30 April 2024

UK bans weak default passwords on IoT devices


The United Kingdom has become the first nation to prohibit default guessable usernames and passwords for Internet of Things (IoT) devices.

Under provisions of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI), manufacturers of IoT devices are mandated to adhere to new security standards, compelling them to eschew weak or easily guessable default passwords such as “admin” or “12345”. However, the legislation does permit the installation of unique passwords by default.

In addition to banning default guessable passwords, the PSTI requires manufacturers to make available contact information for users to report any discovered vulnerabilities or bugs in their products. Moreover, companies are now obligated to be transparent with consumers regarding the duration of security updates for their products.

According to the UK’s National Cyber Security Centre (NCSC), the law applies to any ‘consumer smart device’ that connects either to the internet or to a home network, such as smart speakers, smart TVs and streaming devices, smart doorbells, baby monitors and security cameras, cellular tablets, smartphones and games consoles, wearable fitness trackers (including smart watches), and smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners and washing machines).

Products that fail to comply with the PSTI face the risk of being subject to recall, while the companies could incur substantial penalties. According to the legislation, fines could reach up to £10 million ($12.53 million) or 4% of the company's global revenue, whichever figure is higher.

