UK Becomes The First Country To Ban The Use Of Default Simple Passwords For IoT Devices
Seven years ago, a simple DDoS attack from the Mirai botnet completely paralyzed many well-known US websites, such as Twitter, CNN and Netflix, for several hours. The botnet malware, developed by three young hackers, had infected more than 300,000 IoT devices, highlighting how weak IoT security was.
This case highlights the fact that IoT device manufacturers are lax on security, in particular through the common use of easily guessed default usernames and passwords. That practice is what enabled the Mirai botnet to infect and control around 300,000 devices and then launch attacks against any target connected to the Internet.
The British government decided to take measures and became the first country in the world to ban guessable default usernames and passwords on these IoT devices. The Product Safety and Telecommunications Infrastructure Act (PSTI) directly prohibits IoT devices from using weak and guessable default passwords, such as “admin” or “12345”; manufacturers may only set unique default passwords. It also requires manufacturers to disclose how long their products will receive security updates, and to make their contact information public so that users can report bugs. PSTI sets strict standards and penalties: companies that fail to comply may face penalties of up to £10 million or 4% of their total global revenue.
The law will be regulated by the Office for Product Safety and Standards (OPSS), which is part of the Department for Business and Trade rather than an independent body.
Source: therecord