LEGISLATION FORBIDS DEFAULT PASSWORDS
The UK has made history as the first nation to ban the sale of IoT devices with default passwords through new legislation effective April 29, 2024. This law encompasses a wide range of IoT devices and potential scenarios, with its primary provisions clearly outlined by the UK National Cyber Security Centre (NCSC). In an announcement which almost speaks for itself, the NCSC said:
“The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared. If the default password is used, a criminal could log into a smart device and use it to access a local network, or conduct cyberattacks.”
The new UK law, known as the Product Security and Telecommunications Infrastructure Act (PSTI), will compel vendors and manufacturers to adopt a long-overdue security standard for IoT devices.
IoT SECURITY RISKS
IoT devices face significant security challenges. While the specific challenges are new, the underlying problem of attackers is one we have dealt with since the Internet began. Here are the main IoT security risks that we need to contend with:
- Weak Authentication – Passwords are critical for device security, but default and user-chosen passwords are often weak. Many IoT devices lack robust authentication, making them easy targets for hackers and potential entry points into larger networks.
- Legacy Assets – Older applications not designed for cloud connectivity struggle with modern cyber threats. Upgrading these legacy systems is challenging due to their outdated infrastructure.
- Inconsistent Security Standards – The IoT industry lacks universal security standards, leading to varied and often insufficient security protocols. This inconsistency complicates securing devices and safe machine-to-machine communication.
- Lack of Encryption – Many IoT devices do not encrypt data transmissions, exposing sensitive information to potential interception.
- Missing Firmware Updates – Devices often contain bugs that create security vulnerabilities. The ability to issue timely firmware updates is crucial, yet remote updates are not always feasible, sometimes requiring physical access.
WHY UNIVERSAL AND WEAK PASSWORDS ARE A BAD IDEA
The first step in protecting IoT devices is authentication, which verifies the identity of a user or process. Access to a device is requested with an identifier (such as a username), which is then authenticated to prove the user’s identity. Authentication methods include:
- Something you know – such as a password
- Something you have – such as a smart card
- Something you are – such as a fingerprint or other biometric feature
Weak passwords pose a significant risk, which is why universal default passwords must be avoided. Every device has an attack surface: the set of points that unauthorised users can exploit to gain access to the device or retrieve data from it, and the login is one of the most exposed of those points.
Weak passwords typically have the following vulnerabilities:
- Easily brute-forced – Short passwords (fewer than six characters), predictable sequences such as 123456, or common words such as “administrator”
- Susceptible to social engineering – Built from easily guessed personal information, such as Peter01 when the user’s name is Peter
- Unchangeable – Hard-coded in the software’s source code, where they can be found and cannot be altered
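As an added illustration (not code from the original article), a provisioning-time check that rejects passwords in each of the categories above and, for the “unchangeable” case, replaces a universal constant with a per-device random credential. The default and common-word lists are constructed placeholders; a real deployment would load much larger lists.

```python
import re
import secrets
import string
from typing import Optional

# Constructed sample lists for illustration only; production checks would use
# full lists of known IoT default credentials and breached passwords.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "default", "root"}
COMMON_WORDS = {"administrator", "password", "welcome", "qwerty"}
MIN_LENGTH = 6  # the "fewer than six characters" threshold from the text


def _is_sequence(pw: str) -> bool:
    """True for runs like 123456, abcdef, 654321 or aaaaaa (every step identical)."""
    if len(pw) < 3 or not pw.isalnum():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})


def weak_password_reason(pw: str, username: str = "") -> Optional[str]:
    """Return why the password is weak, or None if it passes every check."""
    low = pw.lower()
    if low in UNIVERSAL_DEFAULTS:
        return "universal default password (banned under PSTI)"
    if len(pw) < MIN_LENGTH:
        return "too short: easily brute-forced"
    if _is_sequence(pw):
        return "predictable sequence: easily brute-forced"
    if low in COMMON_WORDS:
        return "common word: easily brute-forced"
    # Social-engineering check: password built from the user's own name, e.g. Peter01.
    stem = re.sub(r"[^a-z]", "", username.lower())
    if stem and stem in low:
        return "derived from user identity: susceptible to social engineering"
    return None


def generate_device_password(length: int = 16) -> str:
    """Unique per-device credential, generated at manufacture instead of a shared constant."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if weak_password_reason(pw) is None:
            return pw
```

The generated value is what would be printed on the device label or set at first boot; the checker is what a device's change-password handler would run on user-chosen replacements.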
PSTI AND UNIVERSAL PASSWORDS
The fledgling PSTI act means that the days of weak or universal passwords for IoT devices are numbered, if not over altogether. According to the NCSC, the law will help consumers choose smart devices that have been designed to provide ongoing protection against cyberattacks. The law requires manufacturers to ensure that all their smart devices meet basic cybersecurity standards. Specifically:
- Manufacturers must not supply devices with default passwords that are easily found online and shared. If such passwords are used, criminals could log into a smart device and use it to access a local network or conduct cyberattacks.
- Manufacturers must provide a point of contact for reporting security issues. If these issues are ignored, devices could become exploitable by cybercriminals.
- Manufacturers must specify the minimum period during which the device will receive critical security updates. Once updates are no longer provided, devices become more susceptible to hacking and may stop functioning as intended.
WHICH DEVICES ARE AFFECTED?
The law aims to enforce a set of minimum security standards across various internet-connected products to prevent vulnerable devices from being exploited in DDoS botnets like Mirai. It applies to:
- Smart speakers, smart TVs, and streaming devices
- Smart doorbells, baby monitors, and security cameras
- Cellular tablets, smartphones, and game consoles
- Wearable fitness trackers, including smartwatches
- Smart home appliances, such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines
Companies that do not comply with the PSTI Act face potential recalls and financial penalties, with fines up to £10 million ($12.5 million) or 4% of their global annual revenues, whichever is higher.
YOU DON’T NEED A £1 MILLION CYBERSECURITY BUDGET
The future certainly seems bright for the synergy between IoT and sustainability. That said, there are still those pesky cybersecurity issues to be considered. In his latest international bestseller, You Don’t Need a £1 Million Cybersecurity Budget, Izak, Zhero’s founder and CEO, takes an in-depth look at the security concerns arising from the proliferation of IoT, particularly for SMEs. In Izak’s words:
“Unfortunately – and particularly in the case of SMEs – there aren’t many rules or standards in place to keep IoT security in check. On top of that, most people don’t realize the risks that come with using IoT systems or how big of a challenge it is to keep them secure. It’s a bit of a wild west out there for IoT security.”
The chapter also includes an interview with Zhero’s own Head of Research and Development, Raj Rajarajan, about all things IoT and cybersecurity for SMEs. You Don’t Need a £1 Million Cybersecurity Budget is now available on Amazon. Any questions for Izak? Reach out here and now.