IoT Device Cybersecurity: PSTI Act 2024, Default Password Rules and Advice Installers Should Give Clients
Quick Answer: The UK Product Security and Telecommunications Infrastructure (PSTI) Act 2024 (effective 29 April 2024) requires consumer IoT devices sold in the UK to meet three mandatory security requirements: no universal default passwords, a published vulnerability disclosure policy, and transparency about the minimum security update period. Installers should confirm that devices being specified carry UKCA marking or evidence of PSTI compliance, change any remaining default credentials at commissioning, and advise clients to update device firmware before handover.
Summary
Smart home devices — cameras, doorbells, smart locks, smart speakers, thermostats, and the routers and hubs that connect them — are among the most commonly compromised devices in UK household networks. Unlike computers and phones, which receive regular security patches and operating system updates, many IoT devices are configured once during installation and never touched again. Security vulnerabilities accumulate, firmware goes unpatched, and default credentials remain unchanged for years.
The PSTI Act 2024 established the UK's first binding legal framework for IoT device security. From April 2024, manufacturers, importers, and distributors of consumer connectable products in the UK are required to meet minimum security standards or face fines of up to £10 million or 4% of global turnover. This shifts legal responsibility towards the supply chain, but installers who specify and commission smart home equipment still have a duty-of-care obligation to clients to deliver a secure installation.
For residential tradespeople, the practical implication is straightforward: specify PSTI-compliant devices, change default passwords at commissioning, segment IoT devices onto their own VLAN, and hand the client a written record of what was installed, what credentials were set, and where to check for firmware updates.
Key Facts
- PSTI Act 2024 (Product Security and Telecommunications Infrastructure Act) — primary UK legislation for IoT device security; effective 29 April 2024; administered by OPSS (Office for Product Safety and Standards)
- PSTI mandatory requirements — three obligations for all covered consumer connectable products:
- No universal default passwords (each device has a unique password, or user must create one on first use)
- Published vulnerability disclosure policy (manufacturer provides a point of contact for reporting security vulnerabilities)
- Stated minimum support period (manufacturer must declare how long security updates will be provided)
- UKCA marking — from 1 January 2025, PSTI-compliant products carry UKCA marking; pre-existing CE-marked products in stock can be sold through stock until exhausted
- Covered products — smartphones, tablets, smart TVs, smart speakers (Alexa, Google Home), IP cameras, doorbells, baby monitors, smart locks, routers, Wi-Fi extenders, smart home hubs, and any internet-connectable device; excluded: medical devices, smart meters, EV chargers (covered by other regulations)
- Non-compliant products — OPSS can order product withdrawals and issue civil penalties; manufacturers and importers face enforcement action; distributors (including trade installers) who supply non-compliant products may face liability
- Default password — a pre-set credential shared across all devices of the same model; e.g. "admin/admin" or "admin/1234"; explicitly prohibited by PSTI; non-compliant devices from pre-2024 stock still exist in distribution
- Credential hygiene — changing default passwords, disabling unused admin ports, disabling UPnP on routers; basic steps that dramatically reduce attack surface
- Firmware update — manufacturer's mechanism for patching security vulnerabilities; updates should be applied before installation and kept current; auto-update settings should be enabled where available
- Network segmentation — placing IoT devices on a separate VLAN from personal data devices; prevents a compromised camera or smart speaker from accessing a client's laptop, NAS, or banking sessions
- WPA3 — current Wi-Fi security standard (replaces WPA2); provides stronger encryption and forward secrecy; all new Wi-Fi APs and smart home devices from 2020+ should support WPA3
- Port forwarding — opening a router port to allow external access to a device; creates significant attack surface; advise clients against enabling port forwarding for cameras or smart home systems; use VPN instead
Quick Reference Table
Spending too long on quotes? squote turns a 2-minute voice recording into a professional quote.
Try squote free →| Security Practice | Why It Matters | Installer Action |
|---|---|---|
| Unique device passwords | Prevents bulk brute-force using leaked default credentials | Change during commissioning; document securely |
| Firmware update | Patches known security vulnerabilities | Apply latest firmware before handover; enable auto-update |
| Network segmentation (VLAN) | Compromised IoT device can't access personal data | Implement IoT VLAN during network setup |
| WPA3 Wi-Fi | Stronger encryption protects network access | Configure WPA3 on IoT Wi-Fi SSID |
| Disable UPnP on router | Prevents IoT devices from automatically opening firewall ports | Disable in router admin settings |
| No port forwarding | External attacks can't reach cameras/devices directly | Use VPN or manufacturer cloud relay instead |
| Two-factor authentication | Secures manufacturer cloud accounts for cameras, doorbells | Enable on all manufacturer app accounts at handover |
| Documented credentials | Client can update passwords and access devices after handover | Provide handover document with all device access details |
Detailed Guidance
PSTI Act: What Installers Need to Know
The PSTI Act primarily targets manufacturers, importers, and distributors. Installers who purchase from UK retailers and distributors are at the downstream end of the supply chain, but several implications are relevant:
Specifying compliant products: From April 2024, any new IoT device brought to market in the UK should be PSTI-compliant. However, pre-existing stock (pre-2024 manufactured products) may still be in distribution. When specifying products, verify that the manufacturer has published a PSTI compliance declaration (available on the manufacturer's website for compliant products).
Compliance evidence: The PSTI Act requires manufacturers to provide a Statement of Compliance. For products sold in UK retail, compliance should be assumed for purchases after April 2024 from reputable UK distributors. For grey-market or direct-import products (particularly from Chinese marketplaces), verify compliance independently.
Liability exposure: An installer who knowingly supplies and installs a non-compliant product could face OPSS enforcement action. More practically, if a non-compliant device is compromised and causes harm (e.g. a security camera is hacked and footage is accessed by an attacker), the installer may face civil liability for supplying inadequate equipment.
Commissioning Security Checklist
Follow this security checklist at commissioning for every smart home installation:
Before installation:
- Verify all devices are from reputable UK distributors and purchased post-April 2024 (or have confirmed PSTI compliance)
- Check manufacturer website for pending firmware updates; download latest firmware
During commissioning: 3. Change default admin passwords on all devices that allow it; set unique, strong passwords (minimum 12 characters, mixed case + numbers + symbols) 4. Change default Wi-Fi network names (SSIDs) from router-supplied defaults (e.g. "SKY12345") to a network name that doesn't identify the household 5. Create separate IoT Wi-Fi SSID (or VLAN) for smart home devices; give it a different password from the household Wi-Fi 6. Disable UPnP on the main router; check each device's admin interface for enabled port forwarding and disable it 7. Enable auto-firmware update on all devices that support it 8. Enable two-factor authentication on all manufacturer cloud accounts (camera apps, smart home apps, router admin)
At handover: 9. Provide a written handover document with: list of all devices installed; access credentials (stored securely — not in plain text email); instructions for firmware update checking; manufacturer contact details for security issues
Specific Device Security Concerns
IP cameras and doorbells: Historically the most compromised IoT category. Pre-PSTI budget cameras (Reolink, TuYa-branded, unbranded cameras) frequently had universal admin/admin or 123456 default credentials. Post-PSTI, verify unique default credentials or forced password change on first use. Advise against port forwarding for remote access — use the manufacturer's encrypted cloud relay or a client VPN instead.
Smart speakers (Amazon Echo, Google Nest): These devices capture audio in the home. The security risk is primarily the manufacturer's cloud infrastructure and data privacy rather than local network security. Advise clients about:
- Reviewing the device's microphone access settings and data retention options
- Ensuring the device is on the IoT VLAN, not the main household VLAN where it could interact with other devices
- Voice purchasing controls (PIN required for purchases via Alexa)
Smart locks: A compromised smart lock is a physical security issue, not merely a data issue. Verify the lock vendor has a strong security track record; prefer locks with offline code backup (ability to operate without connectivity); ensure the app account has 2FA enabled.
Smart routers/mesh systems: The router manages the entire network. Prioritise router security above all other devices: change admin credentials, keep firmware updated, enable WPA3, disable unused admin interfaces (Telnet, SSH if not needed), and use a strong, unique Wi-Fi password.
GDPR Considerations for Smart Home Cameras
Smart security cameras that capture images beyond the property boundary (public street, neighbour's garden) involve personal data processing under UK GDPR. While installers are not data controllers, they should advise clients:
- Position cameras to minimise capture of public areas or neighbouring properties
- Display a privacy notice sign if cameras cover public spaces (required by ICO guidance)
- Check the camera manufacturer's privacy policy regarding cloud storage and data retention
- Register with the ICO as a data controller if using cameras beyond domestic/household purposes
See smart security camera installation and GDPR for detailed guidance on CCTV compliance.
Advising Clients: What to Say at Handover
Clients rarely think about IoT security beyond "does it work?" The handover conversation should include:
What to tell clients:
- "I've changed the default passwords on all your devices. The list of credentials is in this handover document — keep it somewhere safe, not in your email inbox."
- "All your smart home devices are on a separate network from your computers and phones. If anything gets hacked, it can't access your personal data."
- "The cameras are accessed through the app — do not enable port forwarding on your router, as that would expose the cameras directly to the internet."
- "Firmware updates are set to automatic where possible. For [specific devices that require manual updates], check for updates in the app every few months."
- "Two-factor authentication is enabled on your [camera app, smart lock app] accounts. You'll need your phone to log in."
Frequently Asked Questions
Which types of devices are NOT covered by the PSTI Act?
Products excluded from PSTI requirements include: smart meters, large-scale connected industrial products, medical devices, vehicles, and products already covered by other security regulations (e.g. EV chargers, desktops, laptops). The Act focuses on consumer connectable products — devices sold to individuals for personal use in the home.
Can I still sell and install pre-2024 stock that may not be PSTI-compliant?
Manufacturers, importers, and distributors are responsible for compliance. Pre-2024 stock in legitimate UK distribution channels was legal when manufactured/imported and can continue to be sold through. However, given the liability risk of installing non-compliant equipment (particularly security cameras), installers should transition to confirmed-compliant products as existing stock depletes.
Does PSTI compliance mean a device is secure?
No — PSTI sets a minimum baseline (no universal default passwords, vulnerability disclosure policy, stated update period). Many compliant devices still have vulnerabilities in firmware, inadequate encryption, or insecure cloud backends. PSTI compliance is a floor, not a ceiling. Installers should additionally assess whether a manufacturer has a credible security track record.
What should I do if a client's existing device doesn't meet PSTI standards?
Document it in the handover and advise the client. If the device was installed before April 2024, it may be pre-PSTI stock. Recommend the client apply any available firmware updates, change default credentials, and consider replacement when the device reaches end-of-life. If the device has a known unpatched vulnerability, advise immediate replacement.
Regulations & Standards
Product Security and Telecommunications Infrastructure (PSTI) Act 2022 — primary legislation; came into force 29 April 2024; enforced by OPSS
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 — the secondary legislation setting out the three mandatory security requirements
UK GDPR / Data Protection Act 2018 — applies to CCTV cameras capturing images of individuals; residential CCTV for domestic household use is exempt but cameras covering public spaces are not
ICO CCTV Code of Practice — guidance for residential and small business CCTV compliance
OPSS — PSTI Act Guidance for Manufacturers and Businesses — official compliance guidance
NCSC — Security Guidelines for Smart Devices — National Cyber Security Centre guidance on securing smart home devices
ICO — CCTV and Smart Cameras — ICO guidance on residential CCTV and GDPR
ETSI EN 303 645 — the international consumer IoT security standard that PSTI is based on
smart security camera installation — CCTV positioning, PoE wiring, and GDPR requirements
home networking and VLAN segmentation — the network infrastructure that isolates IoT devices
commissioning and handover documentation — documenting credentials and security settings at handover
voice control integration — privacy considerations for smart speakers and voice assistants