The UK has set a global precedent by implementing laws that mandate cybersecurity standards for Internet of Things (IoT) devices. These new regulations, introduced under the Product Security and Telecommunications Infrastructure (PSTI) regime, aim to safeguard consumers from cyber threats and bolster the nation’s defences against the increasing incidence of cybercrime.
Under these laws, manufacturers are now legally obligated to integrate security measures into any product that connects to the internet. Notably, default passwords that are easy to guess, such as “admin” or “12345,” are banned to prevent vulnerabilities exploited in past attacks, like the infamous 2016 Mirai botnet incident.
Viscount Camrose, Minister for Cyber, emphasised the significance of these measures, stating, “From today, consumers will have greater peace of mind that their smart devices are protected from cybercriminals, as we introduce world-first laws that will make sure their personal privacy, data, and finances are safe.”
The necessity for such safeguards is evident. According to the consumer advocacy group Which?, a typical smart home could face over 12,000 hacking attempts in a week, with nearly 2,700 attempts to guess weak passwords on just five devices. With a staggering 99 per cent of UK adults owning at least one smart device and households averaging nine connected products, the risks posed by unsecured IoT technology are significant.
Sarah Lyons, Deputy Director for Economy and Society at the NCSC cybersecurity agency, highlighted the role of businesses in protecting consumers and praised the landmark Act for enabling informed decisions.
In addition to banning easily guessed passwords, the new regime requires manufacturers to publish vulnerability disclosure policies, specify minimum periods for providing security updates, and offer mechanisms for securely updating software.
These cybersecurity standards are a part of the UK’s £2.6 billion National Cyber Strategy, underscoring the government’s commitment to making Britain the safest place for online activities amid rising cyber threats and IoT adoption rates.
David Rogers, CEO of consultancy Copper Horse, welcomed the standards, emphasising the need for manufacturers to prioritise security. Industry collaboration played a crucial role in developing these transformative protections, according to officials. Consumers are encouraged to report non-compliant products to the regulator, although enforcement will be key to ensuring compliance.

