In context: It is not uncommon to see consumers using the default passwords on their devices, which leaves them vulnerable to cyber attacks. To remedy this situation, the UK government has passed legislation that will, among other things, prevent tech companies from using default passwords on their devices.
The UK government's Product Security and Telecommunications Infrastructure Bill (PSTI) is divided into two parts. As the name suggests, the first part consists of product security measures to protect consumers and companies from cyber attacks. The second part includes telecommunications infrastructure guidelines created to expedite the installation, use and updating of such equipment.
The first part of the bill sets out three requirements to achieve this goal: prohibit default passwords, require a vulnerability disclosure policy for products, and be transparent about how long products will receive important security updates.
The list of devices subject to the security requirements includes smartphones, connected consumer electronics and home appliances, connected safety-critical products and alarm systems, IoT hubs, smart home assistants, and home automation products. Oddly enough, computers are not included in the list. Once the bill is adopted, the government will give manufacturers, importers and distributors at least 12 months to adapt to the new legislation.
Telecommunications infrastructure measures aim to facilitate the implementation of new gigabit broadband and 5G networks. These rules will encourage the use of alternative dispute resolution instead of going to court, allow operators to share and update hidden infrastructure components, and simplify the renewal process after agreements have expired.
The bill has yet to receive Royal Assent, which is the final step before it becomes law. We have not heard of any other region applying similar legislation at this point, but it would not be surprising if some follow suit. Google and Microsoft have already introduced some of their own measures to improve user security. Google, for example, set accounts to use two-step verification by default and improved password protection in Chrome 88, while Microsoft added a passwordless option for its accounts.