IoT Device Cybersecurity: PSTI Act 2024, Default Password Rules and Advice Installers Should Give Clients
Quick Answer: The Product Security and Telecommunications Infrastructure (PSTI) Act 2024, in force from 29 April 2024, makes it illegal to sell connectable IoT products in the UK that have universal default passwords, lack a published vulnerability disclosure policy, or don't state the minimum period for which security updates will be provided. Installers should: (1) verify products carry a PSTI Statement of Compliance; (2) change all default passwords during commissioning; (3) place IoT devices on an isolated VLAN; (4) document the security update commitments to the client; (5) recommend periodic firmware updates as part of any maintenance contract.
Summary
For 15 years the smart-home industry sold devices with weak security practices: default passwords like "admin / admin", no firmware update mechanism, and no disclosure of how long the device would receive security patches. The Mirai botnet (2016), VPNFilter (2018) and a string of camera takeovers demonstrated that consumer IoT was a security catastrophe waiting to scale. The UK government responded with the Product Security and Telecommunications Infrastructure Act 2023, with the IoT product security regime fully in force from April 2024.
For installers the PSTI Act creates two clear obligations: only install compliant products, and follow good practices when commissioning them. The first is largely about product selection — most credible brands now produce PSTI Statement of Compliance documents — but cheap unbranded gear from Aliexpress, Wish or generic resellers may not be compliant and selling/installing them is now illegal.
This article covers the regulatory framework, the specific things installers must do during commissioning, the network architecture practices that limit damage if a device is compromised, and the advice installers should give clients about ongoing security maintenance. It assumes the reader already understands basic networking — see home networking for av for the network design context.
Key Facts
- PSTI Act 2024 — Product Security and Telecommunications Infrastructure Act; IoT product security regime in force 29 April 2024
- Statement of Compliance — manufacturers must produce a document attesting compliance for each product
- Three minimum requirements — (1) no universal default passwords; (2) means to report security issues; (3) declared minimum support period
- Universal default password ban — products cannot ship with the same default password (e.g. all "admin / 1234")
- Vulnerability disclosure policy — manufacturer must publish a contact and process for reporting issues
- Minimum support period — must be declared and visible on packaging or at point of sale
- Penalties — up to £10 million or 4% of global turnover for non-compliance
- OPSS (Office for Product Safety and Standards) — the regulator enforcing PSTI
- Connectable products — wide scope: cameras, doorbells, smart speakers, hubs, sensors, lights with IP/Wi-Fi/Bluetooth
- Excluded products — vehicles, medical devices, smart meters (other regimes apply)
- Default password complexity — must be unique per device or sufficiently complex; meet established cryptographic standards
- Firmware update mechanism — implied requirement; products must be patchable to address vulnerabilities
- VLANs (Virtual LANs) — primary defence at network level; isolate IoT from main LAN
- Wi-Fi guest network — basic isolation alternative; less granular than VLANs
- mDNS / SSDP across VLANs — discovery protocols may need explicit allow-rules
- Default deny outbound — best practice for IoT; allow only specific cloud services
- Cloud account hygiene — strong password, MFA on smart-home cloud accounts (Google Home, Alexa, Hue Bridge cloud)
- Local-first preference — devices that work without cloud have lower attack surface
- Periodic firmware updates — manufacturer pushes critical; verify devices auto-update or schedule manual
Quick Reference Table
| Risk Category | Examples | Mitigation |
|---|---|---|
| Default credentials | Camera with admin/admin | Change at commissioning; PSTI requires per-device defaults |
| Cleartext communication | Telnet, HTTP web interfaces | Disable; HTTPS only; OR isolate device behind firewall |
| Outdated firmware | Unpatched 5-year-old camera | Schedule updates; replace if EOL |
| Cloud account takeover | Hue or Alexa account compromised | MFA, strong password, separate email |
| Lateral movement | Camera compromise → access server | VLAN segmentation, default deny |
| DDoS botnet (Mirai-style) | Camera enrolled in botnet | Isolation, firewall block outbound |
| Eavesdropping | Voice assistant transcripts | Mute microphones; review privacy settings |
| Camera compromise | Indoor camera streaming externally | Disable when home; LED indicator on |

| PSTI Compliance Indicator | Status |
|---|---|
| Statement of Compliance available | Brand published; check website |
| Per-device default password | Sticker shows unique password / QR code |
| Vulnerability disclosure policy | security@vendor.com or similar |
| Stated support period | "5 years from manufacture" or similar |
| Compliance Mark | UKCA conformity mark on packaging |
Detailed Guidance
What the PSTI Act actually requires
The PSTI Product Security regime (Schedule 1 of the Act and the Product Security Regulations 2023) imposes three core obligations on manufacturers, importers and distributors of connectable products:
1. No universal default passwords
Each device must:
- Ship with a unique per-device password, OR
- Force the user to set a password on first use
- Not use a default password derived from a public source (model number, MAC address) without sufficient unpredictability
- Meet established password complexity requirements
2. Vulnerability disclosure policy
Manufacturers must:
- Publish a public contact (typically a web page or email) for reporting vulnerabilities
- Document the process for reporting and the timeframes for response
- Make the policy accessible without requiring prior account creation
3. Minimum security update period
Manufacturers must:
- Declare the minimum period during which security updates will be provided
- Make this declaration visible at point of sale (packaging, listing, sticker)
- Maintain the commitment for the declared period
For installers, this means asking suppliers for the Statement of Compliance for any connectable product. Most established brands (Amazon, Google, Philips Hue, Aqara, UniFi, Aeotec) now publish these. Generic / unbranded products often don't.
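To make the first requirement concrete, the following Python is an added example (not code from the article, and not any manufacturer's firmware). It contrasts a per-device factory password drawn from the operating system's CSPRNG with one derived from the device MAC address, and shows why the latter lacks unpredictability once the vendor's OUI is known. The sticker alphabet, the 12-character length and the 60-bit minimum are this example's own choices, not figures from the Act or the Regulations.

```python
import math
import secrets
import string

# Alphabet with visually ambiguous characters removed (0/O, 1/l/I) so the
# password printed on a device sticker can be typed reliably. 57 characters.
STICKER_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def per_device_password(length: int = 12) -> str:
    """Generate a unique factory default from the OS CSPRNG (secrets module).

    Each unit gets its own value; nothing about the model or serial feeds in."""
    return "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))


def mac_derived_keyspace_bits(variable_octets: int = 3) -> float:
    """Effective entropy of a 'default' derived only from the device MAC.

    The OUI (first three octets) is public per vendor, so only the remaining
    octets vary; with three variable octets the whole keyspace is 2^24, which
    is why PSTI treats MAC-derived defaults as insufficiently unpredictable."""
    return variable_octets * 8.0


def meets_minimum(password: str, min_bits: float = 60.0) -> bool:
    """Check a sticker password against a minimum entropy target.

    The 60-bit threshold is a constructed value for illustration only."""
    # Characters outside the sticker alphabet mean the password was not
    # produced by this scheme, so its entropy cannot be assumed.
    if not password or any(c not in STICKER_ALPHABET for c in password):
        return False
    return entropy_bits(len(STICKER_ALPHABET), len(password)) >= min_bits
```

A 12-character password from a 57-symbol alphabet carries about 70 bits, whereas a MAC-derived scheme tops out at 24 bits regardless of how the MAC is transformed, because the attacker's search space is the set of possible MACs, not the set of possible passwords.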
Commissioning IoT devices securely
Standard commissioning checklist:
- Physical inspection — confirm device packaging, model number, security stickers
- Initial setup — connect device, accept ToS, create cloud account if needed
- Change default credentials — even if PSTI-compliant, set a new strong password
- Update firmware — apply latest firmware before use
- Configure network — assign to IoT VLAN, set static IP if needed
- Disable unnecessary services — Telnet, SSH, UPnP, web interfaces if not needed
- Configure cloud account — enable MFA, set unique password, separate email if possible
- Document — record model, serial, MAC, IP, firmware version, cloud account email
- Test — verify device works through normal use
- Hand over — explain credentials and ongoing maintenance to client
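The checklist above can be turned into a record check that a technician runs before handover, so that nothing on the list is skipped and the documentation step is enforced. The Python below is an added example, not code from the article or from any vendor tool; the record fields, the placeholder model, serial and MAC, and the IoT VLAN number 20 (taken from the article's layout) are constructed for illustration.

```python
from datetime import date

# Constructed commissioning record for one device. Field names are this
# example's own schema, and the model/serial/MAC values are placeholders.
EXAMPLE_RECORD = {
    "model": "EXAMPLE-CAM-01",
    "serial": "SN-0000-EXAMPLE",
    "mac": "AA:BB:CC:00:11:22",
    "ip": "192.168.20.45",
    "vlan": 20,                          # IoT VLAN in the article's layout
    "firmware": "2.4.1",
    "latest_firmware": "2.4.1",          # as published by the vendor at commissioning
    "default_password_changed": True,
    "statement_of_compliance": True,     # PSTI Statement of Compliance on file
    "support_until": date(2029, 4, 1),   # end of declared minimum support period
    "services": ["https"],               # management services left enabled
    "cloud_account": {"email": "smarthome@example.com", "mfa": True},
}

IOT_VLAN = 20
REQUIRED_FIELDS = ("model", "serial", "mac", "ip", "firmware", "cloud_account")
# Cleartext or discovery services that should be off unless there is a reason.
INSECURE_SERVICES = {"telnet", "http", "upnp"}


def commissioning_issues(record: dict, today: date) -> list[str]:
    """Return findings against the commissioning checklist; empty means pass."""
    issues = []
    for field in REQUIRED_FIELDS:                   # Document step
        if not record.get(field):
            issues.append(f"documentation: missing {field}")
    if not record.get("statement_of_compliance"):   # product selection
        issues.append("PSTI: no Statement of Compliance on file")
    if not record.get("default_password_changed"):  # Change default credentials
        issues.append("credentials: default password still in use")
    if record.get("firmware") != record.get("latest_firmware"):  # Update firmware
        issues.append("firmware: not on latest release")
    if record.get("vlan") != IOT_VLAN:              # Configure network
        issues.append(f"network: device not on IoT VLAN {IOT_VLAN}")
    exposed = INSECURE_SERVICES & {s.lower() for s in record.get("services", [])}
    if exposed:                                     # Disable unnecessary services
        issues.append("services: disable " + ", ".join(sorted(exposed)))
    cloud = record.get("cloud_account") or {}
    if cloud and not cloud.get("mfa"):              # Configure cloud account
        issues.append("cloud: MFA not enabled")
    support = record.get("support_until")
    if support is None:
        issues.append("PSTI: no declared support period recorded")
    elif support <= today:
        issues.append("lifecycle: declared support period already ended")
    return issues
```

Running the check against a record that still has Telnet enabled, the factory password in place and the device left on the Main VLAN returns one finding per failed step, which is the list to hand back to the technician rather than a single pass/fail.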
Network architecture for IoT — VLANs and segmentation
The single most effective control is network segmentation. A typical residential VLAN structure for a smart home:
Internet
│
▼
Router / Firewall
│
├── VLAN 1 (mgmt) ──── [router, switch, AP management]
├── VLAN 10 (Main) ─── [phones, laptops, TVs, NAS]
├── VLAN 20 (IoT) ──── [cameras, doorbells, lights, hubs]
├── VLAN 30 (Guest) ── [visitor devices]
└── VLAN 40 (AV) ───── [Sonos, AVR, streamer]
Firewall rules:
Main → Internet: ALLOW
Main → IoT: ALLOW (control devices)
IoT → Main: DENY (prevent lateral attacks)
IoT → Internet: ALLOW (filtered to specific cloud services)
IoT → Other IoT: DENY (limit lateral spread)
Guest → Internet: ALLOW
Guest → Main / IoT: DENY
The key rule is IoT → Main: DENY. A compromised camera cannot scan or attack family devices. The Main VLAN can still control IoT devices because the rule is unidirectional.
Discovery protocols across VLANs
A challenge: IoT devices use mDNS (multicast DNS), SSDP, Bluetooth and other discovery mechanisms that don't natively cross VLAN boundaries. Solutions:
- mDNS Reflector / Avahi — built into UniFi controller, Aruba, Hubitat; selectively forwards multicast across VLANs
- HomeKit bridges — Apple TV / HomePod can bridge HomeKit devices across networks
- Hub-based architecture — control hub on Main VLAN talks directly to devices on IoT VLAN via firewall rules, presents single endpoint to family devices
- Dedicated allow rules — for specific protocols (Chromecast, AirPlay, Sonos), allow specific multicast across VLANs
Most installers default to "mDNS reflector enabled, default deny otherwise" — this provides device discovery while preventing arbitrary lateral access.
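The firewall table above and the discovery allow-rules in this section can be expressed as a small policy evaluator, which is useful for checking a planned rule set before typing it into a router. The Python below is an added example (not the article's own, and not any router vendor's rule syntax) that returns ALLOW or DENY for a flow described by source, destination, protocol and port. The VLAN subnets are constructed, and the two cloud prefixes are IETF documentation ranges standing in for a vendor's published endpoints; the multicast groups and ports for mDNS (224.0.0.251, UDP 5353) and SSDP (239.255.255.250, UDP 1900) are the standard ones.

```python
from ipaddress import ip_address, ip_network

# Constructed VLAN plan following the article's layout; subnets are placeholders.
VLANS = {
    "Mgmt": ip_network("192.168.1.0/24"),
    "Main": ip_network("192.168.10.0/24"),
    "IoT": ip_network("192.168.20.0/24"),
    "Guest": ip_network("192.168.30.0/24"),
    "AV": ip_network("192.168.40.0/24"),
}
MDNS_GROUP = ip_address("224.0.0.251")        # mDNS multicast group, UDP 5353
SSDP_GROUP = ip_address("239.255.255.250")    # SSDP multicast group, UDP 1900

# Cloud endpoints the IoT VLAN may initiate to. Documentation prefixes are used
# as stand-ins; a real deployment lists the vendor's published ranges instead.
IOT_CLOUD_ALLOW = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def zone_of(addr) -> str:
    """Map an address to its VLAN name, 'Multicast', or 'Internet' (anything else)."""
    if addr.is_multicast:
        return "Multicast"
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "Internet"


def decide(src: str, dst: str, proto: str, dport: int, established: bool = False) -> str:
    """Return 'ALLOW' or 'DENY' for one flow, following the article's rule table.

    Replies to an already-permitted session pass (stateful inspection); Main may
    initiate to IoT, AV and the Internet; Guest only to the Internet; IoT only to
    the cloud allow-list plus explicitly allowed discovery multicast. Everything
    else, including IoT -> Main, is denied. AV is not covered by the article's
    table and therefore falls to the default deny here.
    """
    s, d = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(s), zone_of(d)
    if established:
        return "ALLOW"  # reply traffic of a session the rules already allowed
    if src_zone == "Main":
        return "ALLOW" if dst_zone in ("IoT", "AV", "Internet") else "DENY"
    if src_zone == "Guest":
        return "ALLOW" if dst_zone == "Internet" else "DENY"
    if src_zone == "IoT":
        if dst_zone == "Internet":
            return "ALLOW" if any(d in n for n in IOT_CLOUD_ALLOW) else "DENY"
        if dst_zone == "Multicast" and proto == "udp":
            # Discovery is allowed only for the named groups and ports; the
            # router's mDNS reflector then re-announces on the Main VLAN.
            if (d == MDNS_GROUP and dport == 5353) or (d == SSDP_GROUP and dport == 1900):
                return "ALLOW"
        # Covers IoT -> Main and IoT -> IoT. Two devices on the same VLAN never
        # traverse the router, so that case needs client isolation on the switch
        # or access point rather than a firewall rule.
        return "DENY"
    return "DENY"  # default deny for anything not matched above
```

Two points the table alone does not show: the IoT → Main DENY applies to new connections only, so the reply half of a Main-initiated session must still pass (the `established` flag, which is what a stateful firewall tracks for you); and an IoT → IoT deny cannot be enforced by the router when both devices sit on one VLAN, which is why installers rely on wireless client isolation for that case.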
Cloud account security
Most IoT devices require a cloud account (Hue, Alexa, Google Home, Aqara, Sonos). Account compromise is a significant risk vector — once an attacker has the user's Alexa credentials, they have voice control of the entire home.
Best practices:
- Unique strong password per cloud service — use a password manager
- MFA enabled — TOTP via Authy/Google Authenticator preferred over SMS
- Separate email — consider a dedicated email for IoT cloud accounts (smarthome@user.com)
- Periodic credential review — every 6-12 months, verify cloud account access
- Removing departing users — when household members move out, revoke their access
Installers should set this up at handover and explain it. A single shared email used for all cloud accounts is the default for many homeowners — a single compromise of that email compromises the entire house.
Voice assistants — privacy considerations
Voice assistants (Alexa, Google Home, Siri / HomeKit) record audio when activated and transmit it to cloud servers. Some services retain transcripts; some retain audio.
Advice for clients:
- Mute when not in use — most devices have a hardware mute button
- Review voice recordings periodically — Alexa, Google Home apps allow listening and deletion
- Disable in sensitive rooms — bedrooms, bathrooms (though most users want them in kitchens)
- Choose privacy-respecting platforms — Apple HomeKit processes more locally; Mozilla's Privacy Not Included database reviews each service
- Inform visitors — recording visitors with smart speakers may raise a data processing concern under GDPR
Cameras — special considerations
Internet-connected cameras are the highest-risk IoT category. A camera compromise gives attackers access to live and recorded video of the home. PSTI compliance reduces but doesn't eliminate the risk.
Practical mitigations:
- Indoor cameras only when away — schedule activation
- Hardware shutter — physical privacy shutter (some Nest, Eufy models)
- Avoid sensitive locations — bedrooms, bathrooms, areas where children change
- Local recording where possible — Synology Surveillance Station, UniFi Protect — keeps video off vendor cloud
- Review who has access — shared accounts should be reviewed periodically
- GDPR compliance — cameras pointing into communal areas or neighbours' property are a data protection issue
For commercial-grade installs (rental properties, holiday lets), consider ICO registration and a privacy notice for tenants.
Firmware updates — the ongoing maintenance burden
PSTI requires manufacturers to provide updates for the declared period — but the homeowner has to install them. Automatic updates are best where supported; manual updates for hubs and main devices should be scheduled.
Installer's role:
- Configure auto-update during commissioning where possible
- Schedule periodic check — typically monthly for hubs, quarterly for sensors
- Maintenance contracts can include this work
- Track end-of-life — when a device's support period ends, recommend replacement
A device past its declared support period and unpatched is a security risk. The smart-home industry is just beginning to grapple with this — many devices sold 5+ years ago no longer receive updates and are technically obsolete from a security perspective.
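The end-of-life tracking and periodic check cadence described in this section are simple to automate once the support declaration and last check date are recorded per device. The Python below is an added example, not the article's own or any vendor's tooling; the inventory, manufacture dates and support periods are constructed, the monthly/quarterly cadences for hubs and sensors come from the article, and the monthly cadence for cameras is this example's own choice. It assumes a declaration of the "N years from manufacture" form mentioned in the compliance table.

```python
from datetime import date, timedelta

# Constructed inventory; names, dates and support periods are placeholders.
INVENTORY = [
    {"name": "hub-1", "kind": "hub", "manufactured": date(2022, 6, 1),
     "support_years": 5, "last_checked": date(2024, 12, 1)},
    {"name": "sensor-3", "kind": "sensor", "manufactured": date(2019, 3, 1),
     "support_years": 5, "last_checked": date(2024, 9, 1)},
    {"name": "cam-2", "kind": "camera", "manufactured": date(2023, 1, 15),
     "support_years": 3, "last_checked": date(2025, 1, 1)},
]

# Check cadence: monthly for hubs and quarterly for sensors (from the article);
# monthly for cameras is this example's choice given their risk profile.
CHECK_INTERVAL_DAYS = {"hub": 30, "sensor": 90, "camera": 30}


def support_end(device: dict) -> date:
    """End of the declared minimum support period, counted from manufacture."""
    m = device["manufactured"]
    try:
        return m.replace(year=m.year + device["support_years"])
    except ValueError:  # 29 February manufactured, non-leap target year
        return m.replace(year=m.year + device["support_years"], day=28)


def status(device: dict, today: date) -> str:
    """'replace' once support has ended, 'check' when a firmware review is due,
    otherwise 'ok'. A device past its support period is flagged regardless of
    when it was last checked, because no further patches will arrive."""
    if today >= support_end(device):
        return "replace"
    due = device["last_checked"] + timedelta(days=CHECK_INTERVAL_DAYS[device["kind"]])
    return "check" if today >= due else "ok"


def maintenance_plan(inventory: list[dict], today: date) -> dict[str, str]:
    """Status per device name, suitable for a monthly maintenance-contract report."""
    return {d["name"]: status(d, today) for d in inventory}


def days_of_support_left(device: dict, today: date) -> int:
    """Remaining support in days (negative once the period has ended), useful for
    warning the client ahead of time rather than at the cut-off."""
    return (support_end(device) - today).days
```

Run against the constructed inventory on 10 January 2025, the hub is due its monthly check, the sensor manufactured in 2019 with a five-year declaration is already out of support and flagged for replacement, and the camera checked on 1 January is fine until the end of the month.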
What to tell clients
A simple security briefing for clients:
- Update your devices — when prompted, accept firmware updates
- Use strong passwords on cloud accounts — and MFA
- Don't share credentials — give visitors guest Wi-Fi, not your IoT credentials
- Review camera angles — don't accidentally watch neighbours
- Mute voice assistants when discussing private matters
- Tell us when something seems wrong — unexpected device behaviour, unfamiliar logins
- Plan for replacement — devices have a lifecycle; budget for refresh every 5-7 years
This brief should be in writing as part of handover documentation — see smart home commissioning handover.
Frequently Asked Questions
Is the PSTI Act actually enforced?
Yes. OPSS has investigation and enforcement powers. Penalties of up to £10 million or 4% of global turnover apply. Distributors and importers are also liable, not just manufacturers. Compliance is being driven both by regulator action and by retailer due diligence (Amazon, John Lewis, etc., now require Statement of Compliance from sellers).
Do I need to register my smart home with the ICO?
For most residential installs, no. The ICO registration / data protection fee applies to organisations processing personal data, not to individual homeowners. However, if you operate cameras filming public footpaths, neighbours' property, or rental properties with multiple tenants, registration may apply. Check the ICO website. Smart-home installers themselves processing client data (project files, system access credentials) should register.
Can I install Aliexpress IoT devices?
You can buy them, but selling/installing them commercially in the UK without a Statement of Compliance is illegal under PSTI. For a commercial installer this is significant exposure — both legal and reputational. Stick to brands with clear PSTI compliance documentation. The savings on cheap unbranded gear are not worth the regulatory risk.
What if a manufacturer goes out of business — what happens to my support period?
Legally the support obligation runs with the product, not the company; in practice, when a manufacturer ceases trading, security updates stop. Devices become higher-risk and should be replaced or isolated more strictly. This has happened with several IoT brands (Insteon, Lighthouse, Wink at various points). Choose major established manufacturers for longest-term support.
My client wants Ring doorbell despite Amazon's data practices. What do I do?
Provide the security and privacy briefing in writing, explain the data flow (video stored on Amazon servers, accessible to law enforcement under valid warrants), and let them make an informed decision. It's their home and their data. Document that they were informed.
Regulations & Standards
Product Security and Telecommunications Infrastructure Act 2022 — Primary legislation
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (SI 2023/1007) — Implementing regulations
ETSI EN 303 645 — European standard for cyber security in IoT consumer products; PSTI requirements derived from this
GDPR (EU 2016/679 retained as UK GDPR) and Data Protection Act 2018 — Personal data processing
Network and Information Systems Regulations 2018 — Cyber security for essential services (rare for residential)
Computer Misuse Act 1990 — Criminal offences for unauthorised access
BS 7858:2019 — Screening of individuals (relevant for installers with access to client data)
PSTI compliance mark — UKCA conformity mark with PSTI assessment
Cyber Essentials — recommended UK government scheme for installer companies handling client data
PSTI Act 2022 — Primary legislation
PSTI Regulations 2023 (SI 2023/1007) — Implementing regulations
OPSS Office for Product Safety and Standards — Regulator
ETSI EN 303 645 — Cyber security for consumer IoT — Underlying European standard
Mozilla Privacy Not Included — IoT privacy reviews
ICO Information Commissioner's Office — Data protection guidance
home networking for av — VLAN segmentation for IoT isolation
smart security cameras installation — Camera-specific security considerations
smart home commissioning handover — Security briefing as part of handover
voice control integration — Voice assistant privacy
smart home system specification — Including security in spec stage