Gadget-makers face ban on easy-to-guess passwords

[Image (Getty Images): Smart home devices can pose a security risk if their vendors do not take adequate care in securing them]

Internet-connected gadgets will have to come pre-set with a unique password, or require the owner to set one before use, as part of plans for a UK cyber-security law.

Manufacturers could face being forced to recall non-compliant products and could also be fined.

The government is now seeking feedback from consumer groups and industry experts to shape its final legislation.

One expert said the new rules would need "strong enforcement".

The "call for views" is the latest step to introduce a cyber-security bill, which was first outlined in May 2019.

Other proposals include a requirement that manufacturers state the minimum amount of time they will continue to provide security updates for a product after purchase.

Digital infrastructure minister Matt Warman said that until the law was passed, households should ensure they had changed all internet-linked devices' default passwords to "protect themselves from cyber-criminals".

Hijacked gear

Millions of so-called "internet-of-things" (IoT) devices are already in use in the UK, ranging from smart speakers and thermostats to security cameras and televisions.

But the government is concerned that the brands behind these products sometimes pre-load them with one of a few dozen common passwords, which are not subsequently reset by the owners.

As a consequence, cyber-attackers can easily break in and steal personal data, spy on users and even remotely take control of the products.

In some cases, this involves hijacking the devices to stage follow-up attacks, as part of what is known as a "botnet".

In 2016, the Mirai botnet, made up of hundreds of thousands of hacked internet-of-things products, flooded targets with data, causing Reddit, Spotify and Twitter among other services to go offline.

The new rules propose financial penalties for businesses that fail to abide by them. Courts would also be able to order that their products be confiscated or destroyed.

It is suggested that manufacturers would be banned from allowing users to reset their devices back to an easy-to-guess "universal factory setting".
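The requirements described above (a password unique to each unit, or one the owner must set before use; no reset path back to a shared factory default) are easier to reason about as a small device-side credential policy. The following is an added example, not code from any vendor, the government or the article; the weak-default list, the minimum length, the PBKDF2 parameters and the idea of printing a per-unit password on the device label are all assumptions made for illustration.

```python
"""
Illustrative model of the consumer-IoT password requirements discussed in the
article: no universal factory default, a unique per-unit password or a forced
owner-set password on first use, and a factory reset that never restores a
shared default. Added example code; parameters are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample of widely reused factory defaults (illustrative only; a
# real device would carry a far larger blocklist).
WEAK_DEFAULTS = frozenset({
    "admin", "password", "123456", "12345", "1234", "default",
    "root", "guest", "user", "000000", "qwerty",
})
MIN_LENGTH = 12          # assumed policy minimum
PBKDF2_ROUNDS = 100_000  # assumed; tune to the device's CPU budget


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash so a stolen flash image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    serial: str
    setup_required: bool = True
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16), repr=False)
    _hash: Optional[bytes] = field(default=None, repr=False)

    @classmethod
    def provision_unique(cls, serial: str) -> Tuple["Device", str]:
        """Option A: the factory pre-sets a password that is unique to this unit
        (assumed to be printed on the unit's label). Returns (device, password)."""
        dev = cls(serial)
        pw = secrets.token_urlsafe(12)  # 96 random bits, different for every unit
        dev._hash = _derive(pw, dev._salt)
        dev.setup_required = False
        return dev, pw

    @classmethod
    def provision_set_on_first_use(cls, serial: str) -> "Device":
        """Option B: ship with no usable credential; the owner must set one."""
        return cls(serial)

    def validate_password(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the password is acceptable."""
        low = candidate.lower()
        if low in WEAK_DEFAULTS:
            return "common default"
        if len(candidate) < MIN_LENGTH:
            return "too short"
        if self.serial.lower() in low:
            return "contains serial number"
        return None

    def set_password(self, candidate: str) -> None:
        reason = self.validate_password(candidate)
        if reason:
            raise ValueError(reason)
        self._salt = secrets.token_bytes(16)  # fresh salt on every change
        self._hash = _derive(candidate, self._salt)
        self.setup_required = False

    def login(self, candidate: str) -> bool:
        """Logins are refused outright until a credential exists."""
        if self.setup_required or self._hash is None:
            return False
        return hmac.compare_digest(self._hash, _derive(candidate, self._salt))

    def factory_reset(self) -> None:
        """A reset wipes the credential and returns to setup mode; there is no
        shared 'universal' default for it to fall back to."""
        self._hash = None
        self.setup_required = True


if __name__ == "__main__":
    dev, label_pw = Device.provision_unique("SN-0001")
    print("unique label password accepted:", dev.login(label_pw))
    print("'admin' accepted:", dev.login("admin"))
    dev.factory_reset()
    print("after reset, label password accepted:", dev.login(label_pw))
```

Option A models the "unique pre-set password" route and option B the "owner sets one before use" route; both share the same validation and reset behaviour, which is where a product that merely ships a different sticker per unit but restores `admin` on reset would still fail the proposed rule.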

Device makers would also have to tell the public how to contact them to report a security vulnerability.

The authorities could also order a temporary sales ban while an issue was being investigated and fixed, or permanently pull items from stores if they deemed it necessary.

"Some smart device manufacturers are improving their product security, but by no means all," commented Ken Munro of Pen Test Partners, a Buckingham-based firm responsible for exposing many high-profile gadget flaws.

[Video: Rory Cellan-Jones sees how Cayla, a talking child's doll, can be hacked to say any number of offensive things]

"We need regulation and strong enforcement. If consumers are confident that IoT products are secure, more people will be confident to buy them."

A government spokesman said the law would apply UK-wide and could be enforced as early as 2021 or 2022, but that this would depend on how soon it was given parliamentary scrutiny.