The UK government has unveiled a bill to protect millions of IoT devices from cyber attacks. It obliges everyone who sells such devices to supply each of them with a unique password. Primitive passwords like 1234 or admin will not be allowed.
A “strong” password significantly reduces the likelihood that a smart home device, such as a smart thermostat or a surveillance camera, will be remotely taken over by an attacker using malicious code. In addition, it fully protects against those hackers who simply scan many devices in a row, trying simple default passwords on them and also looking for devices that have no password at all.
The new bill also requires the manufacturer to provide a point of contact as part of a “vulnerability disclosure policy”. In addition, the minimum period during which the device will continue to receive security updates must be clearly stated.
Internet of Things devices are more vulnerable than traditional IT systems, because their processors are often not powerful enough to run firewalls or antivirus software. Consumer devices also often have a “back door”, installed by the manufacturer in order to download updates automatically.
The new law, if adopted, will continue the work embodied in the Code of Practice approved in October 2018. It will demonstrate the British government’s seriousness on this issue and will draw public attention to the cybersecurity problems of the Internet of Things. Experts, however, fear that the law may give consumers a false sense of security, since it applies only to the devices themselves, while the main threat lies elsewhere.
Although the UK is ahead of other countries in working on legislation for the Internet of Things, it was not the first in the world to act. In the USA, the state of California passed a law in October banning default passwords on network devices. It will come into effect in 2020.