Init0

Internet of Things (IoT) devices — essentially, electronics like fitness trackers and smart lightbulbs that connect to the internet — are now part of everyday life for most.

However, cybersecurity remains a problem, and according to Kaspersky, it’s only getting worse: there were 1.5 billion breaches of IoT devices during the first six months of 2021 alone, according to the antivirus provider, almost double from 639 million for all of 2021. This is largely because security has long been an afterthought for the manufacturers of typically inexpensive devices that continue to ship with guessable or default passwords and insecure third-party components.

In an effort to try to improve the security credentials of consumer IoT devices, the U.K. government this week introduced the Product Security and Telecommunications Infrastructure bill (PST) in Parliament, legislation that requires IoT manufacturers, importers, and distributors to meet certain cybersecurity standards.

The bill outlines three key areas of minimum security standards. The first is a ban on universal default passwords — such as “password” or “admin” — which are often preset in a device’s factory settings and are easily guessable. The second will require manufacturers to provide a public point of contact to make it simpler for anyone to report a security vulnerability. And, the third is that IoT manufacturers will also have to keep customers updated about the minimum amount of time a product will receive vital security updates.

This new cybersecurity regime will be overseen by an as-yet-undesignated regulator, that will have the power to levy GDPR-style penalties; companies that fail to comply with PSTI could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

On the face of it, the PSTI bill sounds like a step in the right direction, and the ban on default passwords especially has been widely commended by the cybersecurity industry as a “common sense” measure.

“Basic cyber hygiene, such as changing default passwords, can go a long way to improving the security for these types of devices, Rodolphe Harand, managing director at YesWeHack, tells TechCrunch. “With a new unique password needing to be provided by manufacturers, this will essentially offer an additional layer of protection.”

But others say the measures — particularly the ban on easy-to-guess passwords — haven’t been thought through, and could potentially create new opportunities for threat actors to exploit.

“Stopping default passwords is laudable, but if each device has a private password, then who is responsible for managing this?” said Matt Middleton-Leal, managing director at Qualys. “It’s common for end-users to forget their …….

Source: https://techcrunch.com/2021/12/04/uk-internet-of-things-cybersecurity-bill/