Everything you need to know about the Product Security and Telecommunications Infrastructure Act

IoT Security concept image showing interconnected devices linking on a digital interface.
(Image credit: Getty Images)

With the UK’s Product Security and Telecommunications Infrastructure Act (PSTI) set to come into force at the end of April, security experts are urging organizations to prepare for the new legislation. 

Informally known as the Connected Devices Act, the new rules will set out minimum cyber security requirements for all digitally connected products or telecommunications infrastructure across the country.

The legislation builds on the voluntary Code of Conduct for consumer IoT products introduced in 2018. These initial guidelines failed to deliver impact or significantly improve security of connected products, lawmakers said.

However, the new rules will affect a broad array of products ranging from IoT devices and smart televisions, to Wi-Fi routers and even connected cars.

The legislation comes amid a period of heightened security threats for connected device users globally. Recent research from Kaspersky found hackers are increasingly carrying out Distributed Denial of Service Attacks (DDoS) attacks against network services through IoT botnets.

In the first half of 2023, analysts spotted more than 700 ads for DDoS attack services on various dark web forums, with the cost of these services ranging from £15 per day to £8,000 per month.

Over the same period, Kaspersky honeypots recorded that nearly 98% of password brute-force attempts focused on Telnet, the popular unencrypted IoT text protocol.

Here’s everything you need to know about the new Connected Devices Act.

Product Security and Telecommunications Infrastructure Act: Key requirements

The act sets out three main requirements, relating to passwords, vulnerability reporting, and record-keeping and disclosure, with the penalty for serious examples of non-compliance set at £10 million or 4% of the company’s worldwide revenue.

Passwords must either be unique to each individual product, or capable of being reset by the user. They mustn't be based on incremental counters or publicly available information.

Nor can they be based on, or derived from, unique product identifiers such as a serial number, unless that's done using an encryption method or keyed hashing algorithm that's accepted as part of industry best practice.

Meanwhile, manufacturers must provide information on how to report product security issues - as well as information on how long they'll take to acknowledge receipt of the report.

They must also give status updates until the situation's resolved. This information should be made available without prior request in English, free of charge, and should be accessible, clear, and transparent.

There's also a focus on security updates, which must be published and made available to the consumer in a clear, accessible, and transparent manner.

Connected Devices Act: What do security experts think?

David Emm, principal security researcher at Kaspersky, said the introduction of the new rules marks a positive step toward improving connected device security. 

Manufacturer reporting rules, he noted, are a welcomed aspect of the Act, but will require robust enforcement if they are to have a tangible positive impact on consumers and users of connected devices.

"It is positive that the Act is requiring manufacturers to say how long they will support the product for," he said.

"However, as things stand, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point-of-sale.

RELATED WHITEPAPER

“We urge legislators to consider the implications of this in the light of a complex threat landscape."

Cade Wells, business development director at CENSIS, echoed Emm’s comments, adding that the legislation “underscores the UK government’s commitment to strengthening the security of consumer-connectable devices”.

“By banning default or easy-to-guess passwords, requiring a statement of the minimum period during which security updates are provided as part of a product ,and mandating vulnerability disclosure policies, the legislation aims to safeguard consumers from potential cyberattacks,” he said.

For some, the Act doesn't go far enough, with only three of 13 recommendations actually adopted.

Consumer group Which?, for example, has called for it to be extended to online marketplaces, and suggested that the provisions on update support should mandate how long different types of products should be supported as a minimum.

Meanwhile, the consumer group said it should be clearly set out that owners of an insecure smart device should be able to argue it is faulty and then get a refund or replacement, as per their legal rights under the Consumer Rights Act 2015.

Other omissions include a requirement to provide secure communications over the internet.

"The recommendations clearly haven’t provided enough incentive for manufacturers to secure these devices, and for that reason, the Act is welcome," Emm said. "However, it is a shame that not all 13 [recommendations] have found their way into the legislation, with only three being given legal force."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.