From the BBC via Bruce Schneier: Huge fines and a ban on default passwords in new UK law

The headline is misleading - the law the UK is passing covers only IoT devices (the “S” in IoT stands for “security”), which are things like dishwashers, lightbulbs, or camera doorbells. Personally, I believe that this law should be applied at the federal level in the United States and expanded to “default passwords - period”: no hardware, software, or practice should come with a default password, under penalty of steep fines. It should be an easy ask, as the Biden administration (like administrations before it) claimed that improving information security would be a top priority.

IoT devices are notoriously cheaply made, with security as a complete afterthought, and loads of them have shipped with default passwords that the manufacturer leaves up to the consumer to a) know how to change and b) actually change. If they don’t, the Internet-connected device on their home (or business) network is essentially a new front door on a house where many, many people have the key.

But this really should be understood by people in the UK (and please, here in the USA too) as only a start. In the county I used to live in, the government one day opened a phone bill that was tens of thousands of dollars more than it should have been. What had happened was that, for years, that government’s IT department had been issuing its Cisco VoIP desk phones with the same voicemail password for every line. Whether they even bothered telling people that they could change their password, let alone that they should, is unclear. Someone from the Caribbean had started calling the lines after hours, trying standard voicemail PINs, and got in. They set several of the outgoing voicemail messages to something to the effect of, “Of course, I’ll accept the charges, operator,” then called back collect and made additional international calls from there.

The FCC issued a warning about this, but it would never have happened if default passwords had not been used to start with, or if users had been forced to change their PIN on first use.
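As an added example (not from the post, and not code from any phone system vendor), here is a small Python model of the controls the post argues for, applied to voicemail PINs: each line is provisioned with its own random PIN instead of one shared default, that PIN can only be used to set a new one, common PINs are refused, and repeated failures lock the line. The common-PIN list and the lockout threshold are assumed values.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed list of "standard" PINs a policy should refuse (assumption, not a real vendor list).
COMMON_PINS = {"0000", "1234", "1111", "2580", "4321", "0123", "123456", "000000"}
MAX_FAILURES = 5  # assumed lockout threshold


@dataclass
class VoicemailLine:
    extension: str
    pin: str
    must_change: bool = True   # provisioning PIN must be replaced before mailbox access
    failures: int = 0
    locked: bool = False


def provision(extension: str) -> VoicemailLine:
    """Each line gets its own random 6-digit PIN rather than one shared default."""
    return VoicemailLine(extension, f"{secrets.randbelow(10**6):06d}")


def pin_acceptable(line: VoicemailLine, new_pin: str) -> bool:
    """Refuse short, common, repetitive or unchanged PINs."""
    return (new_pin.isdigit() and len(new_pin) >= 6
            and new_pin not in COMMON_PINS
            and len(set(new_pin)) > 2                 # rejects 111111, 121212 ...
            and not hmac.compare_digest(new_pin, line.pin))


def login(line: VoicemailLine, pin: str) -> str:
    """Returns 'ok', 'change_required', 'denied' or 'locked'."""
    if line.locked:
        return "locked"
    if not hmac.compare_digest(line.pin, pin):   # constant-time compare
        line.failures += 1
        if line.failures >= MAX_FAILURES:
            line.locked = True                    # stops after-hours PIN guessing
            return "locked"
        return "denied"
    line.failures = 0
    # A provisioning PIN never reaches the mailbox; it only unlocks the change flow.
    return "change_required" if line.must_change else "ok"


def change_pin(line: VoicemailLine, current: str, new_pin: str) -> bool:
    if login(line, current) not in ("ok", "change_required"):
        return False
    if not pin_acceptable(line, new_pin):
        return False
    line.pin, line.must_change = new_pin, False
    return True
```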