UK legislation bans weak passwords

Starting Monday, the UK will enforce new laws banning the sale of devices with weak default passwords such as “admin” or “12345.” This groundbreaking regulation requires all smart devices, including phones, TVs, and smart doorbells, to meet minimum security standards to protect against cybercriminal attacks.

The Department for Science, Innovation and Technology announced these measures as part of the broader initiative to enhance consumer protection in the digital age. Manufacturers are now mandated to ensure that internet-connected devices are secured against unauthorized access by prompting users to change common, easily guessable passwords upon setup.

In addition to the password security requirements, companies must also provide clear contact details for reporting bugs and vulnerabilities and maintain transparency about the timing of security updates. These steps are designed to increase accountability and improve the overall security posture of products available to consumers and businesses, which have increasingly been targeted by hackers.

Consumer advocacy group Which? has played a significant role in advocating for these regulations. Rocio Concha, Director of Policy and Advocacy at Which?, emphasized the importance of clear guidance for the industry and robust enforcement of the laws to ensure compliance. She also highlighted the responsibility of smart device brands to support their customers by making information readily available on how long devices will be supported, enabling more informed purchasing decisions.

Jonathan Berry, the Science and Technology Minister, remarked on the importance of these laws: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.” He added that these “world-first laws” will significantly enhance the safety of consumers’ personal privacy, data, and finances, underscoring the UK’s commitment to becoming the safest place in the world to be online.

The new regulations are part of the Product Security and Telecommunications Infrastructure (PSTI) regime, aimed at strengthening the UK’s resilience against cybercrime and ensuring a safer digital environment for all.

 
