The UK has just banned default passwords, and so should we

British lawmakers are tired of shitty Internet of Things passwords and are passing laws with harsh punishments and prohibitions to prove it. New legislation, introduced in the UK Parliament this week, would ban universal default passwords and work to create what supporters call a “firewall around everyday technology”.

In particular, the law, called the Product Safety and Telecommunications Infrastructure Act (PSTI), would require unique passwords for Internet-connected devices and prevent those passwords from being reset to universal factory settings. The bill would also force companies to increase transparency when their products require security updates and patches, a practice currently used by only 20 percent of firms, according to a statement attached to the law.

These heightened security proposals would be overseen by a sharp-toothed regulator: companies that refuse to adhere to safety standards could reportedly face fines of £10 million or four per cent of their global revenue.

“Hackers are trying to break into people’s smart devices every day,” said Julia Lopez, Britain’s media, data and digital infrastructure minister, in a statement. “Most of us assume that a product is safe and secure if it is for sale. However, many are not, which puts too many of us at risk of fraud and theft.”

The rules would try to deal meaningfully with what has become a scourge of weak IoT passwords that are increasingly vulnerable to attackers. And we are not talking about weak but helpful passwords. According to a 2020 report by cybersecurity company Symantec, 55% of the IoT passwords used in IoT attacks were “123456”. Another 3% of attacked devices had an “admin” password. The known problems with IoT devices go beyond passwords. A recent Palo Alto Networks report found that 98% of all IoT device traffic is unencrypted.

The problem is only getting worse, especially as smart home devices gain mass popularity and become more affordable. Although estimates vary, the total number of global IoT devices could rise to over 20 billion by 2030. This is already turning into more attacks. Just two months ago, Kaspersky Labs told Threatpost it had detected 1.5 billion IoT attacks in the first half of 2021 alone. That’s twice as many as were detected in the last six months of 2020.

IoT companies also routinely try to shift the blame onto customers when their poor security practices lead to breaches or hacks. That was, perhaps most famously, the case with the smart home security company Ring, which tried to claim the increase in compromised accounts was the result of password reuse. In response, Ring and its owner Amazon found themselves hit by a class action lawsuit filed in late 2019 accusing the company of negligence for failing to properly secure its devices. For what it’s worth, Ring has since made some sensible improvements in the security department, including requesting two-factor authentication on new devices and, more recently, adding end-to-end encryption.

The UK’s no-nonsense approach to passwords could serve as an example for the US and elsewhere to copy. The United States actually passed a significant IoT security bill last year, but stopped short of issuing penalties or bans on weak passwords. Instead, the legislation, the so-called Law on Improving Cyber Security of the Internet of Things, instructs the National Institute of Standards and Technology of the Ministry of Trade to establish a minimum set of safety requirements for IoT devices and to update these standards every five years.

The law also requires contractors to establish a vulnerability detection policy. But while these provisions are a step in the right direction, they are largely limited to firms doing business with the federal government.

In contrast, the bill proposed by the UK would cover a far wider scope of devices and producers and, more importantly, provide clear monetary sticks to achieve compliance. Incentives and carrots are only useful up to a certain point. Security failures, however, especially in cheap IoT devices, are nothing new and so far have mostly not responded to any market nudges. Instead, clear penalties, or at least the threat of them, could offer a path to real change.

Naveen Kumar
