UK law to ban default IoT passwords

William Payne
February 27, 2020



The British Government has introduced legislation to ban default passwords in IoT devices. According to the UK's Minister for Digital Security, Matt Warman, the measures are intended to increase popular trust in IoT technology and devices, and help accelerate their use throughout society.

The UK Government believes that the current security standards of many IoT devices are low and that the security and privacy risks are too great.

Matt Warman described the new legislation as "pro-innovation regulation". 

Responsibility for ensuring the new measures are implemented is to fall on both the firms that manufacture internet-connected devices and those that stock them.

The new measures require that all IoT passwords pre-programmed in internet-connected devices must be unique and not resettable to any universal factory setting.

They also place a responsibility on manufacturers of IoT devices to make sure a public point of contact is always available as part of a disclosure policy so any security vulnerabilities found with the device can be reported quickly.

"Too often manufacturers do not state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online, meaning people’s devices might not be safe. The new rules will make this a thing of the past," said Mr Warman.

According to Mr Warman, "Robust standards will be built in from the design stage and mean people have confidence in the power of technology to improve people’s lives."