Huge Fines and a Ban on Default Passwords in New UK Law (bbc.com) 110
The government has introduced new legislation to protect smart devices in people's homes from being hacked. From a report: Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week. Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines. One expert said that it was an important "first step". Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.
In 2017, for example, hackers stole data from a US casino via an internet-connected fish tank. There have also been reports of people accessing home webcams and speaking to family members. And poor security on a home wi-fi router could have been behind the uploading of illegal child abuse images from a home network that led to police accusing an innocent couple of the crime. While there are strict rules about protecting people from physical harm -- such as overheating, sharp components or electric shocks -- there are no such rules for cyber-breaches.
In 2017, for example, hackers stole data from a US casino via an internet-connected fish tank. There have also been reports of people accessing home webcams and speaking to family members. And poor security on a home wi-fi router could have been behind the uploading of illegal child abuse images from a home network that led to police accusing an innocent couple of the crime. While there are strict rules about protecting people from physical harm -- such as overheating, sharp components or electric shocks -- there are no such rules for cyber-breaches.
About time (Score:2)
Default password bans aren't enough though. There should be a study on all the most common methods to backdoor IoT devices remotely. Wide-open ports, etc. Stuff users can't fix on their own.
Re:About time (Score:5, Insightful)
Sure, it's not perfect, but even a sticker on the back with a randomly generated password would be a massive upgrade from the current status quo which is every device has the same login and password.
We know that physical access means you most likely own the device. No reason not to slap a label on the back with a unique login/password. Even that is a huge step up from admin/admin.
Sure, a TON more could be done, but even the most minor of security improvements is welcome given the current state of IoT devices.
Re: (Score:2, Funny)
> Even that is a huge step up from admin/admin.
Thanks a lot... now I have to change my password... dick.
Re: About time (Score:3)
Re: (Score:2)
a sticker on the back with a randomly generated password would be a massive upgrade from the current status quo
That's probably part of why it will not happen, and also too inconvenient/difficult for consumers... I predict a shift to passwordless web interfaces. Instead of having a Default Password, there be no authentication by default - just a web address you enter, then you're logged in (Can't use a default password, so don't prompt for login), and if the user wants passworded protection to the ad
Re: (Score:2)
How will that stop people from accessing your IoT webcam or from turning your heating system on?
Re: (Score:2)
That's the whole fucking point of the post, this pants on head stupid law will make things worse.
printing unique username / password labels will cost quite a bit more, production will slow down because you can't just image a device with a generic image since you have to have the user / password matched to the label, and costs to the consumer will skyrocket.
OR you just ship the damn thing flashed with a passwordless image because you can't have a default password. Gee, wonder which option is cheaper so compa
Re: (Score:2)
printing unique username / password labels will cost quite a bit more, production will slow down because you can't just image a device with a generic image since you have to have the user / password matched to the label, and costs to the consumer will skyrocket.
Baloney. It's already happening and has been happening for years. I haven't seen a wireless router sold, in years, that didn't have a randomized SSID and password.
Re: (Score:2)
printing unique username / password labels will cost quite a bit more
Yes, much more than printing the serial number on it. Right?
Re: (Score:2)
a sticker on the back with a randomly generated password would be a massive upgrade from the current status quo
That's probably part of why it will not happen, and also too inconvenient/difficult for consumers...
Linksys, Netgear, etc, have had randomized wireless passwords for years. If you can't connect to the router, you can't mess with it. Block admin access from the WAN port and you've probably eliminated the majority of drive-by attacks.
Re: About time (Score:1)
Re: (Score:2)
would be a massive upgrade from the current status quo which is every device has the same login and password.
I'm genuinely curious what gear you're getting here. Precisely ZERO of the gear I have bought in close to 10 years has had a common login/password. Sure some of them had something stupid, like the MAC address as a password, but it doesn't matter if we're talking about Cisco, UPC, Netgear, Amazon, or IoT shit from China. Even my crappy Foscam came with the aforementioned MAC address as the default password.
And the last time I had a hard coded password in something (I think it was a DSL modem a decade ago) it
Re: (Score:2)
Until very recently all the BMC's on servers had default passwords. Now they are all random which is a pain in the backside as the first thing that happens is they get changed, but now I have to try and take in in focus picture of some silly pull out tag in a dark rack before retreating from the data centre. If think that's progress you are deranged.
Re: (Score:2)
Oh interesting. I didn't think of that and you're absolutely right. I did buy something with a default password the past decade: an ASRock Rack motherboard.
Re: (Score:2)
How uncommon is that? Every crappy ISP-provided router I've set up for family and neighbours has exactly that, a sticker on the back with a unique, non-router-related password on it, usually 8-10 alphanumerics.
Which is a right pain because I can no longer borrow my neighbour's WiFi since they get their new router.
Re: (Score:2)
But passwords aren't the problem... (Score:2)
Passwords aren't the problem. I mean yes, this law is good, but it's not addressing the actual problem. The problem is that too many smart devices are touching the internet in the first place. This is because instead of giving you an app to control a device over your LAN, every manufacturer instead wants that device to be controlled by your app talking to the device through their internet servers. Almost no home network decvice should be touching the internet. Remember the firewalls (what they call "ro
Re: (Score:2)
We need the retailers to be held accountable for the devices they sell. This will stop the stupid being stupid
Re: (Score:2)
Alas, preventing stupid is beyond the power of the smart.
Re: But passwords aren't the problem... (Score:2)
Re: (Score:2)
Boycotts are a necessary and useful tool. But greater gains can be achieved by simply not allowing them to get away with conning those who are too stupid or lack the knowledge to avoid buying their junk.
While this is probably an alien way of thinking - and anathema - to a brainwashed American, consumers deserve to be protected from bad products and unethical business practices....without requiring them to be an expert in every detail of those products or businesses. Citizens have a right to expect that th
Re: (Score:2)
Well yes but plenty of people actually want cameras "touching the Internet".
Re: But passwords aren't the problem... (Score:1)
No. People want cameras that can be accessed remotely. There's a difference. No home device should be streaming its data through a remote server to access, especially cameras. The lowest common denominator employee with that company now has free access to your stream.
No, this is what VPNs are for. Every firewall/router made has the capability. They need to be made easier to set up, and with a common API. Buy a router, register your phone with it with a QR code on the device. Then buy a camera, its a
Re: (Score:2)
And if they want slices of video to be stored "in the cloud"? In case whatever local storage they have fails or overflows?
Not what I would want personally (I own no smart devices), but we are talking about average consumers. Not well-informed consumers.
Also insecure services (Score:1)
Re: (Score:2)
Re: (Score:3)
Cars are not a good analogy, because in most countries you need to study and pass a test to get a driver license.
For the Internet, any idiot can connect anything and do basically any stupid shit without understanding any of it. You are basically asking for a "Computers/Internet License".
Re: (Score:2)
How about you ban stupid users from using products they don't understand? It's like saying "all cars need to be idiotproof".
Before calling users stupid remember you were as dumb as a box of rocks once too.
Re: (Score:2)
No, the box of rocks was smarter.
Re: About time (Score:2)
Re: (Score:2)
People are not stupid because they are ignorant. People are stupid when they choose to remain in that state.
Re: (Score:2)
Absolutely correct.
After working as a programmer/IT support for 30+ years and showing my mother for all these years how to use computers etc she still acts dumb and stupid. She has had a computer for 19 years at home, a computer at her work place for 15 years, a mobile phone for 20 years and a tablet for 7 years and she still does not understand ANYTHING and still keeps ringing me to ask for help like how do I turn my mobile on! or how do I shut windows down! or I have got an email how long do I leave it be
Re: (Score:2)
It will probably be cheaper to just withdraw from the UK's police state market than to deal with the support nightmare that will be coming if that bullshit becomes law.
Sounds like a great opportunity for anybody who makes products that are easy to use.
Re: (Score:2)
An American, because Americans are brainwashed into believing with religious fervour that "caveat emptor" is a legitimate business model, and not a warning against scumbag business practices.
The same brainwashing also teaches them that:
- shonky businessmen and con-men are geniuses who deserve the rewards of their success.
- anyone who gets conned by a conman is a moral failure who deserv
Re: (Score:2)
Many IoT devices have passwords you can't change/get rid of and other backdoors you can't fix short of leaving the thing on its own untrusted subnet. That's the real problem.
This changes nothing (Score:5, Interesting)
Re: This changes nothing (Score:2)
Certainly, but thatâ(TM)s no longer the manufactureâ(TM)s fault. Itâ(TM)s like a padlock manufacturer canâ(TM)t be held responsible if someone stuck the key to a padlock, so they wouldnâ(TM)t lose it.
Many wifi manufacturers are already defining unique passwords, with different approaches. Some are based on the serial number, others are based on one that has been printed on a removable label. At least this is the case for consumer grade ones. I am not sure what is the case for busine
Re: (Score:2)
Isn't "business level" supposed to be a higher level of both education and responsibility, anyway?
Re: (Score:2)
I thought it was the same hardware as the consumer version, but with a different colour for the plastic shell, "Pro" added at the end of the product name and of course a higher sticker price.
Re: (Score:1)
It usually is the same hardware. But the enterprise grade comes with:
- defined response time
- defined replacement time
- longer warranty
Consumers get the B rated call center in India and have to return it to the same retail store for warranty.
Re: (Score:2)
Realize that "professional" only means "doing it for money" anymore. It has lost any connotation to a level of quality or skill.
Re: (Score:2)
Enterprise level hardware usually lets the first person in - because in a business, you usually set it up on a desk to configure it before putting it int he rack. So the first person in gets admin rights. Bu
Re: (Score:2)
Banning default passwords means that device buyers will be responsible for setting the passwords to 123456 instead of the manufacturer, that's all.
Amusing, but the easiest way to delete default passwords is to have each device have a random preset password and a printed slip of paper in the package saying what it is.
Re: (Score:2)
Argh... no! Then you lose the paper slip and you lose your device since even a "reset to factory settings" button shouldn't then be allowed to reset to a default password!
Have a specific really random password printed on the back of the device itself, which can be changed. The "reset to factory settings" button would then reset to that password.
In the end, all customers are going to pay for this although anyway since it is going to be an additional step in the production of each device so maybe the money wo
Re: (Score:2)
Heck, why not make it illegal to keep your devices with a default password and fine stupid customers that do instead?
Cue customers claiming they DID change the password, being doubted and fined, then we find out the device had a bad habit of resetting to factory periodically.
Re:This changes nothing (Score:4, Insightful)
Not really. Most device makers will just have a random generated string printed on the device to be used as the permanent fallback reset password. More sophisticated devices can have a QR code and app to configure the device. There are hundreds of ways to make it user friendly and secure without making the devices expensive and without danger of bricking if the user forgets the password.
Re: (Score:2)
No, device makers won't want users setting passwords, it will only increase their support calls when people call because they forgot their password. One of many possible solutions is that each device should have a unique random password printed on it like a serial number (and on the inside) that it can be reset back to.
Re: (Score:3)
Banning default passwords means that device buyers will be responsible for setting the passwords to 123456 instead of the manufacturer, that's all.
Why would a lazy user do that, when they can just leave the password the same as what the sticker on the back of the device says?
Re: (Score:2)
Those passwords like "password" and "12345" could be solved by checking the password for strength automatically on the device, and if it's not strong enough rejecting it.
However, this is wishful thinking, as the manufacturers wish to accommodate idiots.
Re: (Score:2)
And exacty which of the 10,000 brain dead password checking algorithms should they use ?
9 letters, 3 punctuation characters and 2 digits ? 6 letters, 5 punctuation, 4 digits ? 5 English characters, 2 Norwegian, 1 Kanji, 2 digits ?
Every manufacturer will have a different specification and all they will do is cause users to constantly forget their passwords.
The only sensible check should be that the password is of a minimum length - i.e. ye olde "CorrectHorseBatteryStapler" issue https://xkcd.com/936/ [xkcd.com]
Re: (Score:2)
Unlikely, and besides California has already banned default passwords which means that it makes little practical difference.
Of more interest is the fact that manufactures have to display how long the device is going to be supported for security updates. Personally I would like to see a mandated minimum of a decent amount of time. Frankly 10 years would be reasonable. However due to Brexit that is not feasible, it's something the E.U. could mandate though.
Re: This changes nothing (Score:2)
California at least allowed a default password so long as it has to change on first use, a lot of local managed devices picked that approach to allow it departments to locally manage their new gear.
Discussions on how to deal with this? Devices will now mandate internet connection to force customers to use our new cloud portal. The password law is held up as proof that cloud managed is the only secure way to go, and, coincidentally, we will be charging for cloud management and execs have been excitedly talk
Re: (Score:1)
Can we please have this everywhere? (Score:5, Insightful)
It's such a no-brainer. Have a per-device default password, generated randomly for each device. Print it on the case label and on another label inside the case (or etched onto the mainboard or EEPROM) for redundancy.
Re:Can we please have this everywhere? (Score:5, Interesting)
What would be nice is an e-ink screen on devices. When the device is hard reset, the e-ink screen displays the newly generated password, and once the PW is changed, the e-ink screen is blanked out until the device is reset again, or it needs to display an error code. This way, there is a highly idiot resistant way to ensure the device has a unique password, and can be easily found.
Blink the password on the power LED (Score:3)
e-ink displays aren't cheap, and require a hole in the case. I worked for decades in consumer electronics, and they fight over penny-cost devices and every hole.
Maybe instead, blink the power or status LED in some universal pattern (... --- ...). And then on top of that, modulate a faster pattern that can be captured by a mobile phone app using its camera. If it's a standard encoding (similar to how QR codes are an open standard), then you can use an open-source reader.
OLED displays $1 in singles, LCD 15 cents (Score:4, Informative)
Small OLED displays are cheap. In singles, you can get them for a dollar. Buy 10,000 and they'll be what, ten cents each?
https://m.aliexpress.com/item/... [aliexpress.com]
LCD displays like you have on a pocket calculator are 15 cents in small quantities. I'm guessing maybe three cents in quantity.
An OLED makes the product LOOK more premium and probably adds at least a couple dollars to the price people are willing to pay.
Re: (Score:2)
The issue is reliability. If 10% of those screens fail in a year or two on your fancy router it could be very expensive to replace them.
Re: (Score:2)
Do you really anticipate that high a failure rate? IME small cheap OLEDs are plenty reliable.
Re: (Score:2)
I'd need to see some hard data. For $1/display they seem unlikely to be fully factory soak tested, and long term they are something of an unknown because all we have are anecdotes.
Re: (Score:2)
Consumer electronics devices only have a one-year warranty. Two years out is the same as the heat death of the universe.
Re: (Score:2)
The cost of an OLED has nothing to do with the cost of the display. Those single dollar displays are precisely the ones which break after just a couple of years. Now don't forget you now need to select a device which can communicate with it (which may not have needed that bus before), you need to design it. You need a flat area for the display to sit (large rectangular electronics, what is this 2009, nothing looks more "premium" than a dated display on your sleek displayless device) you need mechanical desi
Re: (Score:2)
We fought hard over one cent components in things like routers.
There's a reason why all the routers for sale - even the high-end multi-antenna ones - only have blinkenlights.
Yes, I'd like a display. But one thing I learned in decades of engineering for consumer electronics is that engineers are *not* the target market.
Re: (Score:2)
Sorry, not possible. That screen could cost a few cents and nobody pays for that.
Re: Can we please have this everywhere? (Score:1)
Re: (Score:2)
No reason to use e-ink, which you just have to have a light next to anyway. Better to use a tiny OLED, they are very cheap and emit their own light. You can pick them up on eBay for under $2 in qty. 1 on a board with pins sticking out of it so I presume they are under twenty-five cents themselves in quantity. The power use is very small and as you suggest it will be only occasional, the display doesn't need to be powered at all when not in use. It could alternatively do the job of the status LEDs but OLEDs
Re: (Score:2)
What would be nice is an e-ink screen on devices.
You just added $30 to the cost of a $30 piece of electronics.
Re:Can we please have this everywhere? (Score:4, Interesting)
What would even be nicer is a law that guarantees that all devices must function independently of cloud command and control if an owner chooses to sandbox it behind their firewall. Passwords are nearly irrelevant if a homeowner can run the equipment on an island wifi. It is beyond fucking ridiculous that people have to ask permission of servers outside their home and outside of their control to control devices in their home. I am looking at solar equipment and the batteries have a cloud requirement to be able to access them. Why are homeowners not allowed the same ability to lock down power or control equipment just like commercial or industrial entities? It is laughable that homeowners cannot utilize the zero trust model. Passwords are a side show and distraction compared to where things are going if people don't get a brain and demand that zero trust (not even trusting the manufacturer and no cloud requirement) be a possibility with all devices sold. This does not rule out cloud as an option, but it should NEVER be a requirement for anything.
Re: (Score:2)
What would even be nicer is a law that guarantees that all devices must function independently of cloud command and control if an owner chooses to sandbox it behind their firewall.
Or in the case of "increased verbosity of network traffic" [npr.org] for Tesla cars ...
Some Tesla owners experienced a series of server errors on the car maker's app Friday, frustrating motorists who were unable to unlock or start their electric vehicle with their phone.
Tesla vehicles utilize cutting-edge technology, including the ability for users to control their vehicle with their phones. This makes the keys that come with it nearly obsolete — until a server error arises, in which case the keys become quite important.
About five hours later, Musk said the error had been resolved, citing an "increased verbosity of network traffic" as the cause of the outage.
Using your phone and Tesla servers to unlock and/or start your car is, I guess, okay, but *relying* on them and not carrying a key seems, well, dumb.
Re: (Score:3)
It would be better to at least have a secondary channel through bluetooth that doesn't include the Tesla cloud in the transaction.
Re: (Score:2)
This.
Because with 4G/5G there will be numerous times when someone parks their car outside of cellular coverage. What do you do then?
Re: (Score:2)
Teslas still have some key-equivalent physical device that unlocks and operates the car independent of any remote connectivity. The recent drama was because the convenient phone-based alternative meant that people have taken to leaving their keys behind. People's cell phones can fail too, because of being dropped, dunked or low battery. The phone solution is not going to be able to match the reliability of keys even without a requirement for connecting to a central server.
Re: (Score:3)
>Teslas still have some key-equivalent physical device
You get two RFID cards with the car. Those are the default keys and you add your phones to the auth list.
The third and better thing is the key-fob, which you have to buy extra, but it sits on your key ring and the car unlocks as you approach and locks as you walk away. No futzing with cards. This should be the standard supplied with the car but it isn't.
Re: (Score:2)
All well and good. But you still have to carry that RFID card or key fob with you. Because your phone might die or you drove outside of cellular coverage.
I suppose one can discount the failure mode of a dead battery in a Tesla (you're not going anywhere at that point). But I had a friend with a BMW whose battery died. And you can't open the engine compartment to recharge it if you can't get inside the car. Fortunately, the mechanical key was available as a backup (although really stiff due to years of disu
Re: (Score:2)
That's not really my point. The fob is the key. My phone is my phone and I don't need it to drive the car. So it's not really any different to any other car at that point. If the battery in the fob is dead, you can use it like an NFC and still get in. There is a physical way to access the Tesla model 3 12V battery if it's completely dead. I don't know about the S or X or Y. I don't have any of those.
They did a reasonably good job of not locking you out of the car and giving you options to create backups for
Re: (Score:2)
I was amazed that they weren't using Bluetooth alone. What if you park somewhere with no cellular coverage, like deep in a car park or something?
Re: (Score:2)
>I was amazed that they weren't using Bluetooth alone. What if you park somewhere with no cellular coverage, like deep in a car park or something?
It works fine. It sees your phone or card or keyfob and unlocks. The internet is not required.
Re: (Score:2)
So how come people couldn't use their cars when the server was down?
Re: (Score:2)
>So how come people couldn't use their cars when the server was down?
They didn't put the card in their wallet.
My understanding (which may be wrong) is that because the cars did have internet access and the servers were down, they weren't going to play nice with the phone. If they were in a connectivity dessert, I expect it would have worked.
It was a non-event for me because I have the fob. The Bluetooth+card solution is imperfect - phone in low power state - it'll take ages for it to ping the car. App no
Re: (Score:3)
Very much this!^^
The cloud is often a huge vulnerability for a device that has no good reason to depend on the cloud at all. Even in cases where some level of cloud use can be helpful to consumers, I don't see a good reason that should include admin level access.
Re: (Score:2)
Maybe true - but your idea is clearly a trickier problem for the average numptie to understand. Therefore tricker to enact, politically.
Also, the penny is gradually dropping here in the UK that we're not quite the "big deal" we thought we were. Telling manufacturers to do something radically different will just result in them not bothering with the UK any longer. We've been buying from ebay and the likes internationally for years, so it wouldn't be too hard for them to sell to us from Europe.
Now, if Europe
Re: (Score:2)
that all devices must function
Define "function". Remember the reason the cloud was introduced in many cases for these IoT devices is precisely to add "function" to access it. The reason Skype has a central server was to add "function" of being able to make a call thanks to people thinking NAT was a firewall and the world not giving a shit about end to end connectivity.
Your "function" may not "function" at all, especially when that "smart" device's core function is remote access.
Re: (Score:2)
Agreed but with the stipulation that the manufacturer delete any record of that random password.
Re: (Score:2)
Even that can be screwed up. There were some devices a while back where the "random" password was generating by transforming the MAC address, meaning it was essentially broadcast in the clear once the algorithm was discovered.
Re: (Score:2)
Murphy's law etc etc, but it's not actually hard to do this right. Just generate it very randomly, using someone else's random generator so you don't accidentally screw up randomness, since it doesn't at all matter if the passwords are unique so long as they aren't all identical (or nearly so.) Maybe choose a RNG that doesn't even accept a provided seed just to avoid being able to screw that up :D
Re: (Score:2)
PRNGs need a seed from somewhere. Then again a lot of devices have true RNGs in them now, assuming that the developer thinks to use it. For example the RPi has one, but it's not used by default.
More proof (Score:2)
Re: (Score:2)
Re: (Score:2)
In that case take your time Nvidia, Intel, and AMD on getting out our GPUs. Take ALL the time needed. We're in no rush.
Re: (Score:2)
It wouldn't make make much of a difference these days. They can announce and "release" all the GPUs they want, if we don't have any chance of buying one, they might as well not exist.
Simplification vs Complexification (Score:1)
Works for the Amish
Re: Simplification vs Complexification (Score:2)
How else are the fish to order their own meals?
How are they going to collect? (Score:1)
All well and good saying that they're going to fine companies that don't comply, but how exactly are they going to do that?
It's not as if all (any) of these infringing IoT devices would be manufactured and distributed within the United Kingdom. Most, if not all, of them would be coming from China. Good luck a) finding the company in the first place; b) getting an infringement notice to them; c) getting them to actually pay up before they close up shop and reappear under another trading entity.
Re: (Score:2)
The retailers are also on the hook if they sell devices with default passwords.
Time it will get updates - rules not good enough (Score:3)
Many customers will not notice that or not understand that the device only having 6 months security patches is bad ... but they will think: what is good about this gizmo is that this one is cheap -- so it must be the right one to buy!!! IoT devices MUST be supported by the typical number of years that a consumer will use it for, so, for example, a 'fridge this is 15-20 years; if not longer.
Also: updating these things must be a no-brainer. How many people have updated the firmware in their broadband router ? Some of us on slashdot maybe, but enumerate how many of your relatives will have done so.
a request for msmash (Score:2)
"...hackers stole data from a US casino via an internet-connected fish tank..."
a technical article about this part sounds pretty cool and would be a welcome change from msmash's usual low grade attempt to elicit pearl-clutching outrage
Re: (Score:2)
msmash not only does not care but clearly takes great joy in shitting up a once great website. Apparently msmash owns part of Slashdot since otherwise any clueful owner would have shitcanned both so-called editors.
They practice epic passive-aggressive story selection and are clearly too smart to be sincerely motivated. It's paid trolling.
Generate a weak password. (Score:1)
Re: (Score:2)
What they want to ban is that the manufacturer sets a password that is identical on all their devices. If the user then goes and changes that to the omnipresent "password" or "12345", that's their business. So you could keep your "Wurzel" password.
And while I would welcome the option to use PKI for securing a router, how many normal consumers do you think would even remotely understand how that works?
Re: (Score:2)
This place is a real shitheap.
Slashdot has always had a contingent of those who don't know and don't wanna but these days it has a broad assortment of trolls. I presume most of them are working for free, while some of them are surely not. I doubt any of them are focused here any more though, because while Slashdot is still somewhat influential it now has neither the impact it used to have, nor the volume of content.