UK's new Act boosts security of digital devices & telecom infrastructure
The United Kingdom's new legislation, the Product Security and Telecommunications Infrastructure Act (PSTI), has been enacted today to enhance the security of connected devices in response to the escalating threat posed by insecure digital devices. The Act requires manufacturers, importers, and distributors to ensure that minimum cybersecurity requirements are met for any digitally connected product or telecommunication infrastructure within the UK.
David Emm, Principal Security Researcher at Kaspersky, acknowledges the PSTI Act as a significant development that strengthens the 2018 Code of Conduct for consumer IoT. The code presented 13 recommendations for IoT device manufacturers, including those manufacturing routers, cameras, and smart home devices. The number of such devices is anticipated to surpass 29 billion by 2030, according to Statista's predictions. "The recommendations clearly haven't provided enough incentive for manufacturers to secure these devices, and for that reason, the Act is welcome. However, it is a shame that not all 13 have found their way into the legislation, with only 3 being given legal force," explained Emm.
As the number of connected devices escalates, the need for defence against threats has grown with it. These threats typically follow two main infection routes: brute-forcing weak passwords and exploiting vulnerabilities in network services. The Act calls for retailers to enhance password complexity and provide relevant information on reporting security issues. However, Emm considers that these measures need to be expanded.
Kaspersky's recent study revealed that distributed denial-of-service (DDoS) attacks performed via IoT botnets were highly sought-after by hackers. In the first half of 2023, Kaspersky analysts saw more than 700 ads for DDoS attack services on numerous dark web forums, with the cost of these services ranging from £15 per day to £8,000 per month. Concurrently, Kaspersky honeypots showed that approximately 97.91% of password brute-force attempts targeted Telnet, the widely used unencrypted text protocol on IoT devices.
"It is positive that the Act is requiring manufacturers to say how long they will support the product for," Emm argued. "However, as it stands, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point-of-sale. We urge legislators to think through the implications of this in the context of a complex threat landscape."
Emphasising the need for personal responsibility in protecting against cyber threats, Emm highlighted, "Do not presume the new legislation is enough to guard your connected activities. We advise all customers to utilise two-factor authentication where feasible on their connected devices, in addition to enabling encryption on their home routers. These are merely two instances of how individuals can shield against cyber risk."
Enacted on 6 December 2022, the PSTI Act was fully effective from 29 April 2024, signifying a new phase of digital accountability and protection.