Brits Ban Default Passwords — and More IoT Stupidity
2024-5-1 02:12:47 Author: securityboulevard.com(查看原文) 阅读量:7 收藏

‘Union Jack’ bunting in Balham after the Queen’s Platinum Jubilee celebrations, June 2022The UK’s Product Security and Telecommunications Infrastructure Act aims to make net-connected consumer gear more secure.

British lawmakers want to stop the sale of insecure devices. In addition to banning insecure passwords, says the Product Security and Telecommunications Infrastructure Act (PSTI), vendors must say how long the device will be supported. And device makers must follow the law as of right now.

Compliance failure could mean big fines. In today’s SB Blogwatch, the ‘S’ in IoT stands for Security.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How phones used to work.

Nice Cup of IoTea?

What’s the craic? Aunty Beeb’s Lucy Hooker reports: Tougher rules for sellers of internet-enabled devices

Three new requirements
The government said the laws were a “world first.” … The National Cyber Security Centre said firms making the products needed to take responsibility.

The new law makes three new requirements:

    • that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like “12345” or “admin”
    • that there is clarity around how to report “bugs” or security problems that arise
    • that manufacturers and retailers inform customers how long they will receive support, including software updates

Will this law really help? Hadlee Simons says maybe: This law might help

Major problems
Tired of non-existent updates and poor password hygiene on your smart TV or baby monitor? So is the UK government. … Any companies breaching these requirements would face fines, including penalties of up to £20,000 (~$25,073) for each day the breach continues.

We hope similar legislation comes to other countries: … Opaque/non-existent update policies and poor password hygiene are two major problems in the connected gadget space. Problems like these are why there’s been no shortage of stories about connected products being hacked.

AIE

Techstrong Podcasts

Let’s hear from the horse’s mouth. The National Cyber Security Centre’s mysterious Carla V: New law helps citizens to choose secure products

Important steps
The law, known as the … PSTI act, will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks. [It] also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue (whichever is higher).

The NCSC has produced a ‘point of sale’ … leaflet for retailers to distribute in-store to their customers. … The reverse side of the leaflet explains the important steps consumers should follow before they start using their smart devices.

Wait. Pause. How much is that fine? Actually, starglider would be king:

4% of … worldwide revenue.
This is the key point and actually means manufacturers will actually comply with the law. If I were king for a day, I’d pass a law that every regulatory body in the US must only communicate fines as a percentage of … revenue.

Instead of “We fined Facebook ELEVENTYGAGILLION DOLLARS,” … the news alert would have to read, “We fined Facebook 0.00002% of global revenue uh screw it, nevermind.”

But will consumers care? hoola’s comment needed a little Bowdlerizing:

Whilst people continue to buy and setup all this ***** without a care in the world, because it enables them to see who is at the door, switch the oven on, view the dog or power up a ********, nothing will change. … I simply don’t give a **** if I can see who is at the door when I am out or know what the temperature of the fridge is on an app. If it is any of the **** delivery people they just leave it on the doorstep anyway. Having a recording of them doing it is worthless.

And will manufacturers take notice? laughingskeptic sounds slightly skeptical:

Many IoT widgets are delivered with test code compiled-in that has comments … along the lines of /* DO NOT DELIVER THIS CODE */. I have seen releases where this happened, hackers took advantage, the test code was removed and then a year later reappears in an update.

IoT product vendors spend more money on their box design than they do on the contract engineers that deliver the source code for their widget. There is some minimal level of QA that they need to be held responsible for or this is not going change.

Is that entirely fair? JoeAltmaier was one such contractor:

Good luck! I tried to put a password on a device I contracted to make.

Just the serial number: The installer reads it off and types it into their phone. Simple! Different for every device! The manufacturer said, “Too much trouble for the installers. Just leave it open.”

Sigh. I compromised, made the Bluetooth connection work for 10 minutes after power-up, to give the installer time to … initialize the device. … They accepted that. It was something, … at least the window of vulnerability was smaller.

Remind me why I should care? Because hacked IoT things can be misused as proxies, as close reminds us:

If you don’t hold responsible the companies who abuse their services, they will keep abusing their services.

Your device could be facilitating pedophiles and terrorists (for real). Any software that allows your device to be used without your knowledge as storage, processing, or traffic of other people’s data should come with a disclaimer where you have to type, “I understand that my device can now be used for traffic, processing, or storage of other people’s data including illegal purposes.”

Meanwhile, u/iprocrastina takes the red eye:

Damnit, now I have to change the combination on my suitcase lock next time I go to the UK.

And Finally:

Ask your parents

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: John Cameron (via Unsplash; leveled and cropped)

Recent Articles By Author


文章来源: https://securityboulevard.com/2024/04/uk-iot-psti-act-richixbw/
如有侵权请联系:admin#unsafe.sh