Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

1. The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

2. Passwords must be—

   a. unique per product; or

   b. defined by the user of the product.

3. Passwords which are unique per product must not be—

   a. based on incremental counters;

   b. based on or derived from publicly available information;

   c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

   d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

1. In this Part “relevant connectable product” means a product that meets conditions A and B.

2. Condition A is that the product is—

   A. an internet-connectable product, or

   B. a network-connectable product.

3. Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

5. Computers

   1. Products are excepted under this paragraph if they are computers which are—

      a. desktop computers;

      b. laptop computers;

      c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt¹. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly².

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

They're currently soliciting for comments on the question:

The system of laws and law-making in the UK is complex, but is that inevitable given the highly developed and interconnected society which laws regulate? Should you need to be a lawyer to understand and use an Act?

You can leave your comment on their forum - here's what I submitted.

Albert Einstein said:

[T]he supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience.

Or, as it is more commonly paraphrased "make things as simple as possible - but no simpler."

The law applies to every person - we should not have to become experts in how to be governed.

Let's take, for example, the Sale of Goods Act (1979). It is one of the most important pieces of consumer legislation yet is almost completely unintelligible to the lay reader. The state has published hundreds of different pamphlets, guides, posters, books, and websites trying to explain it. Not to mention all the work independent consumer organisations have done in trying to make the legislation legible.

I present a random extract from the act. Before trying to understand it, I'd appreciate it if you were to try to read it aloud on a single breath of air.

Where there is a contract for the sale of specific goods or where goods are subsequently appropriated to the contract, the seller may, by the terms of the contract or appropriation, reserve the right of disposal of the goods until certain conditions are fulfilled; and in such a case, notwithstanding the delivery of the goods to the buyer, or to a carrier or other bailee or custodier for the purpose of transmission to the buyer, the property in the goods does not pass to the buyer until the conditions imposed by the seller are fulfilled.

I've read this several times, and I think it means that "If you buy something, it doesn't become your property until you've fulfilled all the parts of the seller's contract. If you don't meet those conditions, the seller doesn't have to give you the goods." Am I close?

The law doesn't need to be in iambic pentameter - but it does need to be readable and understandable to those to whom it is targeted.

This may mean, in future, that an Act isn't written in paragraphs but drawn out as a flow chart or as UML diagram.

Ambiguity only enriches lawyers. Any adult with a GCSE in English should be able to parse a law and understand its impact. To often legal disputes seem to arise not from a willing breach of the law - but by misunderstandings.

I work on user-interfaces for software. If a user doesn't understand that how she has to fill in a form - I have failed. I would suggest that any law which requires a professional to assist with its understanding has also failed.

My suggestion is that all proposed bills undergo a period of UAT (User Acceptance Testing). This UAT would ask members of the public to try and interpret what a law does - and whether it meets those goals.

This can be done online - for example a quiz showing a paragraph of a bill, and then a multiple choice question to see if it has been understood.