Under the update, manufacturers will have to make it easy for people to report security issues. The PSTI also now requires them to give clear expectations for when those filing the reports can expect acknowledgment and status updates afterward. Violations of the law can result in fines as high as £10 million (about $12.5 million USD) or 4 percent of their “qualifying worldwide revenue,” depending on which is higher.
The law would apply to a wide range of products, but a big target here is likely IoT devices like smart TVs, smart plugs, or smart speakers. Many of these, particularly the cheapest commodified ones, end up as targets online, thanks to lax security practices, that made them part of devastating attacks like the Mirai-based botnet DDoS seen years ago. This doesn’t necessarily address all of those practices, but bad default passwords are low-hanging fruit that should be tackled.
In the US, the FCC is trying something similar with its forthcoming Cyber Trust Mark program. Much like the federal Energy Star program, the Cyber Trust Mark logo indicates which products comply with the program’s requirements, including strong default passwords.
But also like Energy Star, nobody is forcing companies to go along with it. And while Energy Star has clear, explainable benefits like lower utility bills, it’s a little harder to make it clear that a smart bulb connected to your router can be a security risk for your other devices, so it’s hard to know how effective it will be when it goes into effect.