Weak default IoT passwords targeted by new UK law

Looking to prevent another mass internet attack like the great Mirai hack, the United Kingdom just became the first country to ban weak default passwords on IoT devices.

The law, which took effect Monday, bars IoT manufacturers from setting default passwords such as “admin” or “12345” on their devices, a practice that makes them easy pickings for hackers, The Register reports.

The weakness targeted by the new UK law is the same one that opened the door to the infamous Mirai attack of 2016, in which a massive botnet made up of hundreds of thousands of hijacked IoT devices managed to briefly knock much of the U.S. East Coast offline.

Besides barring weak default passwords, the Product Security and Telecommunications Infrastructure Act 2022 mandates that IoT manufacturers publish their contact details to make bugs and other issues easier to report.

The law also says that smart-home device makers must be “open” with users about when security updates are on the way.

Manufacturers who don’t follow the rules could be subject to fines of up to £10 million or 4 percent of their global revenue, according to The Register’s report. Companies may also have to recall products that aren’t in compliance with the new law.

While many smart device manufacturers have beefed up their password security with mandatory two-factor authentication and similar measures, plenty of routers, security cameras, and other IoT devices still ship with weak default passwords, such as “0000,” “12343,” or “admin.”

These weak passwords make it easy for users to gain first-time access to their new IoT devices. The problem, of course, is that too many users never bother to change the passwords.

In the case of the Mirai attack, a self-replicating worm pinged IoT devices across the internet, looking for products that were protected only with the weakest of default passwords.

Once a vulnerable IoT device was hijacked, it was dragooned into an ever-growing army of compromised smart gadgets, allowing the botnet attacks to accelerate and intensify.
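As an added illustration (not code from the article or from any vendor it mentions), here is the kind of first-boot credential gate the new rules push device makers toward: a factory credential never counts as a valid login, and the user-chosen replacement is rejected if it matches a known default or is otherwise trivially guessable. The denylist and function names are assumptions constructed for this example.

```python
# Added example, not from the article: a manufacturer-side first-boot gate
# that refuses factory defaults and trivially guessable replacements.

# Constructed sample of factory defaults of the kind the article cites
# ("admin", "12345", "0000"); a real product would ship a far larger list.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "0000", "1234", "root", "default"}

def is_sequential(s: str) -> bool:
    """True if every adjacent pair of characters steps by exactly +1 or -1
    ("1234", "abcd", "dcba"); a single repeated character is not sequential."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def password_weakness(pw: str):
    """Return a short reason string if pw is unacceptable, else None.
    Checks are ordered from cheapest and most decisive to weakest heuristic."""
    low = pw.lower()
    if low in KNOWN_DEFAULTS:
        return "known default"
    if len(pw) < 8:
        return "too short"
    if len(set(low)) == 1:
        return "single repeated character"
    if is_sequential(low):
        return "sequential characters"
    if low.isdigit() and len(set(low)) <= 2:
        return "digits only, low variety"
    return None

def first_boot_allows_login(password_changed: bool, candidate_pw: str) -> bool:
    """Gate applied on first boot: until the owner has replaced the factory
    credential with one that passes password_weakness(), no login succeeds,
    so a device left at its default is unreachable to a scanning worm."""
    return password_changed and password_weakness(candidate_pw) is None
```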

The Mirai attack was so widespread that internet access across the country became unstable for roughly a week.

The culprits behind the hack were ultimately caught, but as long as IoT manufacturers continue to release products with weak default passwords, the vulnerability that made the Mirai attack possible will remain a threat.

As The Register notes, the EU is considering legislation that includes similar provisions to the UK’s new law, but for now, the U.S. lacks its own provisions against weak default IoT passwords.

© Tech Hive