The UK Just Banned Default Passwords and We Should Too


UK lawmakers are sick and tired of shitty internet of things passwords and are whipping out legislation with steep penalties and bans to prove it. The new legislation, introduced to the UK Parliament this week, would ban universal default passwords and work to create what supporters are calling a “firewall around everyday tech.”

Specifically, the bill, called The Product Security and Telecommunications Infrastructure Bill (PSTI), would require unique passwords for internet-connected devices and would prevent those passwords from being reset to universal factory defaults. The bill would also force companies to increase transparency around when their products require security updates and patches, a practice only 20% of firms currently engage in, according to a statement accompanying the bill.

These bolstered security proposals would be overseen by a regulator with sharpened teeth: companies refusing to comply with the security standards could reportedly face fines of £10 million or four per cent of their global revenues.

“Every day hackers attempt to break into people’s smart devices,” UK Minister for Media, Data and Digital Infrastructure Julia Lopez said in a statement. “Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.”

The rules would attempt to meaningfully tackle what’s become a scourge of weak IoT passwords increasingly susceptible to attackers. And we’re not talking about weak but serviceable passwords either. According to a 2020 report conducted by cybersecurity company Symantec, 55% of IoT passwords used in IoT attacks were “123456.” Another 3% of the attacked devices featured the password “admin.” IoT devices are notoriously insecure outside of passwords as well. A recent report from Palo Alto Networks found that 98% of all IoT device traffic was unencrypted.

The problem is only getting worse, especially as smart home devices gain mass popularity and become more affordable. Though estimates vary, the total number of global IoT devices could swell to over 20 billion by 2030. That’s already translating into more attacks. Just two months ago, Kaspersky Labs told Threat Post that it had detected 1.5 billion IoT attacks in the first half of 2021 alone. That’s double what it detected in the last six months of 2020.

IoT companies also routinely try to throw the blame on customers when their lacklustre security practices result in breaches or hacks. That was, maybe most famously, the case for smart home security company Ring, which tried to claim a rise in compromised accounts was the result of customers reusing passwords. In response, Ring and its owner Amazon found themselves on the receiving end of a class-action lawsuit filed in late 2019 accusing the company of negligence for failing to properly secure its devices. For what it’s worth, Ring has since made some meaningful improvements in the security department, including requiring two-factor authentication on new devices and, more recently, adding end-to-end encryption.

The UK’s no-nonsense approach to passwords, though, could serve as an example for copycats in the U.S. and elsewhere. The U.S. actually passed a significant IoT security bill last year, but it stopped short of issuing penalties or bans on weak passwords. Rather, the legislation, called the IoT Cybersecurity Improvement Act, directs the Commerce Department’s National Institute of Standards and Technology to establish a minimum set of security requirements for IoT devices and for those standards to get a refresher every five years.

The law also requires contractors to put in place vulnerability disclosure policies. But while these provisions are a step in the right direction they are largely limited to firms that engage in business with the federal government.

By contrast, the UK’s proposed bill would cover a far wider scope of devices and manufacturers and, importantly, provide clear monetary sticks to drive compliance. Incentives and carrots are only useful up to a point. Security lapses, particularly in cheap IoT devices, are nothing new and have thus far been mostly unresponsive to any market nudges. Clear penalties, or at least the threat of them, could instead offer an avenue for actual change.