Manufacturers are now banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’. If there is a common password, the user will be prompted to change it on start-up.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyberattacks.
The new measures will also introduce other security protections including manufacturers needing to publish contact details so bugs and issues can be reported and dealt with, as well as needing to be open with users on the minimum time they can expect to receive important security updates.
Viscount Camrose, the minister for cyber, said, “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.
“From today, consumers will have greater peace of mind that their smart devices are protected from cybercriminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe. We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”
Julia Lopez, the data and digital infrastructure minister, added, “Today marks a new era where smart devices, such as phones and broadband routers, are shielded from cyberthreats, and the integrity of personal privacy, data and finances better protected.
“Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”
The government anticipates that these measures will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features.
In those attacks, smart devices were used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS.
The move marks a significant step towards improving the UK’s resilience towards cybercrime, with 99 per cent of UK adults now owning at least one smart device and UK households owning an average of nine connected devices.