New UK Law Means Fines for Default Passwords on Smart Devices

Victoria Roberts


New legislation means smart devices will have added security and be better protected from hacking.

The UK government has introduced new legislation to protect users who have smart devices in their homes from being hacked.

The Product Security and Telecommunications Infrastructure Bill (PSTI) implements three new rules, the first of which means generic default passwords, preloaded on smart devices, are to be banned.

All devices are now required to have unique passwords that cannot be reset to a factory default. All makers of digital products will be affected by this rule, alongside any businesses which sell cheap tech imports to the UK.

This comes after research from consumer watchdog Which? revealed that smart devices could be exposed to more than 12,000 attacks in any single week.

Julia Lopez, minister for media, data and digital infrastructure, said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.

“Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security systems.”


Devices connected to the internet will no longer be allowed to use default passwords, and non-compliant companies will face fines.

Included in the list of devices are smartphones, internet routers, home and security cameras, games consoles, home speakers and internet-enabled toys and white goods, such as smart fridges.

Cybercriminals are increasingly pinpointing devices such as baby monitors, phones, smart TVs, home speakers and internet-connected dishwashers.

Once a vulnerable device has been infiltrated, hackers can go on to access the network of an entire home and steal personal data.

While these devices are subject to strict rules to protect users from physical harm, such as overheating, electric shocks or sharp components, there are no rules to protect users from cyber-breaches.

Other legislation in the PSTI Bill dictates that upon purchasing a new device, customers must be told the minimum time it will take to receive vital security updates and patches.

In the case where a product doesn’t receive security updates or patches, the customer must be told this.

The new law will be overseen by a regulator appointed once it comes into force. The regulator will have the power to fine companies up to £10 million, or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.

Devices not included as part of the new legislation are desktop and laptop computers, as well as vehicles, smart meters and medical devices.

Victoria Roberts

Staff Writer