The UK Government has this morning announced that new laws designed to help protect consumers from cyber criminals, for example by requiring that network devices such as broadband ISP routers receive greater protection (e.g. regular security updates and stronger default passwords), have finally come into force.
The related Product Security and Telecommunications Infrastructure Act (PSTI) received royal assent in late 2022, which among other things included measures to make broadband and mobile infrastructure sharing, as well as network upgrades and related dispute resolution, easier to deliver (see our summary). But those elements, which involve changes to the Electronic Communications Code (ECC), are being implemented separately via Ofcom.
The PSTI also included measures to implement many of the original Secure by Design proposals (i.e. ensuring connected devices are better able to resist cyberattacks), which introduce tougher security standards for device makers and the ability to hit those that fail to comply (both retailers and manufacturers) with financial penalties.
Some examples of the changes include banning easily guessable default passwords (“admin”, “123456” etc.), as well as prompting users to change the default password, not to mention improved support for security issues and a requirement for related network products to state how long they will be supported by vital security patches (firmware updates).
Some of the Improved Security Protections
➤ Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking.
➤ Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with.
➤ Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates.
The changes touch everything from consumer broadband routers to phones, TVs, game consoles, internet-connected fridges and smart doorbells etc. The government allowed the industry a couple of years to adapt to all this, but from today the manufacturers of all such devices will be required, by law, to implement minimum security standards against cyber threats.
The hope is that these measures will help to prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features – including routers from various ISPs, like TalkTalk and KCOM etc. (here and here) – and used to attack major internet platforms and services. Since then, similar attacks have occurred on UK banks including Lloyds and RBS, leading to disruption for customers.
The government claims that the new regime will help to give customers confidence in buying and using products, “which will in turn help grow businesses and the economy.”
Julia Lopez, UK Data and Digital Infrastructure Minister, said:
“Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.
Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”
The government added that consumers and cyber security experts can also help by playing an “active role in protecting themselves and society from cyber criminals” by reporting any products which don’t comply to the Office for Product Safety and Standards (OPSS). But take note that the government is also beginning the legislative process for certain automotive vehicles to be exempt from the product security regulatory regime, as they will instead be covered by alternative legislation.
The changes might also have an impact on cheaper imported products, which might not normally adhere to UK rules as closely as they perhaps should. In addition, it’s possible there may be some problems around retailers that need to sell older stock, which might not offer the same length of support to those who buy them.
The UK Product Security and Telecommunications Infrastructure (Product Security) regime
https://www.gov.uk/../the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
Making companies selling these devices have in the instruction manual in big letters “Only use your guest network for this device” would be more beneficial.
The catch being that a lot of people may not have that feature or know how to set it up.
The issue with that is guest networks have client isolation, which breaks many things.
Seems utterly pointless to me. Routers are attacked due to holes in the firmware, not always weak passwords. Leave the router plugged in and force updates from manufacturers. But then they’ll probably charge more for their equipment.
And what planet is this government on (don’t answer), expecting consumers to report to them which routers are not following their guidelines? How is Jo Bloggs going to know that! I think they need some context on that, as it reads as all members of the public, not just the tech savvy ones.
@Me I agree that many of these software updates and security changes can seem pointless or unnecessary, especially for tech-savvy individuals who have a deeper understanding of how technology works. However, we must acknowledge that a significant portion of consumers lack this level of technical knowledge, leaving them unaware of the intricacies involved in maintaining a secure computing environment.
The saying “Perfect is the enemy of good” is particularly relevant in this context. While these updates may not represent a perfect solution, they are incremental steps toward improving overall security. Even seemingly small changes can contribute to a more robust security posture, especially when targeting a broad consumer base with varying levels of technical expertise.
It’s important to recognise that cyber threats are constantly evolving, and the need for continuous enhancements and updates is crucial. What may appear insignificant to some could be a critical safeguard for those less knowledgeable about potential vulnerabilities and attack vectors. By embracing these regular updates and security improvements, we can collectively raise the bar for online safety and protect those who may not fully comprehend the underlying complexities.
@Anonymous, yes, very well said. In my mind I was thinking yes, they can change the default passwords etc., but the key thing will be those security updates which router manufacturers release, or should, anyway. However, I guess I’m missing the fact that many ISP routers do not receive regular updates. And a lot of people plug those in and use them as default and never change them. So your reply is very relevant.
A few things they should change: Universal Plug and Play should be off by default. Some are on but some are off; they should all be off. Especially ISP routers like Vodafone’s Wi-Fi Hub, where it’s on by default. Universal Plug and Play is a major security risk.
Sorry for the spelling.
They likely leave it enabled because certain devices/services can have issues if port forwarding isn’t enabled e.g. IoT, games, etc.
Remember, we’re talking about devices aimed at the general consumer.
The problem with “weak default passwords” is as much the “default” as the “weak”. Devices need to insist a user sets a strong password on first usage. Good point about the UPnP. Damn thing should have been strangled at birth.
May I just say?
“LOVE THIS PHOTO!”
Thanks
Ditto! I feel seen!
You can thank Microsoft Copilot’s / Dall-E 3 AI image generation for that one, it gave me plenty of good options to work with :).
Security begins at home, use pfsense or opnsense.
Indeed. Give that to your average home broadband customer: what could go wrong?
KISS.
I would sooner recommend a decent consumer orientated router with decent update support and features for the typical consumer over those two.
For example, Asus on their higher end routers seems ok; at least my parents’ RT-AC68U has received a decade’s worth of support so far.
Even then though, I expect most people to just use the ISP router as the gateway.
Little bit extreme, just a little, for the millions of non tech savvy Joe Bloggs in the UK.
I have to agree with tech3475: routers’ support and updates for longer; instead of 3 years it should be 5 to 6 years’ support.
Keeping the routers and modems turned off until you need them would assist security (as well as the electricity bill). The less time they are on, the less time some wrong’un can attempt to break in.
Have any of these comms devices got a standby mode in which they don’t respond to requests from outside the home network and from which they can only be aroused to action by a validated request coming from a device on the home network? Like WOL with desktops, in reverse, i.e. turning on your desktop, laptop, tablet or phone wakes the comms device. Perhaps a request for the supply of a second factor authorisation from another device (a dedicated key-pad or another device at your home that is connected to the home network could generate a random number authorising the comms device start-up).
My ISP supplied router had none of the above. Additionally, it was burning so much power that it heated the room in winter and tested the function of the air con in summer. So I swapped it out for a separate modem and router, both of which run without generating any perceivable heat (5 microprocessor cores now doing the work done by one previously).
Answering this fully would be a very lengthy process as there are a lot of things to cover.
No device inside a home network will accept requests from outside unless an inside device opens the path first. Requests won’t reach them, they’ll be stopped by the router.
Neither modems nor routers should be reachable from outside. Modems shouldn’t be able to route outside and should only answer on the local network with no gateway; routers should never accept connections from the Internet, only forward them.
Switching the modem and router off will accelerate their failure but is unlikely to add security. We are all constantly probed.
This might have been practical a couple of decades ago, but these days, with the increased reliance on the internet, this could potentially cause more problems than it solves. For example, streaming, communication (VOIP, iMessage, WhatsApp, etc.), IoT, etc.
It could also potentially stop software updates being installed, which ironically could also decrease security.
Although there may be ways to do it such as parental controls, adjusting firewall settings, etc.
As for the power usage, I’d expect newer SoCs to be more power efficient, although I wouldn’t rely on heat alone and would instead get an actual power meter or, if supported, monitor the actual processor, e.g. whether it underclocks.
Really, was it a class A amp?