UK bans default guessable passwords in new cybersecurity rules

30 Apr 2024

These UK rules ban manufacturers from having weak, easily guessable default passwords such as ‘admin’ or ‘12345’, but one expert believes these new rules don’t go far enough.

New consumer protections have come into force in the UK, giving smart device manufacturers more cybersecurity responsibilities.

These new laws aim to set minimum security standards for all internet-connected smart devices in the country. Under these rules, manufacturers will be legally required to protect consumers from hackers and cybercriminals and prevent these malicious entities from accessing devices with internet or network connectivity.

These UK rules also ban manufacturers from having weak, easily guessable default passwords such as ‘admin’ or ‘12345’. If there is a common password on a device, users will be prompted to change it when they first use their smart device.

The UK government said yesterday (29 April) that these new rules will help prevent threats similar to the Mirai attack in 2016. This massive attack compromised roughly 300,000 smart products due to weak cybersecurity features. These products were later used to attack major internet platforms and services with distributed-denial-of-service – or DDoS – attacks.

The government said the new laws are a “significant step” towards boosting the UK’s cyber resilience, as almost all adults in the country own at least one smart device. The UK estimates households in the country own an average of nine connected devices.

“As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said UK minister for cyber Viscount Camrose. “Consumers will have greater peace of mind that their smart devices are protected from cybercriminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe.”

Tim Callan, chief experience officer at Sectigo, said the rules are a step in the right direction but that there are still major gaps in the country’s smart device defences.

“While a good starting point, it’s nowhere near enough,” Callan said. “UK IoT security laws will only require devices to meet three out of 13 standards from the European Telecommunications Standards Institute.

“That still leaves a major gap in our defences for hackers to infiltrate our smart devices. If the UK wants to get truly serious about securing our devices, they must push businesses to do more.”

Leigh Mc Gowran is a journalist with Silicon Republic