The UK government is taking cybersecurity seriously and proving it with a new version of the Product Security and Telecommunications Infrastructure Act (PTSI).
The new PTSI requirements—which went into effect on April 29—ensure every manufacturer, importer, or distributor of smart devices must either include a randomized password or generate a password upon initialization. And that’s not all.
The initial included password can’t be “password” (or any variation of the word) anymore. It also can’t be related to public information in an obvious way (Media Access Control (MAC) addresses or Wi-Fi network names.) Devices should also have a simple mechanism that enables users to change their passwords regularly.
The goal is to ensure all devices have sufficient protection to withstand brute-force access attacks like credential stuffing.
While most cybersecurity experts agree that the measures are sorely needed (and, truthfully, a first step to stronger protection), they will have implications for tech companies—not just in the UK but around the globe—which specifically have a combination of hardware and connected software in their products.
New password laws
The UK has become the first country in the globe to introduce these laws, which puts some of the responsibility on product development and manufacturers to protect consumers against cybercriminals attempting to access their devices, including smartphones, consoles, and IoT appliances.
Key provisions include:
- Manufacturers are prohibited from using weak, easily guessable, default passwords like “admin” or “12345.” If a common password exists, users will be forced to change it upon startup.
- Manufacturers are required to publish contact details to report security vulnerabilities.
- Manufacturers must be transparent about the timeframe for providing critical security updates to their devices.
- Retailers and manufacturers must inform consumers about the expected duration of security updates for their smart devices.
- Consumers can report products that seem to violate the new regulations to the Office for Product Safety and Standards (OPSS).
The ban on weak passwords and improved communication about security updates should make it more difficult for hackers to exploit vulnerabilities in smart devices. The government has also stated it hopes that increased transparency around security measures will give consumers more confidence when purchasing and using smart devices.
The laws apply to manufacturers across the world of any of the following products with the ability to connect to the Internet:
- Smart TVs
- Smart doorbells, baby monitors, cameras (CCTV)
- Streaming devices
- Wearable devices and fitness trackers
- Smart domestic appliances, e.g., plugs, thermostats, fridges, ovens, washing machines, etc.
Companies violating the law could face fines of up to $12.5 million, recalls, or 4% of their global revenues.
Why target passwords?
The new law bans the use of common passwords like “12345” or “admin” (which no one should be using anyways) and with a good reason. Hackers can easily guess weak or common passwords through automated attempts (brute-force attacks). If a hacker gains access to one device with a weak password, they could potentially use it to access other accounts the user has. In the case of smart devices, this could give them control over an entire home network or personal data.
According to a 2021 study by UK consumer watchdog group Which?, a home with multiple smart devices can be exposed to more than 12,000 hacking attacks within a week. There are often nearly three thousand attempts to guess weak passwords on five devices alone.
Hacking tools can crack 96% of the most common passwords in less than a second. A standard, six-character lowercase password can be cracked in 10 minutes. We also know that stolen, weak, or reused passwords are the root cause of more than 80% of data breaches and that 61% of hacked passwords were shorter than eight characters. Adding just one special character to a 10-character password will increase the time it takes to crack it by 1.5 hours. Suffice it to say, it’s worth putting stronger passwords in place.
The most common passwords in the UK include:
- 123456
- password
- qwerty
- liverpool
- 123456789
- arsenal
- 12345678
- 12345
- abc123
- chelsea
Because nearly all of UK adults (99%) own smart devices, and because UK households own an average of 9 smart/connected devices, including smart TVs, voice assistants or smart watches, the new laws aim to make the UK a safer place for all.
A potential ripple effect
While the UK is the first country to introduce these laws, it’s expected others will follow. Despite it being a known problem, cybersecurity laws are in their infancy, and lawmakers typically learn from other policies when developing and proposing their own.
While most businesses can agree that the law benefits consumers (and their own reputations), it won’t be easy to implement. Adapting existing systems and manufacturing processes to comply with the new regulations will require significant adjustments and costs—particularly in the area of software development for connected devices.
We also have to wonder whether or not the law will have the desired outcome. After all, the success of this initiative hinges on user awareness. UK product companies, along with the government, will need to invest in clear communication strategies to educate consumers about creating and managing strong passwords. You may not be able to stop someone from reusing their old password or deciding to fool a hacker by changing the password on their smartwatch to 7654321. You could, however, argue that the law itself is doing wonders when it comes to raising user awareness. If users—in the UK and beyond—are more aware of the dangers of common passwords, they are less likely to use them, creating a more secure digital environment for all.
And, if the UK laws set a precedent for stricter password regulations across the globe, we will very likely experience a domino effect of new laws that will reach the US sooner rather than later.
If you are in the manufacturing industry and your products have the ability to connect to the Internet via software, don’t wait for the law to force your hand. Take steps to improve password safety across your devices and incorporate user education in your communications before laws are passed.
If formal laws are passed elsewhere, you’ll be compliant and ahead of the game. You’ll also have a reputational, competitive advantage.
