The UK is doing away with bad default passwords. With updates to the country’s Product Security and Telecommunications Infrastructure Act (PSTI) that came into force today, regulators say that tech gadgets that can connect to the internet or a local wired network must either ship with a default password that is unique to that device or require the person who owns it to set one.
Under the update, manufacturers will also have to make it easy for people to report security issues. The PSTI now requires them to set clear expectations for when those filing reports can expect an acknowledgment and status updates afterward. Violations of the law can result in fines of up to £10 million (about $12.5 million USD) or 4 percent of the company’s “qualifying worldwide revenue,” whichever is higher.
The law applies to a wide range of products, but a big target is likely IoT devices like smart TVs, smart plugs, and smart speakers. Many of these, particularly the cheapest commodified ones, end up as targets online thanks to lax security practices, and those practices made them part of devastating attacks like the Mirai botnet DDoS seen years ago. Mirai spread by logging in to exposed devices with a short list of factory default usernames and passwords, which is exactly the weakness a per-device or owner-set password removes. The update doesn’t necessarily address all of those practices, but bad default passwords are low-hanging fruit that should be tackled.
In the US, the FCC is trying something similar with its forthcoming Cyber Trust Mark program. Much like the federal Energy Star program, the Cyber Trust Mark logo indicates which products comply with the program’s requirements, including strong default passwords. But also like Energy Star, the program is voluntary: nobody is forcing companies to go along with it. And while Energy Star has clear, explainable benefits like lower utility bills, it’s harder to make clear that a smart bulb connected to your router can be a security risk for your other devices, so it’s hard to know how effective the program will be when it goes into effect.
Original author: Wes Davis