A new United Kingdom cybersecurity law requires Apple and other smart device makers to enhance security protections or face massive penalties.
The legislation, known as the Product Security and Telecommunications Infrastructure (PSTI) Act, requires all internet-connected smart devices to meet minimum security standards.
Manufacturers will be legally required to protect consumers by preventing hackers and cyber criminals from accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce such laws.
The law mandates three major changes in current security measures: the elimination of default passwords, a clear protocol for reporting security vulnerabilities, and detailed consumer information on the length of product support and software updates. All companies manufacturing or selling smart devices in the UK must obey the new rules.
Under the new regime, manufacturers will be banned from shipping devices with weak, easily guessable default passwords like ‘admin’ or ‘12345’, and if a device uses a common default password the user will be prompted to change it on start-up. This will help prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS, leading to disruption to customers.
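To make the default-password requirement concrete, here is an added illustration (not code from the article, the Act, or any manufacturer) of how a device's first-boot logic can enforce it: a known-default or trivially weak password blocks the management interface until the owner picks an acceptable one, and a per-device unique factory password is generated instead of a shared value such as ‘admin’. The denylist, the `DeviceState` model, and the function names are assumptions made for the example.

```python
import secrets
import string

# Constructed denylist of factory-default and trivially guessable passwords.
# A real product would load a much larger, maintained list (assumption for this example).
DEFAULT_PASSWORDS = {
    "admin", "12345", "123456", "password", "root", "default", "user", "guest", "1234",
}

MIN_LENGTH = 8


def password_problems(candidate, serial=None):
    """Return the list of policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(lowered)) <= 2:
        problems.append("uses too few distinct characters")
    # Serial numbers are printed on the device and often appear in scans, so they must not be reused.
    if serial and serial.lower() in lowered:
        problems.append("contains the device serial number")
    return problems


def generate_unique_default(length=12):
    """Per-device factory password (unique, printed on the label) instead of a shared 'admin'."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class DeviceState:
    """Minimal (hypothetical) model of a device's credential state across first boot."""

    def __init__(self, serial, factory_password):
        self.serial = serial
        self.password = factory_password
        # A common default must be replaced before the management interface is exposed.
        self.must_change = factory_password.lower() in DEFAULT_PASSWORDS

    def management_enabled(self):
        """The network management interface stays off while a change is still required."""
        return not self.must_change

    def set_password(self, new_password):
        """Apply the policy; returns the list of problems, empty on success."""
        problems = password_problems(new_password, self.serial)
        if problems:
            return problems
        self.password = new_password
        self.must_change = False
        return []


def first_boot(device, user_choice):
    """Simulate the start-up prompt. Returns (accepted, problems)."""
    if not device.must_change:
        return True, []
    problems = device.set_password(user_choice)
    return (not problems), problems


if __name__ == "__main__":
    legacy = DeviceState("SN0001", "admin")          # constructed serial and shipped default
    print("management enabled before change:", legacy.management_enabled())
    print("weak choice accepted:", first_boot(legacy, "12345"))
    print("strong choice accepted:", first_boot(legacy, "Tr0ub4dor&3!"))
    modern = DeviceState("SN0002", generate_unique_default())
    print("unique factory password needs no forced change:", modern.management_enabled())
```

The two paths show the difference the Act targets: a device shipped with a shared default cannot be reached over the network until its owner replaces it, whereas a device shipped with a unique per-unit password is usable immediately without exposing a guessable credential.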
Apple will be required to review how its devices comply with the enhanced security measures. While Apple devices do not use default passwords, it will need to clearly communicate the duration of security support to customers in the UK. Affected companies are expected to establish or refine their contact points for security issue reporting.
Apple retail stores will be required to provide customers with information at the point of sale about how these cybersecurity requirements apply to the devices they purchase. Non-compliance with the new rules could result in fines of up to £10 million ($12.5 million USD) or 4% of the offending company’s global turnover.