The UK has become the first country to legally mandate cybersecurity standards for IoT devices. The new laws, which came into force recently, aim to shield consumers from cyber threats and boost the nation’s resilience against rising cyber-crime.
Under the Product Security and Telecommunications Infrastructure (PSTI) regime, manufacturers will be legally required to build security protections into any product with internet connectivity. Easily guessable default passwords like “admin” or “12345” will be banned, closing off the kind of weakness exploited in past attacks such as the devastating 2016 Mirai botnet incident.
“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data, and finances are safe,” stated Viscount Camrose, Minister for Cyber.
The urgency for such protections is clear. According to consumer advocacy group Which?, a typical smart home could face over 12,000 hacking attempts in a week, with nearly 2,700 attempts to guess weak passwords on just five devices. With 99% of UK adults owning at least one smart device and households averaging nine connected products, unsecured IoT tech poses significant risks.
“Businesses have a major role in protecting the public by ensuring smart products provide ongoing protection against cyber-attacks,” said Sarah Lyons, Deputy Director for Economy and Society at the NCSC cybersecurity agency. “This landmark Act will help consumers make informed decisions.”
Beyond prohibiting easy-to-guess passwords, the new regime requires manufacturers to:
● Publish vulnerability disclosure policies for reporting security flaws
● State minimum periods for providing security updates
● Provide mechanisms for securely updating software
The cybersecurity standards are part of the UK’s £2.6 billion National Cyber Strategy. They reflect the government’s commitment to making Britain the world’s safest place for online activities as cyber threats rise alongside IoT adoption rates – over half of UK households now own smart TVs, while around half have voice assistants or wearables.
David Rogers, CEO of consultancy Copper Horse, welcomed the standards: “Manufacturers should not provide products so weak and insecure that they are trivial to hack into and take over. This stops now.” Industry collaboration was key to developing the “transformative protections,” said officials. Consumers can also report non-compliant products to the regulator. However, enforcement will be crucial.