To prevent another mass internet attack like the great Mirai hack, the UK has just become the first country to ban weak default passwords on IoT devices.
The law, which went into effect Monday, prohibits IoT manufacturers from setting default passwords like “admin” or “12345” on their devices, a practice that makes them easy prey for hackers, The Register reports.
The vulnerability targeted by the new UK law opened the door to the infamous Mirai hack of 2016, in which a massive botnet of hundreds of thousands of hijacked IoT devices managed to briefly knock much of the East Coast offline.
This news is part of TechHive’s in-depth coverage of the best smart home systems.
In addition to banning weak default passwords, the Product Security and Telecommunications Infrastructure Act 2022 requires IoT manufacturers to publish their contact information to make it easier to report bugs and other issues.
The law also says smart home device manufacturers must be “upfront” with users about when security updates are available.
According to The Register’s report, manufacturers who fail to comply with the rules could be fined up to £10 million, or 4 percent of their global turnover. Companies may also have to recall products that do not comply with the new law.
While many smart device manufacturers have improved their password security through mandatory two-factor authentication and similar measures, many routers, security cameras, and other IoT devices still ship with weak default passwords such as “0000,” “12343,” or “Administrator.”
These weak passwords make it easier for users to access their new IoT devices for the first time. The problem, of course, is that too many users never bother to change passwords.
In the case of the Mirai attack, a self-replicating worm pinged IoT devices across the internet, looking for products protected with only the weakest default passwords.
Once a vulnerable IoT device was hijacked, it was drawn into an ever-growing army of compromised smart gadgets, causing botnet attacks to accelerate and intensify.
The Mirai attack was so widespread that internet access across the country was unstable for about a week.
The perpetrators behind the hack were ultimately caught, but as long as IoT manufacturers continue to release products with weak default passwords, the vulnerability that enabled the Mirai attack will remain a threat.
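As an added illustration (not code from the TechHive article or from any manufacturer), this is the kind of pre-shipment check a vendor could run over a batch of factory credentials before devices leave the line. It rejects the weak defaults quoted above and, going one step beyond the article, also flags a password shared by more than one unit or derived from the device identity, since a single shared default is what a Mirai-style scanner relies on. The weak-password list, serial numbers and passwords are constructed sample data.

```python
"""Audit a batch of factory-provisioned IoT credentials for weak or shared defaults."""
from collections import Counter
from dataclasses import dataclass

# Constructed blocklist: the defaults named in the article plus common variants.
WEAK_DEFAULTS = {"admin", "administrator", "password", "root", "user",
                 "12345", "123456", "1234", "0000", ""}


@dataclass
class DeviceCredential:
    serial: str
    username: str
    password: str


def is_weak_default(password: str) -> bool:
    """True if the password is on the blocklist or trivially guessable."""
    p = password.strip().lower()
    if p in WEAK_DEFAULTS:
        return True
    if len(p) < 8:                       # catches "12343", "0000" and friends
        return True
    if len(set(p)) == 1:                 # "aaaaaaaa", "00000000"
        return True
    if "1234567890".startswith(p):       # "12345678", "123456789", ...
        return True
    return False


def audit_batch(batch: list[DeviceCredential]) -> dict[str, list[str]]:
    """Map each failing serial to the reasons it fails; clean devices are omitted."""
    usage = Counter(c.password for c in batch)
    findings: dict[str, list[str]] = {}
    for c in batch:
        reasons = []
        if is_weak_default(c.password):
            reasons.append("weak-default")
        if usage[c.password] > 1:        # same default burned into several units
            reasons.append("shared-across-devices")
        if c.password.lower() in (c.username.lower(), c.serial.lower()):
            reasons.append("derived-from-identity")
        if reasons:
            findings[c.serial] = reasons
    return findings


# Constructed sample batch: three weak defaults, one shared pair, one serial-as-password.
SAMPLE_BATCH = [
    DeviceCredential("SN-0001", "admin", "admin"),
    DeviceCredential("SN-0002", "admin", "12343"),
    DeviceCredential("SN-0003", "admin", "0000"),
    DeviceCredential("SN-0004", "admin", "Ff7q-Lk2m-9xWb"),
    DeviceCredential("SN-0005", "admin", "Ff7q-Lk2m-9xWb"),
    DeviceCredential("SN-0006", "admin", "Zp3v-Qa8n-T4hc"),
    DeviceCredential("SN-00000007", "admin", "SN-00000007"),
]

if __name__ == "__main__":
    for serial, reasons in audit_batch(SAMPLE_BATCH).items():
        print(f"{serial}: {', '.join(reasons)}")
```

Only SN-0006 passes; every other unit in the sample would be rejected before shipping.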
As The Register notes, the EU is considering legislation containing similar provisions to the UK’s new law, but the US currently lacks its own provisions against weak default IoT passwords.