Default passwords for smart home devices and wireless routers will have to be made stronger in order to comply with new cybersecurity laws in both the UK and EU …

When you buy a smart home device – or even something as critical as a wireless router – it often arrives out of the box with a pre-configured password, and that password is often laughably weak. Some routers, for example, arrive with ‘admin’ preset for both username and password.

That will no longer be legal in Europe, after both the UK and EU passed separate cybersecurity laws.

The Record reports on the UK law.

On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for […]

Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.

Products that fail to comply with the rules could face being recalled, and the companies responsible could face a maximum fine of £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.

The EU’s Cyber Resilience Act (CRA) hasn’t yet come into effect, but will include a similar requirement for better default security.

The CRA aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.

The latter is expected to come into force later this year.

The US doesn’t yet have anything similar, but global brands are likely to apply the same standards for their products sold around the world.

Photo by Sebastian Scholz (Nuki) on Unsplash

Default passwords for smart home devices and wireless routers will have to be made stronger in order to comply with new cybersecurity laws in both the UK and EU …

When you buy a smart home device – or even something as critical as a wireless router – it often arrives out of the box with a pre-configured password, and that password is often laughably weak. Some routers, for example, arrive with ‘admin’ preset for both username and password.

That will no longer be legal in Europe, after both the UK and EU passed separate cybersecurity laws.

The Record reports on the UK law.

On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for […]

Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.

Products that fail to comply with the rules could face being recalled, and the companies responsible could face a maximum fine of £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.

The EU’s Cyber Resilience Act (CRA) hasn’t yet come into effect, but will include a similar requirement for better default security.

The CRA aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.

The latter is expected to come into force later this year.

The US doesn’t yet have anything similar, but global brands are likely to apply the same standards for their products sold around the world.

Photo by Sebastian Scholz (Nuki) on Unsplash