The UK's first global ban on default, easy-to-guess passwords for connected devices is a welcome step, but only the first towards protecting the rapidly expanding Internet of Things (IoT) landscape.
While banning passwords like "admin" and "12345" raises the security baseline, the legislation stops short of mandating firmware updates and built-in security capabilities. Enterprise administrators should therefore remain alert to the other glaring gaps in smart office devices.
With IoT attacks having quadrupled over the past five years and IoT botnets continuing to grow, administrators cannot afford to wait for regulators. Here is how you can strengthen security and regain control over your company's device ecosystem.
The war against weak passwords
A decision of this kind has been a long time coming, because default passwords are extremely dangerous. Simple, widely known username and password combinations are trivial to guess or crack, turning devices into entry points for attackers or into hijacked assets on the open Internet.
Recent research is sobering: attackers need only five sets of common credentials to access approximately 10% of all Internet-connected devices. The Mirai malware, which hijacked more than 100,000 consumer devices such as home routers, IP cameras and DVRs for massive distributed denial of service (DDoS) attacks, used a hardcoded list of only 62 username and password combinations.
The problem is getting worse. IoT botnets have become a major source of DDoS traffic, and compromised devices also spread malware, steal data and serve as staging points for other attacks. The number of DDoS-capable devices under botnet control rose from around 200,000 last year to approximately 1 million today, and those devices now generate more than 40% of all DDoS traffic.
In force since 29 April 2024, the UK's Product Security and Telecommunications Infrastructure Act 2022 (PSTI) addresses this by requiring that passwords on connected products be either unique per device or set by the user, rather than a universal default shipped on every unit. Non-compliance is an offence, with penalties of up to £10 million or 4% of global revenue, whichever is greater.
For years, experts hoped that market forces would push device makers to improve password practices. Since manufacturers did not step forward, the government has stepped in, and it is also directing manufacturers to provide a way to report security issues and to publish the period for which their connected products will receive security updates.
Companies, don't wait for regulators
This does not mean that the act is perfect. For example, manufacturers must publish a minimum security-update support period, but no rule dictates how long that period has to be. Worse, the standard lags behind comparable regions and regulations: the PSTI covers only 3 of the 13 IoT security provisions in the European Telecommunications Standards Institute's baseline (ETSI EN 303 645). It also falls short of the EU's Cyber Resilience Act, the most rigorous regime in Europe. That set of rules for connected devices, whose main obligations apply from 2027, goes a step further by requiring security support throughout the product lifecycle and automatic delivery of updates.
Make no mistake, the PSTI is a positive step, and addressing generic passwords is crucial. It is also well above the voluntary consumer labelling scheme introduced in the United States. But for businesses operating today, regulation can only provide so much protection, and what it covers and how far it goes depends on where you are. The responsibility for comprehensive protection ultimately falls on IT professionals to secure their own ecosystems of connected devices.
This means adopting strong tools and best practices now. There are no excuses: unique credentials and multi-factor authentication are the minimum. Better still, consider eliminating passwords altogether in favour of public key infrastructure (PKI). With this approach, asymmetric cryptography establishes an initial trust relationship between the client and the target device: a key pair is generated, the public key is enrolled with the verifying party, and possession of the private key, proved by signing a fresh challenge, replaces the password as the authentication factor. This is not only a far stronger form of single-factor authentication; because nothing guessable is ever transmitted and the key space is astronomically large, online brute-force and credential-stuffing attacks become infeasible.
But that's just the beginning. Rigorous asset discovery, network segmentation and continuous monitoring are critical. Likewise, harden communications: encrypt all data in transit, authenticate both ends of every connection, and avoid routing device traffic through intermediaries you do not control. Lastly, never assume and always verify, following zero trust principles.
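To make the key-based alternative concrete, the following is an added example (not code from the article or from any vendor) of a device enrolling an Ed25519 public key with a hypothetical server-side registry and then authenticating by signing a random challenge. The device ID is bound into the signed message so a signature for one device cannot be replayed against another, and every login uses a fresh nonce so a captured response is useless later. All names (Registry, Enroll, Respond, Verify) and the in-memory store are assumptions made for illustration; it uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is a hypothetical in-memory store mapping a device ID to the
// public key enrolled for it at provisioning time. In production this would
// be a database populated during manufacturing or first boot.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

// NewRegistry creates an empty enrollment store.
func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}}
}

// GenerateDeviceKey is run on the device: the private key is created there
// and never leaves it. Only the public half is sent to the registry.
func GenerateDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Enroll records a device's public key. Re-enrolling an existing ID is
// refused so an attacker cannot silently swap in their own key.
func (r *Registry) Enroll(deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("invalid public key size")
	}
	if _, exists := r.keys[deviceID]; exists {
		return errors.New("device already enrolled")
	}
	r.keys[deviceID] = pub
	return nil
}

// NewChallenge returns a fresh 256-bit random nonce. A new nonce per login
// attempt is what makes a captured response worthless for replay.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// authMessage binds a fixed protocol label and the device ID to the nonce,
// so a signature produced for one device ID cannot be presented as another's.
func authMessage(deviceID string, challenge []byte) []byte {
	return append([]byte("iot-auth-v1|"+deviceID+"|"), challenge...)
}

// Respond is run on the device: prove possession of the private key by
// signing the server's challenge. No secret is ever transmitted.
func Respond(priv ed25519.PrivateKey, deviceID string, challenge []byte) []byte {
	return ed25519.Sign(priv, authMessage(deviceID, challenge))
}

// Verify is run on the server: look up the enrolled key and check the
// signature over the exact challenge that was issued for this device.
func (r *Registry) Verify(deviceID string, challenge, sig []byte) bool {
	pub, ok := r.keys[deviceID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, authMessage(deviceID, challenge), sig)
}

func main() {
	reg := NewRegistry()

	// Provisioning: the device generates its key pair and enrolls the public key.
	pub, priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	if err := reg.Enroll("camera-lobby-01", pub); err != nil {
		panic(err)
	}

	// Login: server issues a challenge, device signs it, server verifies.
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := Respond(priv, "camera-lobby-01", challenge)
	fmt.Println("genuine device accepted:", reg.Verify("camera-lobby-01", challenge, sig))

	// An attacker with a different key, or replaying the old signature
	// against a new challenge, is rejected.
	_, rogue, _ := GenerateDeviceKey()
	fmt.Println("rogue key accepted:", reg.Verify("camera-lobby-01", challenge, Respond(rogue, "camera-lobby-01", challenge)))
	next, _ := NewChallenge()
	fmt.Println("replayed signature accepted:", reg.Verify("camera-lobby-01", next, sig))
}
```

Contrast this with a password check: there is no shared secret stored on the server to leak, no credential that a Mirai-style list could contain, and an attacker who records the whole exchange learns nothing reusable. This is also the shape of SSH public-key and TLS client-certificate authentication, which is what most vendors mean by "PKI" for device access.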
The future of secure devices depends on administrators
The security imperative is immediate for administrators. Don't wait for policy to slowly pivot: the future of your connected infrastructure depends on taking decisive action today.
This starts with basics like the controls above. It also requires thinking critically about where a device comes from. Who is the manufacturer, what are their security priorities, and what is their track record? In a landscape of widespread supply chain risk, these questions cannot be discounted.
Also examine the operating system and internals. Is it a full general-purpose Linux distribution, with a large attack surface and more places for a backdoor to hide? Or a real-time operating system (RTOS) built specifically for the device's single task? Administrators must weigh whether the benefits of advanced capabilities justify the added risk. For many IoT use cases, simplicity and restraint are the more secure path.
It's encouraging to see regulators catching up to the harsh realities of modern device cybersecurity. However, top-down mandates can only go so far to protect you and your company. Ultimately, securing your connected future requires judicious device choices: rigorously examining device origins, favoring secure-by-design architectures, and customizing defaults. Until the standards fully mature, you are the last line of defense.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.