IoT Device Cybersecurity: PSTI Act 2024, Default Password Rules and Advice Installers Should Give Clients
The UK Product Security and Telecommunications Infrastructure (PSTI) Act 2024 (effective 29 April 2024) requires consumer IoT devices sold in the UK to meet three mandatory security requirements: no universal default passwords, a published vulnerability disclosure policy, and transparency about the minimum security update period. Installers should confirm that devices being specified carry UKCA marking or evidence of PSTI compliance, change any remaining default credentials at commissioning, and advise clients to update device firmware before handover.
Summary
Smart home devices — cameras, doorbells, smart locks, smart speakers, thermostats, and the routers and hubs that connect them — are among the most commonly compromised devices in UK household networks. Unlike computers and phones, which receive regular security patches and operating system updates, many IoT devices are configured once during installation and never touched again. Security vulnerabilities accumulate, firmware goes unpatched, and default credentials remain unchanged for years.
The PSTI Act 2024 established the UK's first binding legal framework for IoT device security. From April 2024, manufacturers, importers, and distributors of consumer connectable products in the UK are required to meet minimum security standards or face fines of up to £10 million or 4% of global turnover. This shifts legal responsibility towards the supply chain, but installers who specify and commission smart home equipment still have a duty-of-care obligation to clients to deliver a secure installation.
For residential tradespeople, the practical implication is straightforward: specify PSTI-compliant devices, change default passwords at commissioning, segment IoT devices onto their own VLAN, and hand the client a written record of what was installed, what credentials were set, and where to check for firmware updates.
Key Facts
- PSTI Act 2024 (Product Security and Telecommunications Infrastructure Act) — primary UK legislation for IoT device security; effective 29 April 2024; administered by OPSS (Office for Product Safety and Standards)
- PSTI mandatory requirements — three obligations for all covered consumer connectable products:
- No universal default passwords (each device has a unique password, or user must create one on first use)
- Published vulnerability disclosure policy (manufacturer provides a point of contact for reporting security vulnerabilities)
- Stated minimum support period (manufacturer must declare how long security updates will be provided)
- UKCA marking — from 1 January 2025, PSTI-compliant products carry UKCA marking; pre-existing CE-marked products in stock can be sold through stock until exhausted
- Covered products — smartphones, tablets, smart TVs, smart speakers (Alexa, Google Home), IP cameras, doorbells, baby monitors, smart locks, routers, Wi-Fi extenders, smart home hubs, and any internet-connectable device; excluded: medical devices, smart meters, EV chargers (covered by other regulations)
- Non-compliant products — OPSS can order product withdrawals and issue civil penalties; manufacturers and importers face enforcement action; distributors (including trade installers) who supply non-compliant products may face liability
- Default password — a pre-set credential shared across all devices of the same model; e.g. "admin/admin" or "admin/1234"; explicitly prohibited by PSTI; non-compliant devices from pre-2024 stock still exist in distribution
- Credential hygiene — changing default passwords, disabling unused admin ports, disabling UPnP on routers; basic steps that dramatically reduce attack surface
- Firmware update — manufacturer's mechanism for patching security vulnerabilities; updates should be applied before installation and kept current; auto-update settings should be enabled where available
- Network segmentation — placing IoT devices on a separate VLAN from personal data devices; prevents a compromised camera or smart speaker from accessing a client's laptop, NAS, or banking sessions
- WPA3 — current Wi-Fi security standard (replaces WPA2); provides stronger encryption and forward secrecy; all new Wi-Fi APs and smart home devices from 2020+ should support WPA3
- Port forwarding — opening a router port to allow external access to a device; creates significant attack surface; advise clients against enabling port forwarding for cameras or smart home systems; use VPN instead
Quick Reference Table
| Security Practice | Why It Matters | Installer Action |
|---|---|---|
| Unique device passwords | Prevents bulk brute-force using leaked default credentials | Change during commissioning; document securely |
| Firmware update | Patches known security vulnerabilities | Apply latest firmware before handover; enable auto-update |
| Network segmentation (VLAN) | Compromised IoT device can't access personal data | Implement IoT VLAN during network setup |
| WPA3 Wi-Fi | Stronger encryption protects network access | Configure WPA3 on IoT Wi-Fi SSID |
| Disable UPnP on router | Prevents IoT devices from automatically opening firewall ports | Disable in router admin settings |
| No port forwarding | External attacks can't reach cameras/devices directly | Use VPN or manufacturer cloud relay instead |
| Two-factor authentication | Secures manufacturer cloud accounts for cameras, doorbells | Enable on all manufacturer app accounts at handover |
| Documented credentials | Client can update passwords and access devices after handover | Provide handover document with all device access details |
Detailed Guidance
PSTI Act: What Installers Need to Know
The PSTI Act primarily targets manufacturers, importers, and distributors. Installers who purchase from UK retailers and distributors are at the downstream end of the supply chain, but several implications are relevant:
Specifying compliant products: From April 2024, any new IoT device brought to market in the UK should be PSTI-compliant. However, pre-existing stock (pre-2024 manufactured products) may still be in distribution. When specifying products, verify that the manufacturer has published a PSTI compliance declaration (available on the manufacturer's website for compliant products).
Compliance evidence: The PSTI Act requires manufacturers to provide a Statement of Compliance. For products sold in UK retail, compliance should be assumed for purchases after April 2024 from reputable UK distributors. For grey-market or direct-import products (particularly from Chinese marketplaces), verify compliance independently.
Liability exposure: An installer who knowingly supplies and installs a non-compliant product could face OPSS enforcement action. More practically, if a non-compliant device is compromised and causes harm (e.g. a security camera is hacked and footage is accessed by an attacker), the installer may face civil liability for supplying inadequate equipment.
Commissioning Security Checklist
Follow this security checklist at commissioning for every smart home installation:
Before installation:
1. Verify all devices are from reputable UK distributors and purchased post-April 2024 (or have confirmed PSTI compliance)
2. Check manufacturer website for pending firmware updates; download latest firmware
During commissioning:
3. Change default admin passwords on all devices that allow it; set unique, strong passwords (minimum 12 characters, mixed case + numbers + symbols)
4. Change default Wi-Fi network names (SSIDs) from router-supplied defaults (e.g. "SKY12345") to a network name that doesn't identify the household
5. Create separate IoT Wi-Fi SSID (or VLAN) for smart home devices; give it a different password from the household Wi-Fi
6. Disable UPnP on the main router; check each device's admin interface for enabled port forwarding and disable it
7. Enable auto-firmware update on all devices that support it
8. Enable two-factor authentication on all manufacturer cloud accounts (camera apps, smart home apps, router admin)
At handover:
9. Provide a written handover document with: list of all devices installed; access credentials (stored securely — not in plain text email); instructions for firmware update checking; manufacturer contact details for security issues
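The checklist above lends itself to a simple pre-handover audit: a script that reads the commissioning record and flags any device that still has a known universal default credential, a password that misses the 12-character mixed policy, outdated firmware, no auto-update, placement on the main household network, a cloud account without 2FA, or a port forwarding rule pointing at it. The following is an added example written for this article, not code from the article's author or any manufacturer; the record format, the device names and the sample values are constructed assumptions, and the default-credential list only holds the pairs this article mentions.

```python
"""Pre-handover security audit of a smart home commissioning record.

Added example for this article (not the article's own code). The Device
record layout, the sample installation and the device names are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import string

# Universal default credential pairs named in the article. An installer would
# extend this from each manufacturer's documentation for the models in use.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "123456"),
}

MIN_PASSWORD_LENGTH = 12  # checklist item 3: minimum 12 characters


@dataclass
class Device:
    name: str
    category: str            # "camera", "router", "lock", "thermostat", ...
    username: str
    password: str
    firmware_current: bool   # latest manufacturer firmware applied (item 2)
    auto_update: bool        # auto firmware update enabled (item 7)
    vlan: str                # network the device sits on: "iot" or "main" (item 5)
    cloud_2fa: Optional[bool]  # None when the device has no cloud account (item 8)
    port_forwarded: bool     # a router port forwarding rule targets it (item 6)


def password_meets_policy(password: str) -> bool:
    """Minimum 12 characters with lower case, upper case, digits and symbols."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def audit_device(dev: Device) -> List[str]:
    """Return the checklist findings for one device (empty list = clean)."""
    findings: List[str] = []
    if (dev.username.lower(), dev.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default credentials unchanged")
    elif not password_meets_policy(dev.password):
        findings.append("password does not meet policy")
    if not dev.firmware_current:
        findings.append("firmware not updated before handover")
    if not dev.auto_update:
        findings.append("auto-update not enabled (record for manual checks)")
    # The router is the boundary device, so it is the one thing not on the IoT VLAN.
    if dev.category != "router" and dev.vlan != "iot":
        findings.append("device not on IoT VLAN")
    if dev.cloud_2fa is False:
        findings.append("cloud account without 2FA")
    if dev.port_forwarded:
        findings.append("port forwarding rule exposes device")
    return findings


def audit_installation(devices: List[Device], router_upnp_enabled: bool) -> Dict[str, List[str]]:
    """Audit every device plus the network-wide UPnP setting (item 6)."""
    report = {dev.name: audit_device(dev) for dev in devices}
    report["_network"] = ["UPnP enabled on main router"] if router_upnp_enabled else []
    return report


def handover_ready(report: Dict[str, List[str]]) -> bool:
    """True only when no device and no network-level check produced a finding."""
    return all(not findings for findings in report.values())


# Constructed sample installation: one untouched budget camera, one well
# commissioned thermostat, the router, and a lock with a weak chosen password.
SAMPLE_DEVICES = [
    Device("Front door camera", "camera", "admin", "admin", False, False, "main", False, True),
    Device("Hallway thermostat", "thermostat", "installer", "Th3rmo-Hall!2024", True, True, "iot", None, False),
    Device("Main router", "router", "admin", "R0uter!Main-Net", True, True, "main", None, False),
    Device("Smart lock", "lock", "owner", "doorlock12", True, True, "iot", True, False),
]

if __name__ == "__main__":
    result = audit_installation(SAMPLE_DEVICES, router_upnp_enabled=True)
    for name, findings in result.items():
        print(name, "->", findings or "OK")
    print("handover ready:", handover_ready(result))
```

Run as-is, the camera collects six findings, the lock one (its password has no upper case or symbol), the thermostat and router none, and the UPnP check fails at network level, so the installation is not yet handover ready. The `_network` key keeps router-wide settings separate from per-device findings so the report maps directly onto the checklist items.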
Specific Device Security Concerns
IP cameras and doorbells: Historically the most compromised IoT category. Pre-PSTI budget cameras (Reolink, Tuya-branded, unbranded cameras) frequently had universal admin/admin or 123456 default credentials. Post-PSTI, verify unique default credentials or forced password change on first use. Advise against port forwarding for remote access — use the manufacturer's encrypted cloud relay or a client VPN instead.
Smart speakers (Amazon Echo, Google Nest): These devices capture audio in the home. The security risk is primarily the manufacturer's cloud infrastructure and data privacy rather than local network security. Advise clients about:
- Reviewing the device's microphone access settings and data retention options
- Ensuring the device is on the IoT VLAN, not the main household VLAN where it could interact with other devices
- Voice purchasing controls (PIN required for purchases via Alexa)
Smart locks: A compromised smart lock is a physical security issue, not merely a data issue. Verify the lock vendor has a strong security track record; prefer locks with offline code backup (ability to operate without connectivity); ensure the app account has 2FA enabled.
Smart routers/mesh systems: The router manages the entire network. Prioritise router security above all other devices: change admin credentials, keep firmware updated, enable WPA3, disable unused admin interfaces (Telnet, SSH if not needed), and use a strong, unique Wi-Fi password.
GDPR Considerations for Smart Home Cameras
Smart security cameras that capture images beyond the property boundary (public street, neighbour's garden) involve personal data processing under UK GDPR. While installers are not data controllers, they should advise clients:
- Position cameras to minimise capture of public areas or neighbouring properties
- Display a privacy notice sign if cameras cover public spaces (required by ICO guidance)
- Check the camera manufacturer's privacy policy regarding cloud storage and data retention
- Register with the ICO as a data controller if using cameras beyond domestic/household purposes
See [smart security camera installation and GDPR](/wiki/smart-home/smart-security-cameras-installation) for detailed guidance on CCTV compliance.
Advising Clients: What to Say at Handover
Clients rarely think about IoT security beyond "does it work?" The handover conversation should include:
What to tell clients:
- "I've changed the default passwords on all your devices. The list of credentials is in this handover document — keep it somewhere safe, not in your email inbox."
- "All your smart home devices are on a separate network from your computers and phones. If anything gets hacked, it can't access your personal data."
- "The cameras are accessed through the app — do not enable port forwarding on your router, as that would expose the cameras directly to the internet."
- "Firmware updates are set to automatic where possible. For [specific devices that require manual updates], check for updates in the app every few months."
- "Two-factor authentication is enabled on your [camera app, smart lock app] accounts. You'll need your phone to log in."
Frequently Asked Questions
Which types of devices are NOT covered by the PSTI Act?
Products excluded from PSTI requirements include: smart meters, large-scale connected industrial products, medical devices, vehicles, and products already covered by other security regulations (e.g. EV chargers, desktops, laptops). The Act focuses on consumer connectable products — devices sold to individuals for personal use in the home.
Can I still sell and install pre-2024 stock that may not be PSTI-compliant?
Manufacturers, importers, and distributors are responsible for compliance. Pre-2024 stock in legitimate UK distribution channels was legal when manufactured/imported and can continue to be sold through. However, given the liability risk of installing non-compliant equipment (particularly security cameras), installers should transition to confirmed-compliant products as existing stock depletes.
Does PSTI compliance mean a device is secure?
No — PSTI sets a minimum baseline (no universal default passwords, vulnerability disclosure policy, stated update period). Many compliant devices still have vulnerabilities in firmware, inadequate encryption, or insecure cloud backends. PSTI compliance is a floor, not a ceiling. Installers should additionally assess whether a manufacturer has a credible security track record.
What should I do if a client's existing device doesn't meet PSTI standards?
Document it in the handover and advise the client. If the device was installed before April 2024, it may be pre-PSTI stock. Recommend the client apply any available firmware updates, change default credentials, and consider replacement when the device reaches end-of-life. If the device has a known unpatched vulnerability, advise immediate replacement.
Regulations & Standards
Product Security and Telecommunications Infrastructure (PSTI) Act 2022 — primary legislation; came into force 29 April 2024; enforced by OPSS
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 — the secondary legislation setting out the three mandatory security requirements
UK GDPR / Data Protection Act 2018 — applies to CCTV cameras capturing images of individuals; residential CCTV for domestic household use is exempt but cameras covering public spaces are not
ICO CCTV Code of Practice — guidance for residential and small business CCTV compliance
OPSS — PSTI Act Guidance for Manufacturers and Businesses — official compliance guidance
NCSC — Security Guidelines for Smart Devices — National Cyber Security Centre guidance on securing smart home devices
ICO — CCTV and Smart Cameras — ICO guidance on residential CCTV and GDPR
ETSI EN 303 645 — the international consumer IoT security standard that PSTI is based on
[smart security camera installation](/wiki/smart-home/smart-security-cameras-installation) — CCTV positioning, PoE wiring, and GDPR requirements
[home networking and VLAN segmentation](/wiki/smart-home/home-networking-for-av) — the network infrastructure that isolates IoT devices
[commissioning and handover documentation](/wiki/smart-home/smart-home-commissioning-handover) — documenting credentials and security settings at handover
[voice control integration](/wiki/smart-home/voice-control-integration) — privacy considerations for smart speakers and voice assistants