Seven years ago, the United States experienced a significant cyberattack: on October 21, 2016, popular websites such as Twitter, CNN, and Netflix became inaccessible. Suspicion initially fell on a powerful state actor, but the outage turned out to be a distributed denial-of-service (DDoS) attack against Dyn, a major provider of Domain Name System (DNS) services.
Although the attack was not sophisticated, its impact was substantial. The attackers used a botnet named Mirai, made up of compromised internet-connected consumer devices, to flood Dyn's servers with massive volumes of traffic. Mirai, created by three young U.S. citizens, spread by logging into devices with their factory-default usernames and passwords, infecting around 300,000 of them and exposing the lax security practices of Internet of Things (IoT) manufacturers.
In response to such vulnerabilities, the United Kingdom enacted the Product Security and Telecommunications Infrastructure Act 2022 (PSTI), which prohibits guessable default usernames and passwords on IoT devices. The legislation also establishes minimum security standards for manufacturers and requires them to state how long a product will receive security updates.
Manufacturing flaws in IoT products have exposed home and business networks to additional risks, exemplified by instances like hackers breaching a casino’s network via an internet-connected fish tank temperature sensor, as reported by Darktrace.
Under the PSTI, manufacturers must eliminate weak default passwords and provide bug-reporting contact details. Non-compliant products risk recall and fines up to £10 million or 4% of global revenue.
Enforcement of the law falls under the Office for Product Safety and Standards (OPSS). Consumer-rights organization Which? calls for clear guidance and stringent enforcement against law-breaking manufacturers.
Viscount Camrose, serving as minister for cyber, underscores the importance of safeguarding consumers’ privacy, data, and finances. Similar legislation is under consideration elsewhere, such as the European Union’s Cyber Resilience Act, while the United States is developing federal laws like the IoT Cybersecurity Improvement Act of 2020 to address consumer IoT device security.