Last month, the State of California banned default passwords on network devices, starting January 1, 2020. This law mandates that manufacturers preprogram a unique password for each individual device and that the user is required to change this password upon first login.
Default passwords on IoT (internet-of-things) devices have plagued the technology industry for some time, and have resulted in many high profile attacks. Everything from cameras to sex toys has been shown to be vulnerable to attackers who simply google the default password the device is shipped with and use it to log in. These default passwords are often something simple that could be easily guessed, like “password” or “1234”. Vulnerable devices are often installed at the perimeter of a network, making them accessible from anywhere in the world. These external devices are especially vulnerable to attackers who automate worldwide attacks against them and conscript them into botnets. In many cases, they are also used by attackers to pivot to internal hosts on a victim’s network, effectively bypassing the firewall. This raises the question of why users don’t simply change these devices’ passwords when they set them up. Some do, but far too often, users aren’t aware of or are dismissive of the risks associated with default passwords. That’s why there has been a push to force users to change the password when they first log in to set up the device. This doesn’t help, however, if the first login can be performed by a malicious entity armed with the default password who then changes it upon first login.
These concerns are addressed within the new California law, and following the actions dictated by this law will likely result in increased IoT security with regard to specific threat models. For years, security researchers have sounded the alarm about default passwords on network devices, with little traction. Now, as California forces manufacturers to tighten security, it would seem that we are finally getting somewhere.
But are we really getting somewhere?
The law specifies that each password must be unique. From a practical standpoint, this presents a challenge for manufacturers as they decide what methodologies and algorithms to use to generate these passwords. Even before this law, some device makers have risen to this challenge impressively, generating unique, complex passwords that would be very difficult to crack using a brute force attack. Others have not. Some manufacturers’ algorithms have been shown to be highly insecure. The password in many cases is generated using some form or portion of the device’s MAC address – a set of numbers associated with the device’s NIC (network interface card). This MAC address is often displayed on the main login page of the device and can in many cases be used to reverse engineer the generated password. And the law doesn’t say how unique this password must be. Can a factory manufacture 10,000 devices, each with a four-digit passcode ranging from 0000 to 9999? That would be trivial for an attacker to brute force, using automated tools. What if the default password is complex, but the user changes it to “password123” because there are no password length/complexity requirements?
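To put numbers on the three generation schemes described above, here is an added example (my own code, not from the post or any manufacturer) that models the guessing space of a four-digit passcode, a MAC-derived password (assumed here to be the last three octets of the MAC, which is a simplification), and a CSPRNG-generated default, alongside the kind of device-side first-login check that would refuse “password123”. The guess rate is a constructed figure.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols for the strong scheme

# Size of the guessing space for each generation scheme discussed in the post.
# The MAC-derived scheme is an assumed, simplified variant: the password is the last
# three octets of the MAC (the first three are the vendor OUI and carry no secret).
SCHEMES = {
    "digits4": 10 ** 4,      # 0000-9999 passcode
    "mac_suffix": 2 ** 24,   # 24 bits of MAC address
    "random12": 62 ** 12,    # 12 characters from ALPHABET via a CSPRNG
}

def guesses_needed(scheme: str, mac_visible: bool = False) -> int:
    """Worst-case guesses to exhaust the space. If the MAC is printed on the
    login page, the MAC-derived password costs the attacker a single guess."""
    if scheme == "mac_suffix" and mac_visible:
        return 1
    return SCHEMES[scheme]

def guess_bits(scheme: str, mac_visible: bool = False) -> float:
    """Guessing entropy in bits for the scheme under the attacker's knowledge."""
    return math.log2(guesses_needed(scheme, mac_visible))

def seconds_to_exhaust(scheme: str, guesses_per_second: float = 1000.0,
                       mac_visible: bool = False) -> float:
    """Constructed guess rate: 1000/s stands in for an online guessing attack."""
    return guesses_needed(scheme, mac_visible) / guesses_per_second

def generate_device_password(length: int = 12) -> str:
    """Per-device factory default: independent of MAC, serial, or batch number."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

WEAK_CHOICES = {"password", "1234", "password123"}  # the examples named in the post

def accept_new_password(candidate: str, factory_default: str, min_len: int = 12) -> bool:
    """Device-side check for the forced first-login change: a mandatory change
    is pointless if the device accepts a weak replacement or the old default."""
    if candidate == factory_default or candidate.lower() in WEAK_CHOICES:
        return False
    if len(candidate) < min_len:
        return False
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation]
    return sum(any(c in cls for c in candidate) for cls in classes) >= 3
```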
These types of laws are politicians’ ways of attempting to show that they are doing something about the problem, but often result in compliance without security. Companies tend to follow the letter of the law, instead of the spirit. They may have dotted their i’s and crossed their t’s, to avoid lawsuits, but this often doesn’t actually result in increased security for the consumer. It basically just means that now the consumer can’t sue the manufacturer. Just look at the United States’ HIPAA and HITECH healthcare compliance laws. At a time when healthcare organizations are focused more than ever on compliance with federal law, the number of healthcare breaches has skyrocketed.
As government compliance law fails to secure internet-connected devices, new models should be considered. Free markets tend to regulate themselves more effectively than those regulated by the state. As an example, security companies could provide certifications, or seals of approval, to product manufacturers who commission their security testing services and receive a passing grade after rigorous testing. Consumers could choose to pay slightly more for products which are certified by reputable security vendors, or choose to save money and buy products which are potentially less secure. In this model, security vendors would be motivated to perform thorough testing in order to preserve their reputation. Manufacturers would also be motivated to procure security certifications for their products, in order to appeal to consumers who value security. Consumers would then benefit from the security expertise of reputable security vendors, instead of relying on politicians. In any case, nearly anything is better than allowing politicians who know little about technology – much less internet security – to issue mandates to technology companies. Here’s hoping that the world will shift toward more decentralized models for internet security that can more effectively protect consumers from harm.