UK tackles cybercrime with PSTI Act
The United Kingdom has become the first country to bring into force a law banning universal default passwords on consumer smart devices. Under the Product Security and Telecommunications Infrastructure (PSTI) Act, whose product security requirements took effect on 29 April 2024, the UK is leading the effort to protect consumer devices from attackers who exploit vulnerabilities in internet-connected products.
The PSTI Act is part of a wider set of laws aimed at expanding cybersecurity protections for consumers and users of internet-connected, or Internet of Things (IoT), devices, which are ubiquitous throughout the nation. The UK government estimates that 99% of UK adults own an internet-connected device such as a smartphone, tablet or smart home product. The EU's forthcoming Cyber Resilience Act is a comparable mandate for European consumers, setting requirements for both hardware products and software.
The PSTI Act places the duty to comply with the universal password ban on manufacturers, importers and distributors. Organizations that buy and deploy connected devices still need to know how to evaluate those devices, and the products that integrate with them, in light of these changing mandates.
Along with choosing secure devices, organizations must be proactive about choosing secure software and services that connect to those devices. Software security matters as much as hardware security: the firmware, companion apps and cloud services that ship with a device are what an attacker actually reaches, and the vendors that build them are central to meeting these standards.
Let’s take a look at what businesses and organizations need to know about the PSTI Act and what devices and areas are affected.
What is the PSTI Act?
The PSTI Act received Royal Assent in December 2022, and its product security regime came into force in the UK on April 29, 2024, to protect consumers from the security problems that often come with IoT devices. This law, among the first of its kind, bans manufacturers from shipping a wide range of internet-connected devices with default or easily guessed passwords. According to the mandate, "manufacturers, importers, and distributors of consumer connectable products must comply" with the new law.
The law also puts other protections in place so that consumers have a way to report security issues with devices. The PSTI Act makes manufacturers and retailers responsible for communicating with consumers about security fixes.
The Act has a second part dealing with telecoms infrastructure, as the Center for Cybersecurity Policy notes, but it is the product security part that affects consumers and businesses most directly.
The new legislation "bans devices from accepting default or easily-guessed, insecure passwords, and forces manufacturers to publish contact details so that bugs and issues can be reported," according to news reports on the act. The PSTI Act also requires manufacturers and retailers to tell consumers the minimum period during which a product will receive security updates and software patches.
Most smart devices are manufactured outside the UK, but importers and retailers that supply the UK market must also comply with the new law.
Along with banning universal passwords, the law requires manufacturers to state the minimum period for which device software will receive security updates and patches. Taken together, these requirements push manufacturers toward building security into the product's design, in the spirit of the Secure by Design approach promoted by the Cybersecurity and Infrastructure Security Agency (CISA) in the US.
What devices are affected?
The PSTI Act covers consumer connectable products: IoT and smart devices, together with their installed software components, that can connect to the internet or a network and are frequent targets for attackers. The law specifically bans universal default passwords (UDPs), the manufacturer-set passwords shared across an entire product line that have been widely associated with breaches. Where a device ships with a password, that password must be unique to the unit (or be set by the user) so that the device is secure "out of the box", and easily guessed passwords are banned.
Universal default passwords are especially risky in devices because they let a single attack work against every unit of a product line "at scale."
“As the name suggests, a UDP is a password used as a default setting for a mass-produced consumer device,” the Cybersecurity Tech Accord notes. “UDPs not only put individual devices at risk, but they also make attacks easier to conduct at scale as one piece of malware can use common passwords to attack many devices at once.”
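As an added illustration that is not part of the Act, the regulations or this article: the routine below shows how a manufacturer can give every unit its own factory password and then check a whole production run for the patterns the rules reject (a shared password, a password taken from a common-default list, or one derived directly from the serial number or MAC address). It assumes a secret provisioning key held by the factory, keyed hashing (HMAC-SHA256) of the serial number as the derivation method, and constructed serial numbers, MAC address and blocklist; none of those details come from the page.

```python
"""Per-device factory passwords and a universal-default check.

Added example, not from the PSTI Act, its regulations or the article.
Assumed: a 256-bit provisioning key held in the factory, HMAC-SHA256 over
the serial number as the derivation method, and a constructed blocklist.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Characters without look-alikes (no 0/O or 1/l/I) so a printed label is
# readable by support staff. Assumed choice for this example.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed, deliberately short blocklist of universal defaults; a real
# one would be far longer.
COMMON_DEFAULTS = {
    "admin", "password", "123456", "12345678", "default", "root",
    "user", "1234", "admin123", "support", "guest",
}


def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' matches 'aabbcc'."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def derive_factory_password(provisioning_key: bytes, serial: str, length: int = 16) -> str:
    """Per-unit password via keyed hashing of the serial number.

    Anyone can read the serial off the box, but without the provisioning
    key they cannot compute the password, and the factory can reprint a
    label from the serial without keeping a password database.
    """
    if len(provisioning_key) < 32:
        raise ValueError("provisioning key must be at least 256 bits")
    if not 12 <= length <= 40:  # 256 bits of digest covers ~44 alphabet symbols
        raise ValueError("length must be between 12 and 40")
    digest = hmac.new(provisioning_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def random_factory_password(length: int = 16) -> str:
    """Alternative: a fully random per-unit password. This needs a protected
    per-unit record, since nothing can regenerate it from the serial."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable_default(password: str, serial: str, mac: str = "") -> tuple[bool, str]:
    """Reject the ways a 'unique' factory password can still be guessable."""
    if password.lower() in COMMON_DEFAULTS:
        return False, "on the universal-default blocklist"
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if password.isdigit():
        return False, "digits only (counter-style default)"
    for ident in (serial, mac):
        if ident and _normalise(ident) and _normalise(ident) in _normalise(password):
            return False, "derived from a public identifier"
    if len(set(password)) < 8:
        return False, "too few distinct characters"
    return True, "ok"


def find_shared_passwords(batch: dict[str, str]) -> dict[str, list[str]]:
    """Production-run check: one password on two units is a universal default
    in miniature. Returns password -> serials that share it."""
    seen: dict[str, list[str]] = {}
    for serial, pw in batch.items():
        seen.setdefault(pw, []).append(serial)
    return {pw: serials for pw, serials in seen.items() if len(serials) > 1}


def provision_batch(provisioning_key: bytes, serials: list[str]) -> dict[str, str]:
    """Derive, validate and uniqueness-check a whole run; raise on any failure."""
    batch: dict[str, str] = {}
    for serial in serials:
        pw = derive_factory_password(provisioning_key, serial)
        ok, why = is_acceptable_default(pw, serial)
        if not ok:
            raise ValueError(f"{serial}: {why}")
        batch[serial] = pw
    if shared := find_shared_passwords(batch):
        raise ValueError(f"non-unique passwords: {shared}")
    return batch


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in the factory HSM; constructed here
    serials = [f"SN-2024-{i:06d}" for i in range(1, 6)]  # constructed serials
    for sn, pw in provision_batch(key, serials).items():
        print(sn, pw)
    # The forbidden patterns, run through the same check:
    for bad in ("admin", "SN-2024-000001", "00000042", "AABBCCDDEEFF"):
        print(bad, is_acceptable_default(bad, "SN-2024-000001", "AA:BB:CC:DD:EE:FF"))
```

The keyed derivation matters: a password built from the serial or MAC without a secret (the last eight digits of the serial, or the MAC address with the separators removed) is "unique" on paper but trivially computable by anyone holding the box, which is exactly the kind of easily guessed default the rules are meant to exclude.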
Devices mandated under the PSTI Act
The regulations under the PSTI Act list the types of device in scope, and the law also covers the software components installed as part of each device. The list includes popular products used by businesses as well as by consumers of all ages.
Devices covered include:
- TVs, streaming devices, speakers
- Games consoles, smartphones, tablets
- Base stations and hubs
- Home automation and alarm systems
- “Wearables”: smartwatches, fitness trackers, etc.
- Home appliances (thermostats, washing machines, light bulbs, refrigerators, home assistants, etc.)
- Security devices (doorbells, security cameras, baby monitors, etc.)
- Children’s toys
Security measures must extend beyond devices
The PSTI Act is a significant step toward mitigating the risk that UDPs create in devices, and it places the responsibility on manufacturers and distributors. Securing the hardware is a necessary first step, but it is not the last one.
Organizations must also commit to secure integrations between devices and the software they connect to. Software companies and their products play a key role in helping device manufacturers comply with mandates such as the PSTI Act and the regulations that will follow it.
It is equally important for organizations and software vendors of all kinds to define and enforce strict standards for securing the APIs through which device software is integrated with other systems.
As a report in The FinTech Times puts it, "Weakly secured APIs can be exploited to gain unauthorised access to sensitive data or disrupt critical functionalities within connected devices."
Meanwhile, data breaches continue to affect organizations: significant breaches attributed to API vulnerabilities were reported across several industries in the first quarter of this year. Industry observers expect that the next round of regulation, in the US and elsewhere, is likely to address API security as these breaches continue to escalate.
Organizations should start now on standards for securing the APIs that connect their software and devices. Choosing software that is built with security in its design, including platforms that allow apps and devices to be integrated securely, is the complementary step that secures the whole chain end to end.