When smart devices go bad

Furthermore, the UK Government has recognised that it is due to such vulnerabilities that major cyber threats can occur, such as the Mirai botnet cyber attack back in 2016, which was the largest coordinated IoT Distributed Denial of Service (DDOS) attack in history at the time. The attack was orchestrated through the use of what was estimated to be 100,000 compromised IoT devices to launch a DDOS attack, which disrupted the services of major organisations such as CNN and Netflix, as well as other large organisations in Europe and USA.

The UK has recognised that it needs to combat these risks (especially with the significant increase in smart devices), and has thus introduced the world’s first smart device laws protecting UK consumers from hacking and cyber-attacks, in the form of: the Product Security and Telecommunications Infrastructure Act 2022 (PSTI 2022), complemented by the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI 2023). These have set a new benchmark for product security and consumer safety. As of 29 April 2024, provisions of Part 1 of the PSTI 2022, together with the provisions of PSTI 2023 (collectively referred to as the "PSTI” below) have come into immediate effect.

What are the implications?

The PSTI establish a set of baseline security requirements for manufacturers, importers, and distributors of consumer connectable products, namely smart devices or IoT devices. They address the need for cyber protection, which includes aspects such as:

• Unique Passwords: Devices must be sold with unique passwords to prevent unauthorised access, but there are further caveats with regards to this, as illustrated below. Alternatively, the passwords must be defined by the user of the product.
• Security Update Information: Consumers must be informed about the duration of security updates.
• Vulnerability Disclosure: A clear point of contact must be provided for reporting vulnerabilities.

As a result, by way of example, it is now no longer possible for manufacturers, distributors and importers to have certain consumer products being made available which have:

• Generic passwords: guessable passwords like “password” or “admin” are prohibited.
• Incremental counter passwords: passwords like “password1” and “password2” are prohibited.
• Serial numbers as passwords: passwords based on, or derived from, unique product identifiers, such as serial numbers are prohibited (with certain limited exceptions where encryption or cryptographic techniques are used to prevent reverse engineering the password).

There are also obligations with regards to security assurance, as well as facilitating reporting of security vulnerabilities to manufacturers so that they can address them.

What does this mean for organisations?

Getting PSTI compliance wrong can result in both reputational and financial loss for organisations. The enforcement authority in respect of the PSTI is the Office for Product Safety and Standards (OPSS). The OPSS can issue fixed penalty fines for breaches of the PSTI of up to the greater of: (1) £10 million; or (2) 4% of the company’s global turnover. In addition to the significant fines mentioned, there can be additional daily fines of up to £20,000 per day, for each day that the breach continues beyond the date set for the payment of the fixed penalty fine.

From a reputational perspective, it can be a disaster for an organisation to lose consumer confidence in the security of its products, and this in itself could far exceed any fines, as it could give rise to the risks to the ongoing viability of a business.

Organisations will therefore, need to pay close attention to the requirements of the PSTI, as it is effective already. So, existing smart devices which are being imported or distributed, should have already been designed, manufactured and made available in accordance with it. When it comes to new smart devices which are being put on the market in the UK (irrespective of whether any payment is applicable for them by the consumer), they need to have met all of the compliance requirements (with only a limited exception to certain smart devices which fall outside the scope of the remit of the PSTI). This will require careful coordination between design, technical, engineering, compliance and legal teams, to appreciate the technical and legal requirements of the PSTI.

In addition to the in-built security requirements, there are obligations relating to the provision of Compliance Statements which must contain mandatory information, including details about the manufacturer and the support period for which the smart device will receive security updates. Importers and distributors of consumer smart devices will also be responsible for ensuring that they are not making available non-compliant products, by ensuring that they have been provided with appropriate Compliance Statements, and checking that they have no reason to believe that the respective products are non-compliant with the PSTI. The law therefore, clearly has supply chain implications for consumer smart devices.

Thus organisations in the supply chain, must ensure that they undertake appropriate due diligence and have contractual protection for certain of the risks which may manifest as a result of the PSTI.

How can we can help?

We have already been helping organisations get to grips with the PSTI. We can work closely with the in-house technical as well as legal or compliance teams of organisations to help decipher certain of the key legal requirements of the PSTI, to help them design and build their products in a manner which is required by the PSTI. We can also assist organisations with contractual protection, as part of the supply chain arrangements which they are involved in.

For further information, or if you would like to arrange a consultation, please feel free to contact us.