According to the update, manufacturers will have to make it easier for people to report security issues. The PSTI now also requires them to set clear expectations about when those who report an issue can expect an acknowledgment and subsequent status updates. Violations of the law can result in fines of up to £10 million (about $12.5 million) or 4 percent of the company's “qualifying worldwide income,” whichever is greater.
The law would apply to a wide range of products, but a big target here would likely be IoT devices like smart TVs, smart plugs, or smart speakers. Many of these, particularly the cheaper and more widely traded ones, end up as targets online thanks to lax security practices, which made them part of devastating attacks like the Mirai-based DDoS botnet seen years ago. The law doesn't necessarily address all of those practices, but bad default passwords are low-hanging fruit that needs to be addressed.
In the US, the FCC is trying something similar with its upcoming Cyber Trust Mark program. Like the federal Energy Star program, the Cyber Trust Mark logo indicates which products meet the program's requirements, including strong default passwords.
But like Energy Star, no one is forcing companies to adopt it. And while Energy Star has clear and explainable benefits, like lower utility bills, it's a little harder to make clear that a smart light bulb connected to your router can pose a security risk to your other devices, so it's hard to know how effective it will be when it comes into force.