All engineers developing Internet-related technologies will need to ensure that their products do not use default passwords under a new law introduced by the UK government. Why has security lacked in the IoT industry, what does the new law regulate, and what can engineers do to ensure they comply?

Why has security historically been lacking in internet technologies?

Ever since the development of the first computers, there have been bad actors trying to find ways to gain unauthorised access, whether it is to goof around, steal personal information, or for financial gain. Despite continual developments in encryption and other protection mechanisms, hackers eventually find workarounds that either directly attack security systems or find ways to circumnavigate them.

And yet, for all of the advances made in computer security, many devices worldwide still lack basic security protection mechanisms. There are many reasons why this is the case, but security ignorance is generally the culprit. Many designers look at their design and rarely think beyond the application that the device will be used in.

For example, an IoT thermometer could be considered benign as all it does is record temperature and then stream the data to some remote server. This will result in a lack of attention over security, and thus the designers may not encrypt passwords on the device. However, the very fact that the device needs to connect to a local network already makes it a potential access point for criminals who could reverse engineer the thermometer, obtain the network credentials, and then access the internal network. This is precisely what happened to one casino with an unprotected IoT aquarium fish tank thermometer that allowed hackers access to internet servers.

Default passwords are another issue for many millions of internet-enabled devices around the world. One typical example includes internet routers that often use default passwords such as “admin” and “password”. As most customers do not change these passwords, hackers can easily drive around neighbourhoods and attempt to connect to such networks.

UK government introduces PSTI bill against default passwords

Recognising the challenges faced with default passwords (as well as other cybersecurity threats), the UK government has recently introduced a new bill that has made the use of default passwords by some internet-enabled devices illegal. Furthermore, the bill also requires that customers are told the minimum time that security updates will be available for their device and provide customers with a public point of contact for reporting flaws and bugs.

To ensure compliance with the new regulations, the UK government is also forming a new regulatory body that will have the power to issue fines for non-compliance. The legislation states that companies can be fined up to £10m or 4% of their global turnover and £20,000 a day for not complying with the new regulations.

However, engineers should also be aware that these rules do not just apply to manufacturers of tech devices; it also applies to importers of tech devices. This means that those who import devices abroad will also have to ensure that those devices comply with the new regulations.

The legislation does not apply to vehicles, smart meters, medical devices, desktop computers, and laptops. This is most likely because these devices are rarely a point of attack for hackers and are highly personal (i.e. IoT devices and routers are far more vulnerable to attack).

What can engineers do to ensure compliance?

This new legislation means that engineers absolutely must incorporate security features into their products, including random passwords for each product produced. Engineers also need to decide how long they will support security updates for their products and appoint either an individual or department to be the public point of contact for reporting bugs and flaws.

Considering the increasing importance of security and privacy, engineers should plan for the future and consider adding far more security measures introduced by law. For example, default passwords are currently the only requirement, but adding on-device encryption of sensitive data and secure boot methods can help future-proof devices.

When governments introduce legislation, it generally holds back innovation while introducing red tape. However, this new law is overwhelmingly positive as it directly addresses the issues faced with insecure internet-enabled devices manufactured in the UK and abroad.