
Why the UK is Banning Default Passwords in IoT Devices (newstatesman.com)

Matt Warman, the minister for digital and broadband in the UK, writes: From washing machines and children's toys to personal assistants, we are increasingly seeing more of our daily lives connected to the internet. In fact, research suggests by 2025 there will be 75 billion internet connected devices in homes around the world. However, the current security standards of many of these devices are low and the security and privacy risks are too great. Last week, for example, the usernames and passwords for more than 500,000 devices including Internet of Things (IoT) products were made available online.

Our aim is to make the UK the world's leading digital economy. But if we are to achieve this ambition we need to make sure people trust technology. I believe we can do this through pro-innovation regulation. So today I've announced we are developing new legislation to hold firms manufacturing and stocking internet-connected devices to account to stop hackers threatening people's privacy and safety. These new laws will mean consumers are protected from devices which do not adhere to the three rigorous security requirements we've developed alongside a code of conduct. These measures will mean all the passwords pre-programmed in internet-connected devices must be unique and not resettable to any universal factory setting.

  • Stupid but necessary (Score:5, Interesting)

    by EndlessNameless ( 673105 ) on Wednesday January 29, 2020 @05:37PM (#59669006)

    A government is passing a useful law? How refreshing.

    The companies apparently don't have an incentive to configure unique passwords (otherwise they would have done so already).

    With the disruptive level of traffic from Mirai and its successors, someone had to step up. With the whole Brexit debacle, I never expected the UK to take action. Thumbs up, chaps.

    • by I am not a Bicycle ( 6231610 ) on Wednesday January 29, 2020 @06:05PM (#59669118)

      There's actually a fairly easy way to solve the problem without unnecessarily inconveniencing the user. Stamp or paste the password on a discreet but easily accessible part of the device, say, on the battery compartment (this is where the password of my mobile AP is located). The device can only be "hacked" (in both the good and bad sense of the word) by someone who already has physical possession of it. Just make sure the password isn't in some thermal print that fades a few weeks after the device has been unboxed.

      An alternative will be a simple hardware access button. No passwords needed. For devices where security is very important, that button could be a reset key that wipes the user data clean.

      • Anyone could have that password. Delivery guy, telecoms employees, manufacturer employees and anyone they pass it on to.

        What's so hard about storing that password you created on installation in a safe location?
        Stick a post-it under the device if you absolutely must. Any modern OS offers a password manager though. The good ones even contain edit/backup functionality. As do browsers.

        Also: If you can't even be bothered with *that* little of an "inconvenience", good luck finding a job. Or a girlfriend. Or a home.

        • Dude - be careful with the tinfoil hat
        • by Anonymous Coward
          G-ma has just signed up for a small-town ISP and is told she needs a router; she remembers that G-pa may have left one in the wood shop when he died. She finds it, tries to plug it in, but it starts cutting a hole in the desk instead of making her internet work. So she goes to Best Buy and is advised that this was not the correct type of router to use for Internet. She purchases one, takes it home, and after randomly plugging the cables in for a half hour, it starts working. All is well. Except when it's no
        • by ceoyoyo ( 59147 )

          You're welcome to change the default password. Most people don't though. So you use a unique one, which *could* be stolen, but probably won't be. It's way better than using "admin" for a million devices.

          Access point manufacturers figured this out about ten years ago, after initially taking the lazy stupid route as well.

        • by ebvwfbw ( 864834 )

          You're right. We'll make it something nobody would guess.
          BAReFO0T.

          Oh wait, now it's on the internet.

      • "We'll just set the password to the same as the mac address. That's complex enough, right?"
    • Alternatively we could publish articles shaming manufacturers and stop buying IoT devices that are insecure garbage.

      It's nice to have a powerful government when they operate in your best interests.

      It's problematic if that government ever goes off the rails while it has a tremendous power invested in them.

      • Alternatively we could publish articles shaming manufacturers

        Yes, because they're so responsive to that kind of thing.

        "We take security of our craptastic devices very very very very seriously and we'll look into pretending to do something about it after the next stockholder's meeting, which will be never because we're going out of business since we already have your money."

    • by AmiMoJo ( 196126 )

      The UK is one of the world leaders in consumers importing stuff though, mostly from China. Our high streets are dying fast because everyone buys online, and Chinese stores like AliExpress, Banggood, Gearbest, eBay etc. are very popular.

      With the desperation of brexit forcing us to do a bad trade deal with China soon I can't see this ending. So in practice a lot of hardware will be Chinese spec and will ignore this law.

      Really we need to convince a big trading block to adopt the idea so that Chinese companies

      • by AmiMoJo ( 196126 )

        Oh dear, some brexiteer snowflake was trolled by having it pointed out why the EU is a good idea.

        How pathetic. This is what the once moderately impressive United Kingdom has become.

  • Because they realize default passwords on a computing device inside your firewall is a horrible idea?

  • by DontBeAMoran ( 4843879 ) on Wednesday January 29, 2020 @05:40PM (#59669020)

    "...all the passwords pre-programmed in internet-connected devices must be unique..."

    Alright, then.

    Device serial number #0000000001: password0000000001
    Device serial number #0000000002: password0000000002
    Device serial number #0000000003: password0000000003
    etc.

    • If the goal is to make remote-hacks more difficult, this will work as long as there's no way to remotely interrogate the device for its serial number without entering the password first and as long as the user never has to give his serial number to anyone for any reason: If he does, he can be "social engineered" into providing it to an adversary.

      If the goal is to make it so you can't use the device if you steal it, this will be a fail as most devices have the serial number printed on the physical device.

      • by tap ( 18562 )

        It's not so easy as that. Serial numbers aren't completely random, but usually have some kind of pattern. Like being sequential.

        So even if you can't query the serial number, you can still make educated guesses about what it might be. Also many times devices don't get shuffled into random containers on their way from the factory to a distributor to an end customer. So if an organization buys a crate of routers, there's a good chance they'll get SN X, X+1, X+2, etc. So knowing one device's serial number

        • by AHuxley ( 892839 )
          Re "Serial numbers aren't completely random"...
          Don't use the "Serial numbers"
          A random user name, a random long password per device.
          A better font can be selected to make sure zero and an alphabet O are not the same.
          Do the math on just how random two lines of 20 letters and numerals can be... per user. With common symbols.
          20 "random" letters and numerals for the user name. With common symbols. Used once...
          20 letters and numerals with common symbols for the password used once for the user name.
          ie l
        • That could happen even if purchases are staggered. I've bought devices years after my initial purchase where I've had serial numbers that fall in line with the serial numbers from my original purchase. It's not a commissioned device so it makes me wonder if this is just a function of bad inventory management on the vendor's part or we're one of the few customers for the devices.

          As for a real life example of serial numbers being exploited, it was done in World War II by allied forces. They recorded the seria

      • by rtb61 ( 674572 )

        Passwords are bad for noobs, they always will be, they just do not really get it. Do it in hardware, simply provide a usb security access port, to transfer the access password from the device to the device that will connect to the device. For noobs, connect usb device to IoT device, get really, really complex password, connect USB device to phone etc. and the software will upload the password and delete it from the USB device. To connect another device, plug USB back in and repeat. To reset really complex p

      • by AHuxley ( 892839 )
        It does work. A few consumer products ship with unique names and passwords in the box for the user to enter.
        The trick has been not to allow admin/admin as a default generation after generation for decades again ....
    • by AK Marc ( 707885 )
      And that's perfect. Even if one were to know the schema, you'd still need millions of tries for popular devices, rather than the current model of scanning everything and trying the default and getting in first time.
      • Provided, of course, that the login banner doesn't state the device's serial number.

        • by AHuxley ( 892839 )
          Re "Provided, of course, that the login banner doesn't state the device's serial number."
          A sticker inside the box for that user. A unique name and password printed out just for that device.
          • That, of course, is the smart way to do it. If only we could be sure that they all would do it that way. These are the people who decided that default passwords were a good idea in the first place, after all.

            • by AHuxley ( 892839 )
              Re "These are the people who decided that default passwords were a good idea in the first place, after all."
              That could have been a factory limitation in the past.
              Now the cost of setting a long random code as a user name and password per device and printing the result onto every device is lower.
      • by AmiMoJo ( 196126 )

        Unfortunately they often use the MAC address as the basis for the password.

    • Perfect. Providing that the header sent to the client doesn't include its serial number.

      The intent here is not to be resistant to local attack. Only remote.

    • by tap ( 18562 )

      You're not serious, but this is really what gets done.

      A certain popular cable modem/DVR was going to make the *WiFi password* based on the MAC address of the device. Every device using the same password was insecure. The passwords weren't the same this way, so it's ok. There would be some algorithm, that no one could ever guess or reverse engineer, that would convert the MAC to a password. I think I managed to kill that plan.

      While it would be more secure to give each device a totally random initial pass

    • Device serial number #0000000001: password0000000001

      Don't be silly - it will be the last 8 digits of the md5 hash* of the serial number - because that's like totally secure :-)

      (* I was going to say rot13 but it doesn't encode numbers... So much for not spoiling Lost...)

      Or give every unit the password 'ZxN#4bp!Q' and print it on a sticker using a dot-matrix style font, and hope nobody compares notes...

      Let's just hope the actual legislation is written by someone with half a clue and is a bit more detailed than the soundbite...

    • Computers are too good at figuring that out. A script kiddie will do it fairly fast.

      Something like this would be much harder (serials more random, passwords longer):

      Serial 3gt.28vbn4.32poq.e25 Password: Device3About7Have#Shaming1Publish
      Serial yu4:6icvq:295t:265aa Password: 5They&Browse-Our0Showing@Abuse
      Serial utt-35opi-8bn12-goqy Password: !Registration9User(Take2Manufactures
      Serial r902#c520cv#51#bsp Password: Kind$Nobody6Promoting2More%Join
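The subthread above compares several ways of making a "unique" default credential: a fixed prefix plus the serial number, some function of the MAC address (the cable-modem story), the last digits of an MD5 of the serial, and a long random string printed on a label with a font that keeps 0 and O apart. The Python below is an added example, not code from any commenter or from a real device vendor. It models the three schemes and, for each, states how many bits an attacker actually has to guess: a deterministic derivation (hash or otherwise) cannot contain more entropy than its input, whereas a per-unit string from the OS CSPRNG carries the full width of its alphabet. The 64-symbol alphabet, the 20-symbol length and the one-million unit count are constructed assumptions.

```python
import hashlib
import math
import secrets

# Constructed label alphabet: 64 symbols with the glyph pairs that are easy to
# misread on a printed sticker (0/O, 1/l/I) removed. 64 symbols = 6 bits each.
ALPHABET = (
    "ABCDEFGHJKLMNPQRSTUVWXYZ"   # no I, no O
    "abcdefghjkmnpqrstuvwxyz"    # no i, l, o
    "23456789"                   # no 0, 1
    "#$%&*+=?@"
)


def generate_credential(length=20):
    """Per-unit credential drawn from the OS CSPRNG at manufacturing time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing entropy of `length` independent, uniformly chosen symbols."""
    return length * math.log2(alphabet_size)


def serial_suffix_password(serial):
    """The scheme mocked in the parent post: a fixed prefix plus the serial."""
    return "password" + serial


def mac_derived_password(mac):
    """The cable-modem idea: a 'secret' function of the MAC (here MD5, 8 hex digits).
    The output looks random, but it is a pure function of a 48-bit public input."""
    return hashlib.md5(mac.lower().encode()).hexdigest()[-8:]


def effective_entropy(scheme, **kw):
    """Bits an attacker must actually guess for each scheme. A deterministic
    derivation cannot add entropy beyond its input, however clever the function."""
    if scheme == "serial":
        # Sequential serials: the search space is about the number of units shipped.
        return math.log2(kw["units_shipped"])
    if scheme == "mac":
        # The 3-byte OUI is public per vendor; only the low 24 bits vary per unit.
        return 24.0
    if scheme == "random":
        return entropy_bits(kw["length"], len(ALPHABET))
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed sample values, not real devices.
    print(serial_suffix_password("0000000001"))
    print(mac_derived_password("00:11:22:33:44:55"))
    print(generate_credential())
    for scheme, kw in (("serial", {"units_shipped": 1_000_000}),
                       ("mac", {}),
                       ("random", {"length": 20})):
        print(f"{scheme:7s} {effective_entropy(scheme, **kw):6.1f} bits")
```

The numbers are the whole argument: a million sequential serials are under 20 bits, a MAC-derived password is 24 bits no matter how it is hashed, and twenty symbols from a 64-symbol alphabet are 120 bits. Printing the random credential on the unit (and, as several posters suggest, on a card in the box) moves the problem from guessing to physical possession, which is the only threat a default credential can sensibly be expected to resist.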

    • Laws in Europe tend to be interpreted according to the law's intention rather than its precise wording.
  • by Anonymous Coward

    ... These measures will mean all the passwords pre-programmed in internet-connected devices must be unique and not re-settable to any universal factory setting...

    This just means they will be bricks because the average consumer will not remember passwords...

    • This just means they will be bricks because the average consumer will not remember passwords...

      The average consumer needs the password exactly once, when they first plug it in to set it up, and then will not need it again unless the device stops working for some reason.

    • by Anonymous Coward

      Not necessarily. The device could have a hardware factory reset that puts it into a mode where it does nothing but ask for a new, secure password. Whether or not that's legal depends on how the law is crafted, but as an example my modem/router has no way to set the password except via a web interface. I can't believe that a compliant router would require a separate non-network interface just for the purpose of setting the password. A sensible way to implement this is for the router not to pass any packe

    • by cusco ( 717999 )

      Axis security cameras mostly took care of this issue a decade ago. When you unbox an Axis camera and plug it in the username/password is root/pass. **BUT** you are required to provide a new password before you can do anything else with the device. You can't even configure the IP address until you change the password. If you use the reset button to set it back to factory default you're right back where you were, needing to provide a new password before you can do anything.

      Unfortunately installers tend no

      • Unfortunately installers tend not to be that bright, so a lot of them change to a good password and then change it back to root/root.

        No reason the device can't enforce passwords with reasonable minimum character types and counts, the way many computer programs and websites do. I think that minor modification to the scheme you described would pretty much take care of the problem.

    • At what point do we simply let natural selection do its job?

      One *can't possibly be this fuckin lazy and stupid!* Let alone demand being able to!
      Seriously, why do you enable such behavior?
      They are homo sapiens! With the right food, parenting and education, they can all find ways to keep a password without remembering before the age of four! Even many mentally disabled kids!
      As grown people, doing things like calculus, programming, building a bookshelf or a brick wall, crocheting a sweater, growing a plant, ge

    • I think a reasonable balance of improved security and convenience would be to allow a default password iff the device cannot assign/accept a default gateway/route when the current password matches the default password (and have first-time setup prompt/require changing of the password).

      Sure, this would allow lateral movement in a subnet that already has compromised devices, but if all devices did this, compromising one would be less likely.

    • by ceoyoyo ( 59147 )

      Sure. Just like every wireless access point made in the last ten years. They use unique device passwords. Bricks, all of them.

  • Recently from the Guardian:
    https://www.theguardian.com/te... [theguardian.com]

    It's hard to carry water if someone can pull the cork from the hole in your bucket.

    At least the Russian government's state seal has a 2-headed eagle, so we know it's talking out both sides of its mouth.

  • Be careful here (Score:3, Interesting)

    by davidwr ( 791652 ) on Wednesday January 29, 2020 @05:47PM (#59669046) Homepage Journal

    not resettable to any universal factory setting.

    You generally DO want someone with physical access to be able to reset a device to a "factory state."*

    That said, it is fair to require that any "factory set password" be changed before the device can do its network functions. For example, a smart thermostat would come "out of the box" with only "on the console-control" and "bluetooth-control" enabled until you set a password. If you did a factory reset, it would revert to that limited functionality until you changed the password.

    * Obvious exceptions for high-theft items like phones, where you want to deter theft by remote-wiping it, remote-bricking it, and/or remote-tracking it if it is stolen, without giving the thief a chance to disable these features.

    • by AK Marc ( 707885 )
      My device that comes with the password D$423fqa# can be factory reset. It factory resets to a password of D$423fqa#, not resetting back to admin/admin, as some would do to make remote admin easier, but also make it so the first step of many would be to factory reset it and leave it at default.
    • by AHuxley ( 892839 )
      re "You generally DO want someone with physical access to be able to reset a device to a "factory state.""
      If the "factory state." was one of one and printed under the device..
      20 "random" letters and numerals for the username/password. With common symbols. Used once per device/user/password/username.
      A font to make sure zero and an alphabet O are not the same.
      Out of the box:
      The password is random and long. With symbols..
      The user name is random and long. With symbols..
      A factory reset on the physical
    • Definitely. Factory reset is something that is simply better. Over time the default pw on the device might become hard to read or something.

      I agree 100% that a default pw should definitely be allowed, but you are forced to change it on first login. Also the device should operate in a reduced state until that login is done.

      For example, if you purchase an IP camera. It should NOT transmit any images until you login. Of course when you login, you can use the factory default... and then you are for

    • by shabble ( 90296 )

      not resettable to any universal factory setting.

      You generally DO want someone with physical access to be able to reset a device to a "factory state."*

      The relevant word in the bit you quoted is "universal" - they're not disallowing factory resets, they're disallowing that reset to set the password to the same thing on all devices.
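Several posts in this part of the thread describe the same device behaviour from different angles: cusco's Axis cameras that refuse to do anything until the factory password is replaced, the reply proposing a minimum character policy so installers cannot set it back to root/root, the suggestion that a device should not take a default route while its password is still the default, davidwr's thermostat that reverts to console-only control after a factory reset, AK Marc's unit that resets to its own printed credential rather than admin/admin, and shabble's reading of "universal". The Python below is an added example of a device state machine that does all of that; it is not code from any commenter or from Axis or any other vendor. The deny-list, the 12-character minimum and the label value are constructed.

```python
import secrets
from enum import Enum

# Constructed deny-list of the universal defaults the thread complains about.
BANNED = {"admin", "root", "pass", "password", "12345", "123456", "gizmotech"}
MIN_LENGTH = 12   # constructed minimum


class State(Enum):
    PROVISIONING = "provisioning"   # console / link-local only, no network functions
    OPERATIONAL = "operational"


def acceptable_new_password(candidate, label_credential):
    """Minimal policy: not the label credential, not a universal default,
    long enough, and at least three character classes."""
    if candidate == label_credential:
        return False, "must differ from the label credential"
    if candidate.lower() in BANNED:
        return False, "universal default rejected"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    classes = sum((
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ))
    if classes < 3:
        return False, "needs three of upper/lower/digit/symbol"
    return True, "ok"


class Device:
    """Toy model of a camera or router that ships with one unique label credential."""

    def __init__(self, label_credential):
        self._label_credential = label_credential   # printed on this unit only
        self._password = None
        self.state = None
        self.factory_reset()

    def factory_reset(self):
        """Physical-access reset: back to *this unit's* label credential and to the
        limited provisioning state, never to a universal admin/admin."""
        self._password = self._label_credential
        self.state = State.PROVISIONING

    def login(self, password):
        return secrets.compare_digest(password, self._password)

    def network_allowed(self):
        """Forwarding, streaming and the default route exist only once provisioned."""
        return self.state is State.OPERATIONAL

    def set_password(self, current, new):
        """Password change is the one thing allowed before provisioning completes;
        the same policy applies later, so an installer cannot revert to root/root."""
        if not self.login(current):
            return False, "authentication failed"
        ok, why = acceptable_new_password(new, self._label_credential)
        if not ok:
            return False, why
        self._password = new
        self.state = State.OPERATIONAL
        return True, "ok"


if __name__ == "__main__":
    cam = Device("D$423fqa#Wq7Lm")   # constructed label value, extended from the thread's example
    print(cam.state, cam.network_allowed())
    print(cam.set_password("D$423fqa#Wq7Lm", "root"))              # rejected
    print(cam.set_password("D$423fqa#Wq7Lm", "Correct-Horse-9x"))  # accepted
    print(cam.state, cam.network_allowed())
    cam.factory_reset()
    print(cam.login("D$423fqa#Wq7Lm"), cam.network_allowed())
```

The two properties worth checking in a real product are the ones the tests below exercise: nothing that needs the network works while the credential is still the label one, and a factory reset lands on the unit's own credential in the restricted state, not on a value shared with every other unit.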

  • Because manufacturers have been too stupid to do so? Though I'm surprised that any government has figured this out. Perhaps there is still hope.
  • Try your company copy machine:
    admin \ admin
    admin \ "no password"
    administrator \ admin
    etc.
    Then skim the local address book or scrape the assets network info. There's probably a no password needed SMTP relay email address in there somewhere.

  • by JustAnotherOldGuy ( 4145623 ) on Wednesday January 29, 2020 @06:26PM (#59669198) Journal

    A small, mostly useless step in securing the Internet Of Targets.

    Most people will put in '12345' and call it a day. You know it, I know it, the makers of IoT junk know it, and most importantly, the hackers/crackers/scammers know it.

    (Use 123456 to be really safe. Or use your birthday, no one will ever guess that.)

    • Most people will put in '12345' and call it a day.

      Only the college-educated ones. Most people will leave the password set to the factory default of 'gizmotech' which anyone can find by Googling "default password for GizmoTech 500". That's the problem.

    • Aka when creating a password, you check it against simple patterns (repetitions, successions, reversals, visual patterns, total amount of bits [counting in UTF-8 bytes]), any address books / user info, and a large dictionary.

      Why is that not standard for decades anyway?
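The post above lists the checks a device should run on a user-chosen password: repetitions, successions, reversals, visual (keyboard) patterns, total size counted in UTF-8 bytes, account/user information and a dictionary. The Python below is an added example of such a checker, not code from the commenter or from any product. The word list, keyboard rows and the 96-bit threshold are small constructed stand-ins for the large dictionary and real account details a shipping device would use.

```python
# Constructed stand-ins: a real device would ship a large word list and read
# the account's actual details (user name, e-mail, device name) at setup time.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "gizmotech", "monkey", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_BITS = 96            # 12 bytes of UTF-8, counted the way the post suggests


def has_repetition(pw, n=3):
    """Same character n times in a row ('aaa', '111')."""
    return any(pw[i:i + n] == pw[i] * n for i in range(len(pw) - n + 1))


def has_succession(pw, n=4):
    """n characters stepping +1 or -1 in code point ('1234', 'dcba')."""
    for i in range(len(pw) - n + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw, n=4):
    """A visual pattern: n adjacent keys from one row, in either direction."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def dictionary_hit(pw):
    """First word-list match, forward or reversed, anywhere in the password."""
    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low or word[::-1] in low:
            return word
    return None


def check_password(pw, user_info=()):
    """Return the list of policy problems; an empty list means acceptable."""
    problems = []
    if len(pw.encode("utf-8")) * 8 < MIN_BITS:
        problems.append(f"fewer than {MIN_BITS} bits of UTF-8")
    if has_repetition(pw):
        problems.append("repeated character run")
    if has_succession(pw):
        problems.append("ascending/descending sequence")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk")
    word = dictionary_hit(pw)
    if word:
        problems.append(f"dictionary word '{word}' (forward or reversed)")
    low = pw.lower()
    if any(item and item.lower() in low for item in user_info):
        problems.append("contains account/user info")
    return problems


def is_acceptable(pw, user_info=()):
    return not check_password(pw, user_info)


if __name__ == "__main__":
    # Constructed candidates and a constructed user name.
    for pw in ("aaa12345", "drowssap1!Xy", "alice2019XyZ!", "Tr0ub4dor&3X-9q"):
        print(f"{pw!r:20s} {check_password(pw, user_info=('alice',))}")
```

Returning the list of reasons rather than a bare yes/no is deliberate: the setup page can tell the user which rule they tripped, and the same function can be run over an existing credential store during an audit to find accounts that predate the policy.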

  • by cnaumann ( 466328 ) on Wednesday January 29, 2020 @07:01PM (#59669344)

    If food products can be "gluten free" or "MSG free", can I find household products that are guaranteed "IoT free" or "DRM free"? I would really like a coffee maker that did not check to make sure I am using approved coffee and a refrigerator that continued to make ice even if I did use a non-approved filter. Why would I trust a manufacturer to make an IoT device that actually benefited me, the consumer?

    And get off my lawn!

    • > And get off my lawn!

      Hey, I'm old too.

      It sounds like you're talking more about "DRM free", and I agree with you there. But for an IoT capable appliance, wouldn't it be sufficient to simply not supply the appliance with your wifi password? At least, the appliance would have to work for it.

      Checking... Found ssid "monkeyhouse" at five bars. Trying... Using WPA2+AES discarding

      Found ssid "doggiestyle" at three bars. Trying... Using WPA+TKIP discarding

      Found ssid "getoffmylawn" at one bar. Trying... U

    • Other than gluten (the vast majority of people), MSG causing negative effects like a headache has been well-established science for a long time.
      Apart from being pointless too. It is only added, to rip people off, by including less of the actual flavorful ingredients. Which, frankly, is fraud, and hence a crime, and in any sane state must result in the equivalent to prison.

      • Other than gluten (the vast majority of people), MSG causing negative effects like a headache has been well-established science for a long time.
        Apart from being pointless too. It is only added, to rip people off, by including less of the actual flavorful ingredients. Which, frankly, is fraud, and hence a crime, and in any sane state must result in the equivalent to prison.

        Many chefs use Maggi sauce in a lot of things, as do I. It is basically MSG and adds umami to dishes the same way you would use salt or sugar to add sweetness or saltiness. Certainly there is plenty of food with way too much sugar or salt, but I don't think that means any cooks that use them are ripping you off. They are kind of basic actually.

        https://en.wikipedia.org/wiki/... [wikipedia.org]

  • German politicians have been spouting that for quite a while, yet it seems Germany falls farther and farther behind in the digital space. Seems the UK is having problems keeping up too....

    This is the "Big Lie" technique at work.

    • by jrumney ( 197329 )

      Germany already has the protection of EU standard TS 103 645, as did the UK until the day after this article came out.

  • by Snotnose ( 212196 ) on Wednesday January 29, 2020 @08:54PM (#59669638)
    Easily guessed default passwords are the problem. In the past few years the devices I've bought (granted, they cost more than $5 + 2 boxtops) have had unique labels with what I hope are unique passwords. I've changed them all, but I'm guessing a password based on a unique serial number assigned to my device isn't a problem, notwithstanding it's a "default password".
  • by Retired ICS ( 6159680 ) on Thursday January 30, 2020 @01:10AM (#59670064)

    While we are at it why not mandate the following, with a death penalty levied on the CEO of the company making a device that is non-compliant.

    1. Require complete documentation of ALL network accessible APIs.
    2. Require that the device will function WITHOUT access to the Internet.
    3. Require that Internet access can be turned off, and that is the default.
    4. Require the ability to have network ACLs (inbound and outbound) on the device, with the default permitting access only to/from the same subnet as is assigned to the device's network interface.

    My OPPO BluRay player, Sharp TV, and Yamaha Amp all comply with these requirements.

    These would be far more useful requirements than simply requiring silly passwords.
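Requirements 3 and 4 in the post above (Internet access off by default; inbound and outbound ACLs whose default permits only the device's own subnet) can be written down as one small default-deny policy. The Python below is an added example of such a policy evaluator, not code from the commenter or from the OPPO, Sharp or Yamaha products named. The interface address, the rule syntax and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" (peer -> device) or "out" (device -> peer)
    peer: ipaddress.IPv4Network     # remote network the rule covers
    action: str                     # "allow" or "deny"


class DeviceAcl:
    """Default-deny host ACL: same-subnet traffic is allowed out of the box,
    the Internet is off until the owner turns it on, everything else needs a rule."""

    def __init__(self, interface_cidr, internet_access=False):
        iface = ipaddress.ip_interface(interface_cidr)   # e.g. "192.168.1.20/24"
        self.local_net = iface.network
        self.internet_access = internet_access           # requirement 3: off by default
        self.rules = []                                  # owner-added, first match wins

    def add_rule(self, direction, peer_cidr, action):
        if direction not in ("in", "out") or action not in ("allow", "deny"):
            raise ValueError("direction must be in/out, action allow/deny")
        self.rules.append(Rule(direction, ipaddress.ip_network(peer_cidr), action))

    def decide(self, direction, peer_ip):
        """Return 'allow' or 'deny' for one flow between the device and peer_ip."""
        peer = ipaddress.ip_address(peer_ip)
        for rule in self.rules:
            if rule.direction == direction and peer in rule.peer:
                return rule.action
        if peer in self.local_net:                   # requirement 4 default: own subnet only
            return "allow"
        if self.internet_access and peer.is_global:  # only once the owner opted in
            return "allow"
        return "deny"                                # default deny for everything else


if __name__ == "__main__":
    acl = DeviceAcl("192.168.1.20/24")
    # Constructed sample flows: (direction, peer address)
    for flow in (("out", "192.168.1.1"), ("out", "8.8.8.8"), ("in", "10.0.0.5")):
        print(flow, acl.decide(*flow))
    acl.internet_access = True
    acl.add_rule("in", "10.0.0.0/8", "allow")
    for flow in (("out", "8.8.8.8"), ("in", "10.0.0.5")):
        print(flow, acl.decide(*flow))
```

Note that enabling Internet access only opens globally routable addresses: a second private subnet in the same building still needs an explicit rule, which is the behaviour the post's requirement 4 asks for, and an appliance that can only talk to its own subnet until told otherwise cannot join a Mirai-style botnet on day one.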

    • > 2. Require that the device will function WITHOUT access to the Internet.

      I look forward to my new magic router.

  • any of this IoT crap/shit no default password or not.
    Anything that needs to 'phone home' to some server somewhere outside my firewall is not coming into my home.
    I don't run any MS OS (or any MS Software for that matter).

    You are at the mercy of the server operator. If they pull the plug, you are left with even more Electronic Landfill (or Recycling). This is planned obsolescence gone mad.
    Just look at what Sonos is doing.

  • "Our aim is to make the UK the world's leading digital economy" https://www.speedtest.net/glob... [speedtest.net] At 45th, UK is beaten on speed by the likes of Slovakia, Qatar, Latvia etc.
  • > Our aim is to make the UK the world's leading digital economy. ...and yet, they brought in IR35. Then, realising it was a complex can of worms, found it hard to enforce. Instead of fixing the mistake, they've doubled down on it to release IR35 "chapter 10" which isn't even law yet but is responsible for sending thousands of tech jobs overseas. For those of us left, it'll stop us working flexibly, thus reducing businesses' ability to compete.

    But back on topic...

    This all sounds great, but good luck getting

    • by bn-7bc ( 909819 )
      Well, Amazon has a presence in the UK, so they might be able to punish that for non-compliance if that device gets used in a DDoS.
  • The UK is too small a market to persuade major manufacturers to change their most efficient manufacturing practices. So, no-one will comply.

    Now, if we were part of a trading block of over 500 million first world customers, we might have the ability to make this argument and get it to stick. But we've slashed that throat open, and now the vultures are going to gather and shit in our throat while ripping out our livers.
