Why it matters: No matter how many hacks we see that are perpetrated via unchanged, weak default passwords on devices, manufacturers continue to use the likes of "password" and "admin" for login credentials. That's no longer going to be the case in the UK, which has become the first country in the world to ban makers from using easily guessable default credentials on connected devices.
An update to the UK's Product Security and Telecommunications Infrastructure Act (PSTI) states that every device with online connectivity must either ship with a randomized password or generate a password upon initialization.
According to the requirements, pre-installed passwords cannot be incremental (password1, password2) and cannot be related in an obvious way to public information such as MAC addresses or Wi-Fi SSIDs.
There are also rules to ensure devices are protected against brute-force attacks, including a limitation on the number of authentication attempts within a certain time. Changing passwords, meanwhile should be performed using a "simple mechanism."
Software that hasn't been updated is another common way hackers compromise systems and devices. The PSTI states that software components should be securely updateable, check for updates, and update either automatically or in a way that is simple for users to apply. There's also a section on implementing means to manage reports of vulnerabilities, which instructs manufacturers to continually monitor for, identify, and rectify security vulnerabilities within products and services they sell.
These aren't just recommendations that manufacturers can ignore if they wish. Violating the law can result in a fine up to £10 million (around $12.5 million) or 4% of a company's, "qualifying worldwide revenue," depending on which is higher.
The updated rules are designed to mitigate against incidents like the Mirai botnet in 2016 that caused huge outages across the internet, including Twitter, Netflix, and Reddit. The botnet consisted of hundreds of thousands of infected devices that were designed to flood websites with junk traffic. It resulted in one of the largest distributed denial-of-service (DDoS) attacks ever recorded.
In July last year, the Biden administration announced the Cyber Trust Mark program, designed to help Americans identify which connected devices meet government cybersecurity requirements, including having strong default passwords. Unlike in the UK, though, companies' participation is voluntary, and the fine details of the bill are still being debated before it is implemented.
UK becomes first country to outlaw easily guessable default passwords on connected devices
