Although there is news every day about successful computer attacks that succeed because users don't change the default passwords on their devices, many manufacturers continue to sell devices that use standard credentials such as 'password' or 'admin'. But that is coming to an end in the United Kingdom, which became the first country to ban easy-to-guess default passwords on devices that connect to the internet.
Recently, an update to the United Kingdom's Product Safety and Telecommunications Infrastructure (PSTI) Act was published, which requires all devices that can connect to the Internet to be sold with a random password or to generate a password when connected for the first time.
Under the new PSTI requirements, default passwords cannot be incremental (Admin1, Admin2, etc.) and cannot be derived from public information such as MAC addresses or the SSIDs of wireless networks.
Rules are also defined to ensure devices are protected against brute-force attacks, including a limit on the number of authentication attempts within a certain period of time. Users must also be able to change passwords through "simplified mechanisms".
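The two requirements above (no sequential or public-information-derived defaults, and a cap on authentication attempts) can be checked in code. The following is an added example, not code from the article, the regulator or any manufacturer: it generates a per-device factory password from the OS CSPRNG, vets it against the rules described, and applies a failed-login limiter before the password hash is even checked. The device record, the 16-character length, the 6-character fragment window and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Added example (not from the article or any regulator): a per-device
default-credential generator vetted against PSTI-style rules, plus a
failed-login limiter. Device records below are constructed sample data."""
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16   # assumption: 16 random alphanumerics per device
MIN_FRAGMENT = 4       # assumption: ignore public values shorter than this
FRAGMENT_WINDOW = 6    # assumption: look for 6-char slices of public values


def generate_default_password(length=PASSWORD_LENGTH):
    """Draw a fresh password from the OS CSPRNG. No device attribute feeds
    the generator, so defaults are neither sequential nor predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_incremental(password):
    """'Admin1', 'Admin2', ...: an alphabetic prefix followed only by digits."""
    prefix = password.rstrip(string.digits)
    return prefix != password and prefix.isalpha()


def _normalize(value):
    # Drop separators and case so '00:11:22' and '001122' compare equal.
    return "".join(ch for ch in value.lower() if ch.isalnum())


def derived_from_public_info(password, public_values):
    """True if a slice of any public value (MAC, SSID, serial) appears in the
    password, e.g. a default built from the last six MAC characters."""
    pw = _normalize(password)
    for value in public_values:
        v = _normalize(value)
        if len(v) < MIN_FRAGMENT:
            continue
        width = min(len(v), FRAGMENT_WINDOW)
        for i in range(len(v) - width + 1):
            if v[i:i + width] in pw:
                return True
    return False


def passes_psti_checks(password, public_values):
    return (len(password) >= 12
            and not is_incremental(password)
            and not derived_from_public_info(password, public_values))


def provision_default(device):
    """Generate, vet and return the factory password for one device record."""
    public = [device["mac"], device["ssid"], device["serial"]]
    while True:
        candidate = generate_default_password()
        if passes_psti_checks(candidate, public):
            return candidate


def hash_password(password, salt=None):
    # Assumption: PBKDF2-HMAC-SHA256 with a 16-byte salt; returns (salt, digest).
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthAttemptLimiter:
    """At most `max_attempts` failed logins per account within `window` seconds."""

    def __init__(self, max_attempts=5, window=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock          # injectable so tests can advance time
        self._failures = {}         # account -> timestamps of recent failures

    def _recent(self, account):
        now = self.clock()
        kept = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = kept
        return kept

    def is_locked(self, account):
        return len(self._recent(account)) >= self.max_attempts

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
        else:
            self._recent(account).append(self.clock())


def attempt_login(limiter, account, stored, password):
    """Return 'locked', 'ok' or 'denied'. The lock is checked before the
    hash so a locked account reveals nothing about the password."""
    if limiter.is_locked(account):
        return "locked"
    salt, digest = stored
    ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
    limiter.record(account, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    # Constructed sample device record, not a real device.
    device = {"mac": "00:11:22:33:44:55", "ssid": "Home-WiFi-4455", "serial": "SN0000123"}
    print("factory password:", provision_default(device))
    for bad in ("Admin1", "admin", "Home-WiFi-4455pass", "wifi334455"):
        print(bad, "->", passes_psti_checks(bad, [device["mac"], device["ssid"]]))
```

The vetting loop almost never retries, since a CSPRNG output practically never contains a slice of the device's MAC or SSID, but keeping the check in the provisioning path means a later change to the generator (for example, someone "helpfully" seeding it from the serial number) is caught on the production line rather than in the field.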
In addition to weak passwords, a lack of software updates is exploited by attackers to steal information from devices and networks. PSTI requires that software components can be updated easily and securely, either by automating updates or through simple methods that users can understand. The new law also requires manufacturers to implement a way to receive and manage vulnerability reports, and instructs them to monitor, identify and fix vulnerabilities in the products and services they sell.
The new rules are not optional. Manufacturers who breach them, or ignore them, face fines of up to £10m or 4% of turnover across all markets they operate in, whichever is higher.
The update to these rules is designed to reduce incidents like the Mirai botnet of 2016, which caused many online services to stop working. That botnet was made up of hundreds of thousands of infected devices, largely compromised through default credentials, that flooded websites and services with traffic. It was one of the worst DDoS attacks in Internet history.