to say, it's worth setting a stronger password.
The most common passwords in the UK are:
- 123456
- password
- qwerty
- liverpool
- 123456789
- arsenal
- 12345678
- 12345
- abc123
- chelsea
The new law comes as almost all UK adults (99%) own a smart device and UK households own an average of nine smart/connected devices such as smart TVs, voice assistants and smart watches. The aim is to make Britain a safer place for all.
Potential ripple effects
The UK is the first country to introduce these laws, but other countries are expected to follow suit. Although the problem is well known, cybersecurity law is still in its infancy, and lawmakers typically learn from other jurisdictions' policies as they develop and propose their own.
While most companies can agree that this law will benefit consumers (and their reputations), it will not be easy to enforce. Adapting existing systems and manufacturing processes to new regulations will require significant adjustments and costs, especially in the area of software development for connected devices.
One must also question whether this law will have the desired results. Ultimately, the success of this initiative depends on user awareness. UK product companies, along with the government, need to invest in a clear communications strategy to educate consumers about creating and managing strong passwords. You may not be able to stop someone from reusing an old password or changing their smartwatch password to 7654321 to “fool” hackers. However, it can also be argued that the law itself is doing a great deal to raise user awareness. If users in the UK and abroad are more aware of the dangers of common passwords, they will be less likely to use them, creating a safer digital environment for everyone.
And if the UK law sets a precedent for stricter password regulations around the world, a domino effect is very likely, with similar laws applying in the US sooner or later.
If you are in the manufacturing business and your product can connect to the Internet via software, don't wait for the law to force your hand. Before legislation is passed, take steps to improve password security across your devices and incorporate user education into your communications.
When formal legislation is passed elsewhere, you will already comply and be ahead of the game, which also brings reputational and competitive advantages.
This is a blog written by Kevin Smith, syndicated from the Security Bloggers Network by Coro Cybersecurity. Read the original post: https://www.coro.net/blog/compliance/what-the-uks-new-password-laws-mean-for-global-cybersecurity