Default passwords banned for smart devices as part of hacking crackdown

Mike Wright
The move comes after investigations have found some internet-connected devices such as baby monitors are easily hacked

Default passwords such as 1,2,3,4 are to be banned in smart devices, the Government has announced as part of a crackdown on hacking.

Manufacturers of internet-connected gadgets such as smart speakers and baby monitors will also have to tell customers by law how long they intend to provide security support for their products.

The shake-up comes as part of a drive to improve digital protections in the growing number of ‘smart’ household items, amid fears they can be hacked into and used to spy on people in their own homes. 

The Department for Digital, Culture, Media and Sport (DCMS) also announced that companies will now have to have a public point of contact where people can report vulnerabilities they find in their software.

The Government said it plans to draw up legislation to enforce the new standards and bring it before MPs “as soon as possible” when the parliamentary schedule allows.

Digital Minister Matt Warman said: “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.   

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

Security experts have previously warned that smart devices with weak security could provide a route for hackers to get into owners’ connected smartphones and then steal sensitive personal information, as well as threaten corporate or state secrets.

Last year, the consumer watchdog Which? also found serious security flaws in six wireless cameras it tested at random from Amazon, some of which were marketed as baby monitors.

The organisation said security flaws like weak default passwords meant the cameras were vulnerable to hacking, allowing strangers to spy on victims without detection.

Which? welcomed the Government’s pledge to bring in legislation but said the new standards needed to be backed by strong sanctions.

Caroline Normand, Which? Director of Advocacy, said: “Which?'s product testing has exposed serious security flaws with a number of products that fail the most basic of security tests - including wireless cameras and popular children's smart toys - so regulation of mandatory security requirements must be a critical first step.

“Strong enforcement will be essential, and manufacturers, online marketplaces and retailers must be held accountable in order to prevent security-risk products ending up in people’s homes.”

The latest announcement comes after the Government released a voluntary security best-practice code in 2018 for manufacturers to follow.

Last year, it announced it was looking at plans to make all or parts of the code mandatory ahead of a consultation with manufacturers.

Following yesterday’s announcement, the 10 parts of the code that will not be made law will remain voluntary, but the Government said it was still considering introducing a ‘kitemark’ labelling scheme for products that meet all the requirements.

The code was developed with the National Cyber Security Centre, a branch of GCHQ, and has been signed up to by a number of large corporations including Centrica Hive, HP and Panasonic. 

Following the password ban announcement, Nicola Hudson, Policy and Communications Director at the NCSC, said: “Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed.

“It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”