The U.K. National Cyber Security Centre (NCSC) has introduced a new law, the Product Security and Telecommunications Infrastructure (PSTI) Act, effective from April 29, 2024, compelling smart device manufacturers to avoid default passwords in order to strengthen ongoing protection against cyber attacks.

New UK law prohibits default passwords on smart devices starting April 2024

The legislation requires manufacturers to eliminate guessable default passwords, provide a point of contact for reporting security issues, and disclose the duration for which security updates will be provided. Default passwords pose a security risk because they are easily found online and give threat actors an entry point. The law permits unique default passwords but prohibits easily guessable ones.

The measure targets products such as smart speakers, TVs, baby monitors, smartphones, and other internet-connected devices. Non-compliance can result in product recalls and hefty fines of up to £10 million or 4% of the company's global annual revenues.

The law positions the U.K. as the first nation to outlaw default usernames and passwords in IoT devices, aiming to establish minimum security standards across the industry and prevent devices from being exploited in DDoS botnets like Mirai. Despite the takedown of the original Mirai botnet in 2016, its variants continue to be a prevalent threat, as highlighted in Cloudflare's DDoS threat report.

The U.S. Federal Communications Commission's fines against major telecom carriers for unlawfully sharing customers' real-time location data further underscore the importance of data privacy and regulatory compliance in the cybersecurity landscape.
https://thehackernews.com/2024/04/new-uk-law-bans-default-passwords-on.html