New UK Connected Device Act comes into force to protect IoT devices, but more work is needed

In response to the growing threat posed by insecure digital devices, the Product Security and Telecommunications Infrastructure Act (PSTI) arrives on Monday 29th April, requiring manufacturers, importers and distributors to ensure that minimum cybersecurity requirements are met for any digitally connected product or telecommunication infrastructure in the UK.

Ahead of the Act coming into force, Kaspersky Principal Security Researcher, David Emm, welcomes the new requirements for IoT devices but believes more has to be done to protect consumers: “The new PSTI Act seeks to give teeth to the 2018 Code of Conduct for consumer IoT, which laid out 13 recommendations for manufacturers of IoT devices – items like routers, cameras and smart home devices, all of which are multiplying every year with Statista predicting they will exceed 29 billion by 2030”, explains Emm. “The recommendations clearly haven’t provided enough incentive for manufacturers to secure these devices, and for that reason, the Act is welcome. However, it is a shame that not all 13 have found their way into the legislation, with only 3 being given legal force.”

As these connected device numbers increase, so too does the need for protection against various threats which follow two main infection routes: brute-forcing weak passwords and exploiting vulnerabilities in network services. Compelling retailers to improve the complexity of passwords by law, and providing information on how to report security issues is a huge step forward, but it still needs to go further.

Recent Kaspersky research found that Distributed Denial of Service (DDoS) attacks orchestrated against network services through IoT botnets were in high demand among hackers. In the first half of 2023, Kaspersky analysts identified over 700 ads for DDoS attack services on various dark web forums, with the cost of these services ranging from £15 per day to £8,000 per month. Over the same period, Kaspersky honeypots recorded that 97.91% of password brute-force attempts focused on Telnet, the popular unencrypted IoT text protocol.

“It is positive that the Act is requiring manufacturers to say how long they will support the product for,” Emm continued. “However, as things stand, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point-of-sale. We urge legislators to consider the implications of this in the light of a complex threat landscape.”

Whilst the new Act is a welcome update, it remains very important for people to take their own precautions when it comes to safeguarding themselves against cyber threats. Emm concludes: “Do not assume the new legislation is enough to protect your connected activities. We advise that all customers use two-factor authentication where possible on their connected devices, in addition to enabling encryption on their home routers. These are just two examples of how people can protect against cyber risk. Further actionable advice on securing home networks can be found here.”

The PSTI Act, which passed into law on 6 December 2022, will come into full force on 29th April 2024, ushering in a new era of accountability and protection in the digital realm.
