According to the UK’s minister for digital transformation Matt Warman MP, the problem of poor Internet of Things (IoT) device security needs to be addressed urgently.
By the end of 2021, weak passwords for such gadgets could be made illegal.
At this point, billions of IoT devices have already been released, and by 2025, the number is expected to reach 41 billion.
These devices include:
- Smart speakers
- Voice assistants
- Smartwatches for dementia patients
- Smart lightbulbs
- Smart security systems
- Smart TVs
Therefore, something ought to be done about the weak pre-set passwords that come with them.
These are neither strong nor unique, and to make matters worse, sometimes the user is not even presented with the option to change them.
Even if they were, however, not everyone would bother changing them, as IoT gadgets are often marketed as ‘fire and forget’.
While an IT-savvy user is likely to change the password and update the firmware upon acquiring a device, the same cannot be said for the rest.
Since the former group is outnumbered by the latter, this creates a thriving attack landscape for hackers to take advantage of.
Worse yet, breaking into a device with an unmodified default password does not take much effort.
Once compromised, these devices could be used for data theft, setting up botnets, or performing DDoS attacks.
In an effort to protect consumers, the UK has proposed a law that would make universal passwords for IoT devices illegal.
Moving forward, alternative authentication mechanisms will be encouraged.
To increase security, even unique passwords that are considered to be easily guessable will no longer be allowed.
Another requirement would be to provide vulnerability reporting mechanisms for the end-user.
Failure to remain compliant could result in temporary sales bans or seizure of the devices.