The UK will ban default universal passwords for IoT (Internet of Things) devices under its new technology security law, which includes severe penalties for companies that fail to comply.
Let’s talk about IoT devices
To understand better, it is necessary to be clear about what we are talking about. Surely at some point you’ve heard of IoT devices, because it’s a concept that has become fashionable, but what exactly is it?
This concept refers to the grouping and interconnection of devices or objects over a network (a private network or the internet), where all of them can be seen and can interact.
The devices can be many, from mechanical devices to sensors in everyday objects such as refrigerators, toys or cell phones.
There are endless things that can be connected to the internet and interact without the need for human intervention. These are known as machine-to-machine (M2M) interactions.
The scope of its application is very wide and every day more and more devices are developed that enable this technology. This technology stores data, which is then sent to the network for analysis.
It is in this communication process that the need to establish a protocol for the exchange of information arises.
British ban on default password
The UK Parliament passed a new technology security law to try to prevent users from being hacked through their IoT devices.
With this move, the UK would ban default passwords and work to create a ‘firewall around everyday technology’.
Accordingly, the bill, called the “Telecommunications Infrastructure and Product Security Bill (PSTI)”, will force manufacturers, distributors and enterprises to set unique passwords on their IoT devices and prevent those passwords from being reset to factory defaults.
Likewise, the bill would also force companies to increase transparency about when their products require security updates or patches, as currently only 20% of companies participate in this practice.
The technology security proposal will be overseen by regulators, and companies that refuse to comply with the security standards can be fined up to 10 million pounds or 4% of their global revenue.
“Every day hackers try to break into people’s smart devices… most of us assume that if a product is for sale, it’s safe and secure. However, many don’t, which puts many of us at risk of fraud and theft.”
Julia López, UK Minister for Media, Data and Digital Infrastructure
Therefore, this proposal aims to prevent hacking through weak passwords such as “12345”, “abc123” or “admin”. According to a Symantec report, 55% of the passwords on IoT devices are “123456”, while 3% of hacked devices use the password “admin”.
On the other hand, it is also known that IoT devices are notoriously insecure because they do not have a data encryption system.
According to a Palo Alto Networks report, 98% of device traffic is unencrypted.
England, an example for other countries
The steps taken by the UK government can set an example for other countries.
Last year the US passed IoT device security laws, but never set a monetary penalty for weak passwords.
The only thing they did with the law, which is called the “IoT Cybersecurity Enhancement Act”, was to ask the “National Institute of Standards and Technology of the Department of Commerce” to set a minimum set of security requirements for IoT devices and to update it every 5 years.