New UK IoT law means huge fines and a ban on default passwords


November 25, 2021

Promo Protect all your devices, without slowing them down.
Free 30-day trial
New UK IoT law means huge fines and a ban on default passwords

The United Kingdom government has introduced new legislation designed to improve the security of "smart" internet-connected devices used in people's homes.

With all manner of Internet of Things (IoT) gizmos - from smart TVs and internet-connected light bulbs to smart speakers and IoT washing machines - cluttering millions of Britons' homes, the Product Security and Telecommunications Infrastructure (PSTI) Bill requires manufacturers and sellers of IoT devices and gadgets to meet new cybersecurity standards to better protect customers' privacy and security.

The UK says that the new legislation will allow it to force firms into being transparent with customers about what they are doing to fix security flaws, create a better public reporting system for vulnerabilities, and ban universal default passwords.

And any organisation which fails to abide by the rules once the new bill comes into force could find itself fined up to £10 million or 4% of their global turnover, as well as up up to £20,000 a day in the case of an ongoing contravention.

In addition, a newly-created regulator will be able to require companies that fail to comply with security requirements to recall products, or stop selling or supplying them altogether.

Holding manufacturers and vendors to account for the poor quality of their internet-connected devices is long overdue, with an average UK household owning nine connected tech products.

According to the bill, devices that will have to abide by the new security requirements include:

  • smartphones
  • connected cameras, TVs and speakers
  • connected children’s toys and baby monitors
  • connected safety-relevant products such as smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • wearable connected fitness trackers
  • outdoor leisure products, such as handheld connected GPS devices that are not wearables
  • connected home automation and alarm systems
  • connected appliances, such as washing machines and fridges
  • smart home assistants

Other internet connected devices - such as cars, smart meters, medical devices, and desktop and laptop computers - do not appear to fall within the bill's remit.

"Every day hackers attempt to break into people's smart devices. Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft," said Julia Lopez, the UK minister for media, data and digital infrastructure. "Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards."

Will this legislation be enough to stop IoT devices being sold that lack proper security?  Definitely not. But it is an important step in the right direction, and if the UK government evolves the law to handle the ever more complex world of security flaws, there is hope that things will begin to get better.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like