Cybersecurity experts have weighed in on the introduction this week of the Product Security and Telecommunications Infrastructure (PSTI) Act, which requires manufacturers of electronic and smart devices to help protect consumers from cyberattacks by implementing minimum security standards within their products.

As part of that, manufacturers will be banned from shipping weak, easily guessable default passwords like ‘admin’ or ‘12345’, and if a device does ship with a common password the user will be prompted to change it on start-up.
In a statement, the government quoted an investigation conducted by Which? that showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
The UK is the first country to introduce such laws.
The industry has welcomed the plans, though most of the experts quoted below maintain that stronger passwords alone are not enough to protect consumers.
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University:
“The Internet of Things (IoT) exposes us all to some degree of risk. Despite their perceived simplicity, these devices hold unexpected power to disrupt when left unpatched or poorly managed. The widespread use of default passwords from manufacturers typically led to significant issues, with hackers increasingly exploiting this vulnerability. It’s encouraging to see growing emphasis on implementing best practices in securing IoT devices before they leave the factory.
“As well as stronger passwords, it’s essential to establish comprehensive preventative, detective and corrective controls through a combination of policies, standards, procedures, organisational structures, software technologies, and monitoring mechanisms. These measures are crucial for mitigating the risks related to the confidentiality, integrity and availability of information assets within an organisation.”
David Higgins, EMEA technical director at cybersecurity firm CyberArk:
“It’s been known for a long time that passwords don’t provide sufficient protection if used on their own. So, while these changes are welcome, they’re only a small part of the picture, and businesses need to look further than simply enforcing improved password management protocols, because a compromised employee is often a route into the organisation for an attacker.
“Identities are what attackers value most. They’re continually looking for ways to use identities to compromise accounts and coordinate sophisticated attacks. It makes sense, as they’re a fruitful gateway to sensitive data, critical systems and key organisational assets.
“Identity security requires more than just better password hygiene. We need to work towards a passwordless world that promotes more sophisticated means of authentication, embeds strict controls over who can access what, when, and how, as well as enforcing continuous monitoring and analysis of user activity. That’s how we’ll succeed in consistently detecting anomalies and stopping individuals becoming an attack vector into organisations.”
Matt Aldridge, principal solutions consultant at OpenText Cybersecurity:
“For many years now, it has been clear that the convenience gained through the Internet of Things (IoT) was going to come back and bite us, and indeed it has, with so many routers, webcams etc being turned into “zombies” on criminal botnets, and then hired out to take down target websites for profit, among other criminal activities. These devices are often sold at very low profit margins, but in high volumes, and adequate care is not given to their security by such manufacturers.
“It is fantastic to see the UK pioneering new legislation to help crack down on the myriad cybersecurity issues caused by IoT devices, and this can only make homes and small businesses more secure, while creating greater challenges for the criminals exploiting them. It’s also great to see that the government is in line with the industry on promoting cyber hygiene; it’s crucial that we remain vigilant and proactive in securing our digital footprints.
“Although we may see the cheapest devices on the market go away or become more expensive as a result of this legislation, this is an unavoidable consequence of demanding a baseline of security from manufacturers and the security benefits significantly justify these changes.”
Kaspersky principal security researcher, David Emm:
“It is positive that the Act is requiring manufacturers to say how long they will support the product for. However, as things stand, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point-of-sale. We urge legislators to consider the implications of this in the light of a complex threat landscape.”
“Whilst the new Act is a welcome update, it remains very important for people to take their own precautions when it comes to safeguarding themselves against cyber threats.” Emm concludes: “Do not assume the new legislation is enough to protect your connected activities. We advise that all customers use two factor authentication where possible on their connected devices, in addition to enabling encryption on their home routers.”
Andrew Rose, chief security officer at SoSafe:
“While we welcome the news about enhanced technological protections, they are not enough. Any solution that ignores the human side of cybersecurity is bound to have vulnerabilities. We need to equip people with knowledge needed to effectively protect themselves and their data.
“The smart devices may require more difficult passwords, but people may still choose a password that they use in multiple places, which poses the same security risk. At the end of the day, it all comes down to how well people are trained to use technology and how much they have made secure behaviour a routine – and cybercriminals will continue to use this to their advantage.
“Given enough time, clever hackers can penetrate any barrier. We need to ensure governments are encouraging – and requiring – education and training that teaches individuals how to correctly identify and react to security risks.”
Niall McConachie, regional director (UK & Ireland) at Yubico:
“What makes the persistent use of passwords remarkable is that they are broadly despised by both users and cybersecurity professionals – simple passwords are easily remembered, but also easily guessed. Policies requiring passwords to become increasingly complex and more regularly updated ask more of users’ memories and directly impact their experience.
“Reliable protection from modern cyber threats requires modern, phishing-resistant passkey MFA such as hardware security keys, which can stop remote attacks by requiring something you know (a password) and something you have (a security key that must be inserted into the device and physically touched) to gain access to accounts. With convenient, secure authentication like this readily available, it’s time we forget about passwords permanently.”
Iain Davidson, senior product manager at Wireless Logic:
“This legislation aligns with the UK’s Code of Practice for Consumer IoT Security and the global standard ETSI EN 303 645, which sets the bar for consumer IoT. This suggests a smooth transition, but some concerns have been raised regarding PSTI’s enforcement. It’s worth noting that these initial changes are just the beginning, and more legislative shifts are likely on the horizon. As such, organisations should remain proactive, ensuring they meet current requirements while also keeping an eye on sector-specific global standards or legislation.”
The PSTI Act, which passed into law on 6 December 2022, came into full force on 29 April 2024.