

The UK has made history as the first nation to ban the sale of IoT devices with default passwords through new legislation effective April 29, 2024. This law encompasses a wide range of IoT devices and potential scenarios, with its primary provisions clearly outlined by the UK National Cyber Security Centre (NCSC). In an announcement which almost speaks for itself, the NCSC said:

“The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared. If the default password is used, a criminal could log into a smart device and use it to access a local network, or conduct cyberattacks.”

The new UK law, known as the Product Security and Telecommunications Infrastructure Act (PSTI), will compel vendors and manufacturers to adopt a long-overdue security standard for IoT devices.


IoT devices face significant security challenges. While the specific challenges are new, the overall problem of hackers is something we’ve dealt with since the Internet began. Here are the main IoT security risks that we need to contend with:

  • Weak Authentication – Passwords are critical for device security, but default and user-chosen passwords are often weak. Many IoT devices lack robust authentication, making them easy targets for hackers and potential entry points into larger networks.
  • Legacy Assets – Older applications not designed for cloud connectivity struggle with modern cyber threats. Upgrading these legacy systems is challenging due to their outdated infrastructure.
  • Inconsistent Security Standards – The IoT industry lacks universal security standards, leading to varied and often insufficient security protocols. This inconsistency complicates securing devices and safe machine-to-machine communication.
  • Lack of Encryption – Many IoT devices do not encrypt data transmissions, exposing sensitive information to potential interception.
  • Missing Firmware Updates – Devices often contain bugs that create security vulnerabilities. The ability to issue timely firmware updates is crucial, yet remote updates are not always feasible, sometimes requiring physical access.


The first step in protecting IoT devices is through authentication, which verifies the identity of a user or process. Access to a device is granted using an identifier (such as a username) and is authenticated to prove the user’s identity. Authentication methods include:

  • Something you know – such as a password
  • Something you have – such as a smart card
  • Something you are – such as a fingerprint or other biometric feature

Weak passwords pose a significant risk, emphasizing the importance of not using universal default passwords. Every device has attack surfaces, which are the points that unauthorised users can exploit to access or retrieve data from the device.

Weak passwords typically have the following vulnerabilities:

  • Easily brute-forced – Short passwords (fewer than six characters), predictable sequences such as 123456, or common words such as “administrator”
  • Susceptible to social engineering – Passwords built from easily guessed personal information, such as Peter01 if your name is Peter
  • Unchangeable – Passwords that can be found in the software’s source code and cannot be altered
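The three categories above map directly onto checks a manufacturer can run at provisioning time. The following is an added example, not code from the article or from Zhero: a password-policy check that flags short, sequential, common-word, username-derived and known-universal-default passwords, plus a helper that generates a unique per-unit factory credential so that no two devices ship with the same one. The word lists and the 12-character length are constructed assumptions, not values from the page.

```python
import re
import secrets
import string

# Constructed sample lists (assumption: a real product ships far larger ones).
COMMON_WORDS = {"administrator", "admin", "password", "welcome", "letmein"}
UNIVERSAL_DEFAULTS = {"admin", "1234", "12345", "123456", "password", "root"}


def _is_sequence(s: str) -> bool:
    """True for predictable runs such as 123456, 654321, abcdef or aaaaaa."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def weaknesses(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is weak (empty list = acceptable).

    Mirrors the article's categories: easily brute-forced, guessable through
    social engineering, and universal defaults that must not be kept.
    """
    p = password.lower()
    reasons = []
    if len(password) < 6:
        reasons.append("too short (< 6 characters)")
    if _is_sequence(p):
        reasons.append("predictable sequence")
    if p in COMMON_WORDS:
        reasons.append("common word")
    # Peter01 -> "peter": strip trailing digits/punctuation, compare to the account name.
    stem = re.sub(r"[\d\W_]+$", "", p)
    if username and stem and stem == username.lower():
        reasons.append("derived from username")
    if p in UNIVERSAL_DEFAULTS:
        reasons.append("known universal default")
    return reasons


def per_unit_default(length: int = 12) -> str:
    """Generate a unique factory credential for one unit (e.g. printed on its label).

    Re-draws on the rare chance the random string trips one of the checks above.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate
```

A device that enforces `weaknesses()` on first boot and ships with `per_unit_default()` output rather than a shared string satisfies the spirit of the default-password provision; the check is deliberately conservative so that it can be extended with a larger breached-password list.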


The fledgling PSTI Act means that the days of weak or universal passwords for IoT devices are numbered, if not over altogether. According to the NCSC, the law will help consumers choose smart devices that have been designed to provide ongoing protection against cyberattacks. The law requires manufacturers to ensure that all their smart devices meet basic cybersecurity standards. Specifically:

  • Manufacturers must not supply devices with default passwords that are easily found online and shared. If such passwords are used, criminals could log into a smart device and use it to access a local network or conduct cyberattacks.
  • Manufacturers must provide a point of contact for reporting security issues. If these issues are ignored, devices could become exploitable by cybercriminals.
  • Manufacturers must specify the minimum period during which the device will receive critical security updates. Once updates are no longer provided, devices become more susceptible to hacking and may stop functioning as intended.


The law aims to enforce a set of minimum security standards across various internet-connected products to prevent vulnerable devices from being exploited in DDoS botnets like Mirai. It applies to:

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Cellular tablets, smartphones, and game consoles
  • Wearable fitness trackers, including smartwatches
  • Smart home appliances, such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines

Companies that do not comply with the PSTI Act face potential recalls and financial penalties, with fines up to £10 million ($12.5 million) or 4% of their global annual revenues, whichever is higher.


The future is potentially a bright one for SMEs that incorporate IoT into their processes and strategies. Izak Oosthuizen, the Founder and CEO of Zhero, says in his latest bestseller, You Don’t Need a £1 Million Cybersecurity Budget:

“SMEs are starting to buy into IoT technology. In 2021, 70% of UK small businesses were already looking into using IoT platforms to optimise operations, improve customer experience, and monitor their inventory.”

That said, whether an SME is simply dipping its toe into the IoT pool or taking the plunge, cybersecurity should be at the forefront of every decision it makes. Zhero is London’s #1 end-to-end cybersecurity and IT support company for SMEs. Our cybersecurity and risk solution, Protect IT Better, has been carefully crafted and developed to proactively nurture and build a sustainable cybersecurity environment, giving your business a competitive advantage. Reach out to us today and find out how we can crush your IT chaos.
