This week, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act went into effect. The law introduces significant cybersecurity measures to protect consumer connected devices, like smart TVs and appliances, from cyber threats. This legislation mandates stringent requirements on manufacturers, importers, and distributors to ensure the security of devices capable of connecting to the internet.
One of the key components of the PSTI is the new password requirements. The regulations stipulate that all new devices must feature unique passwords or allow users to set their own. Additionally, these passwords cannot be simple or derived from readily accessible information, such as serial numbers, unless they are encrypted using industry-recognized methods. This measure aims to eliminate common vulnerabilities associated with weak default passwords that are often targeted by hackers.
This law is a step in the right direction, but it does not go far enough to protect consumer data. Device passwords are targeted by hackers to take over the device remotely and then use it for their own purposes, like accessing the camera and microphone to spy on you.
But your viewing data and habits are not only available on the device itself; they are also available via API. The principles of securing access through strong authentication are the same. API vulnerabilities often stem from inadequate security measures like weak authentication, which can be mitigated by enforcing stronger password policies and encryption, similar to what the PSTI requires for devices.
While the PSTI does enhance security for devices, its direct impact on improving API security is limited since the act does not specifically address API management practices. But the same issues abound with APIs – missing or weak default password requirements. Moreover, APIs often have other misconfiguration issues, like transmitting more personal data than is necessary to the requester.
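As an added example (not code from the original post), the two checks the post contrasts, sketched in Python: a factory default password validated against PSTI-style rules, and an API response trimmed to an allow-list of fields so no more personal data than necessary leaves the server. The specific rules, the minimum length and the weak-default list are assumptions for illustration, not the statutory text.

```python
import re

# Constructed list of well-known weak defaults for the example; a real build
# would check against a maintained blocklist of common passwords.
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", "letmein"}


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def check_default_password(password: str, serial: str, mac: str,
                           min_len: int = 12) -> list[str]:
    """Return the reasons a factory default password fails PSTI-style rules.

    Rules (an approximation chosen for this example, not the legal text):
    - at least min_len characters (assumed threshold)
    - not a well-known default
    - not containing the device serial number or MAC address, forwards or reversed
    """
    problems = []
    pw = _normalise(password)
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw in COMMON_DEFAULTS:
        problems.append("well-known default password")
    for label, ident in (("serial number", serial), ("MAC address", mac)):
        ident_n = _normalise(ident)
        if len(ident_n) < 4:  # too short to be a meaningful substring match
            continue
        if ident_n in pw or ident_n[::-1] in pw:
            problems.append(f"derived from the device {label}")
    return problems


def minimize_response(record: dict, allowed_fields: set[str]) -> dict:
    """Return only the fields the requester is entitled to (allow-list, never deny-list)."""
    return {key: value for key, value in record.items() if key in allowed_fields}


if __name__ == "__main__":
    # Constructed sample device and account record.
    print(check_default_password("SN12345678ABC", "SN-12345678-ABC", "00:11:22:33:44:55"))
    account = {"device_id": "d-1", "email": "viewer@example.invalid",
               "watch_history": ["news", "sport"], "payment_token": "tok_xyz"}
    print(minimize_response(account, {"device_id", "watch_history"}))
```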
The new law is a step in the right direction, focused on improving hardware and firmware. But it’s incomplete without also addressing software and connectivity.