Ban Bad Default Passwords On IoT Kit? Don’t Mind If You Do!

Hopefully The UK Is Just The First Of Many

There are many frustrating things about how companies treat the security of the IoT kit they sell, and the UK is addressing two of the biggest.  The first is the tendency to be lazy about passwords, as companies will often sell an entire line of products that all have the same password.  Even better, the password is usually something awful like admin, or it’s simply blank.  That is now illegal in the UK and companies found ignoring the new law will be subject to a fine of £10 million ($12.53 million) or 4% of their global revenue, which ever is higher.  The product would also be subject to a complete recall.

The second thing this law addresses is the practice of companies to simply abandon IoT devices with little to no notice.  This is often because the company switched to selling a newer model, but occasionally it is because of an bug that is hard to patch, if not impossible to get rid of.  The new law requires companies to be transparent about the length of time the devices will receive security updates.  This may hopefully help consumers make informed decisions when buying their next Internet attached fish tank thermometer or doorbell camera.