
UK PSTI Act is a milestone for IoT security and passwords

Vincent Saporito, Vice President, Product Marketing | May 2, 2024

The growth of Internet of Things (IoT) devices is reshaping our digital landscape. From smart thermostats to industrial sensors to IP cameras to smart toilets, these devices drive efficiency through innovation. But they aren’t secure by nature.

A new UK law aims to make IoT products much more secure. On April 29, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act became official and is now enforcing compliance across IoT assets.

“The development makes the UK the first country in the world to outlaw default usernames and passwords from IoT devices,” explains The Hacker News.

This law is important since IoT devices are expected to skyrocket globally to over 29 billion by 2030. And it’s no secret that IoT products are insecure. It’s well documented by governments and security researchers, including our Forescout Research – Vedere Labs. The new law has major implications for all IoT manufacturers and could spur other governments to enact similar laws.  

Each connected device represents a potential entry point for malicious activities. The diverse nature and rapid proliferation of IoT devices mean that many remain undetected by conventional discovery tools. This invisibility poses a significant risk as undetected or unmanaged devices can easily become targets for cyber-attacks. Without comprehensive visibility, it’s impossible for organizations to assess their full security posture. 

Securing IoT Products Without the UK PSTI Act Has Been Tough

The engineering solutions company Copper Horse has been trying to make an impact in IoT security by working directly with manufacturers. Progress without this law has been slow. Over six years, the UK-based company has been able to increase the share of IoT manufacturers that accept security research to help improve their products from 10% to 24%. The company puts it this way:

“That might sound like progress, but it is really, really bad. If we flip that around – we’ve gone from 90% of manufacturers not doing much on security to 76% not doing much on security. It’s not as if the world has stood still in those six years, technology has improved and governments across the world have stated repeatedly that they want to see products secured – and even told manufacturers how to do it.”

It’s why there is new hope that can help strengthen the collective security posture against unmanaged devices. The UK’s implementation of the PSTI Act is a landmark move and a pioneering piece of legislation that addresses the urgent need for better security measures in IoT devices. It’s very early days, but it’s a milestone for consumer product security.

Understanding the UK PSTI Act

The PSTI Act is focused on safeguarding consumers and companies from known IoT risks. The law focuses on these five areas:

Security By Design

Manufacturers are now required to adopt ‘security by design’ approaches. Moving past the long-running joke that the ‘S’ in IoT stands for security, manufacturers are mandated to integrate secure design principles into the build process rather than treating them as an afterthought.

Default Credentials

Factory-set usernames and passwords have long been a gaping security flaw, offering an easy entry point for cyber attackers. Devices must come with unique passwords or require users to set up a password upon setup.

Software Update Timelines

Customers must be made aware of the minimum amount of time the device will be supported with updated security patches. If the product will not receive updates, that must be disclosed. 

Encrypted Protocols

Moving away from clear-text communications and unencrypted storage, manufacturers should move towards encrypting device data both at rest and in transit.

Vulnerability Disclosure Process 

Manufacturers must provide points of contact to allow security researchers to report and disclose vulnerabilities.

Manufacturers in breach of this new legislation will face fines up to £10m or 4% of global turnover, as well as up to £20,000 a day for ongoing contraventions. The rules apply to the following set of smart devices: 

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras*
  • Cellular tablets, smartphones, and game consoles
  • Wearable fitness trackers including smart watches
  • Smart domestic appliances, including light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines

*Go deeper: Read our R4IoT research. We showed how IP cameras can be used to carry out ransomware, cryptominer and physical attacks.

Moving Forward With the PSTI Act

The PSTI Act is a significant step forward in securing the IoT landscape for the UK. For businesses, it means adapting to the new law by ensuring all IoT devices meet the required security standards. Plus, it’s an opportunity for cybersecurity firms to further innovate and provide solutions that meet these evolving needs. Security can become more built-in with the right approach.

At Forescout, we specialize in providing solutions that bridge security gaps. Our cybersecurity platforms are designed to provide visibility across traditional and IoT devices. We help businesses detect and manage every device on their network effectively using advanced network segmentation and policy enforcement tools. This capability is crucial for securing today’s IoT assets that are insecure by design. 

The Forescout Platform Is Informed by Our Research

Vedere Labs is no stranger to witnessing the dangers of insecure IoT devices and default passwords. We publish regularly on IoT product vulnerabilities and attacks – especially within Operational Technology (OT) environments. We recently reported on the growth of IoT devices from China in the US and other countries despite government bans – with some using insecure IoT within critical infrastructure and government networks.

Our research is fed directly into the Forescout Platform and shared with the cybersecurity community, including CISA and other cybersecurity agencies, CERTs, ISACs, open-source projects, device manufacturers, universities and other researchers.  
