UK Becomes First Country To Ban Default Bad Passwords on IoT Devices

The United Kingdom has become the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. From a report: The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they're connected to. In one often-cited case described by cybersecurity company Darktrace, hackers were allegedly able to steal data from a casino's otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank. Under the PSTI, weak or easily guessable default passwords such as "admin" or "12345" are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.

Casio got hack from a fish tank sensor?

[GregMmm]

Yes I get IoT items are targets and going to be targets because updates will stop. But the example is terrible. A casino? With an IT staff? Well here's one for you, don't connect your fish tank temperature sensor to your productions network or as you call it their "well-protected computer network". Put it on an isolated network, or guest or anything else.

Re:

[Junta]

Also, don't treat any network as "inherently trusted".

Re:

[Junta]

I'd say most attack surfaces that are soft by virtue on being on a "trusted network" could easily have a viable hardened characteristic without a huge cost delta. Think various open database instances or password protected with a dumb easily guessable password.

Admittedly, this can be hard to get to because a lot of people mistake "inconvenient" for "secure", and thus if you are *not* entering 3 different OTP codes manually to access a device it's not "secure". However in a lot of cases you can replace such

Re:

[aaarrrgggh]

I cringe when I look at my home IoT network; it is a separate VLAN with limited internal and no external access, but MQTT and some of the REST protocols are really hard to lock down on a residential scale. I could segment IoT more, but with it all being 2.5GHz stuff I am effectively limited to 3-4 VLANs.

Re:

[ls671]

Don't worry so much!

Unique passwords installed by default are still permitted.

Our company decided to then use the MAC address as password since our Internet provider does the same for the passwords to access their routers. /s

Re:

[Luckyo]

This is continuation of the same misunderstanding. You still think of it as a product, that you just sell with "hardened characteristic". You don't understand that in addition to up front costs, this imposes massive process costs for each process that was hardened.

Because security is the opposite of usability. And you have to choose somewhere on the spectrum between the two extremes. For each process. Which means that when you fuck around with heavy industrial processes and shift them away from usability, e

Re:

[Junta]

No, I don't think of security as a 'product'. Also you may want to be more specific. The low hanging fruit is the people that put some sort of service on a network with the password 'admin', because it's "trusted". There's no world in which that is a cost saving behavior, it's just supreme laziness. Now if you get into embedded space, particularly with a lot of legacy design components, ok, that 'network' is going to be trusted. I'd eye things *very* skeptically if someone claims it must be a trusted net

Re:

[Luckyo]

We're not going to get anywhere I think, because you are here to deny the most basic concepts of security processes, such that increasing security necessarily reduces usability.

It's especially visible in that you're only thinking in terms of IT, and that's why you don't understand security. IT security is just a tiny portion of security. Your hyper secure super duper amazing network is highly vulnerable to a guy with a tazer, a set of hand and leg cuffs and a few batteries having a talk with admin who has t

Re:Casio got hack from a fish tank sensor?

[AmiMoJo]

It's more aimed at consumers who plug their ISP supplied router in and never change any settings. Some years back one big ISP's routers used a default WiFi password that was just the wireless MAC address trivially transformed (XOR if I remember). Since the MAC address also identifies the manufacturer, it was pretty easy to find easily exploitable networks and use their broadband for nefarious purposes.

Re:

[jenningsthecat]

It's more aimed at consumers who plug their ISP supplied router in and never change any settings. Some years back one big ISP's routers used a default WiFi password that was just the wireless MAC address trivially transformed (XOR if I remember). Since the MAC address also identifies the manufacturer, it was pretty easy to find easily exploitable networks and use their broadband for nefarious purposes.

The summary points to the real problem when it says "Unique passwords installed by default are still permitted". A necessary-but-not-sufficient practice would require ANY net-connected device to force the entry of a fresh password of specified complexity before the equipment is allowed network access.

If doing that requires extra hardware - say, a USB or CAT5 port to connect to a computer or tablet to provide an interface for entering that initial password - then so be it. Good security is necessarily inconv

Re:Casio got hack from a fish tank sensor?

[Incadenza]

A router with a sufficiently hard password on a sticker will be better secured than the one people will have to make up the password for for themselves. Most people will come up with easiest password the fits that requirements, and maybe re-using it as well.

Yeah how

[Ryanrule]

Gonna have to ban all that copy paste shit coming from china.

Re:Yeah how

[TWX]

My guess is that manufacturers will just add an initial-setup subroutine that won't allow setup to proceed until the default password is changed by the person doing the work.

One issue with requiring each and every bit of hardware to have a unique password will be more e-waste if these devices are less useful on the secondary market. A common technique to work with old hardware is to perform a factory reset on the bench before reconfiguring it for one's own purposes.

Then again, since most devices, even cheap devices, have their MAC addresses printed on them, it wouldn't be all that difficult to populate the same table used for that with the factory unique password in the printing system, and to then include that unique password on the label. It would still be a good idea to force the user to change the password, but if they don't then it would at least require someone to have gained physical access to the device in order to get that password. I suppose a dictionary attack could be used if the vendor password list leaked to the Internet as well, but that's a whole new level of failure.

Re:

[Luckyo]

A lot of routers already have a unique password printed on them when you buy them. So it makes sense if your IoT thing just has a unique default password printed on a sticker/lasered on. Or at least on the box.

Re:

[omnichad]

manufacturers will just add an initial-setup subroutine that won't allow setup to proceed until the default password is changed.

That's the better method. The method of embedding a unique password in the ROM at the factory (like Netgear) is certainly problematic. But also every single ISP router. Because they all rely on a sticker not getting damaged or degraded over time. I get that they aren't handled like laptops (whose underside stickers often end up completely illegible).

Re:

[TWX]

At least on laptops I've bought since 2016, there's been a metal flap on the underside that the sticker is behind. The flap could theoretically be torn off I suppose, but it's held with a magnet and is recessed enough to make that reasonably unlikely.

Re:

[Zocalo]

They'll probably just use the MAC for the initial password because, as you say, the device has almost certainly already got a printed label with it on and it doesn't involve any special characters, so no change to the manufacturing process at all - just a bit of code and a documentation update. Equally, a hardware reset would simply reset the password to the MAC as well as wipe any config info, so no issues with generating extra e-waste, unless the device with shit to start with (we are talking IoT afteral

Re:

[ctilsie242]

QNAP NAS devices default to user admin, with the password being the MAC without any colons. This does work well enough, and for the most part, one never uses this in any process unless they hit the reset button because they got locked out of their appliance, as the QNAP setup process disables the admin account by default and prompts for a username/password on initial install.

What would be close to ideal for more complex devices is an e-ink display. On initial setup, it would display a simple, easy to read

Re:

[TWX]

This makes me wonder about having a new form factor for a serial cable. Something like the RJ11 serial cable Cisco routers use, or maybe using RS232 over USB-C. This way, someone can configure a security sensitive device on a wire or using a cable before it ever sees the network.

What you're talking about is YOST.

https://yost.com/computers/RJ4... [yost.com]

The problem with it isn't the signaling at the port, it's getting the serial part to work on the host PC or other device being used. Almost nothing has RS-232 DE-9 port anymore, and even USB-A is becoming less common. Plus the FTDI scandal with cloned chips and nonfunctional drivers is another major problem.

Is this de facto in the U.S.?

[El Fantasmo]

California passed legislation to ban this in 2018. Does that mean it's basically all devices sold in the U.S., rather than splitting compliance?

https://techcrunch.com/2018/10... [techcrunch.com]

Re:Is this de facto in the U.S.?

[Junta]

One difference is that the California password allow still allows bad default passwords, so long as it enforces 'change on first use', which is a concession to a lot of automation, but if someone *never* uses it, it stays at a bad default value. UK law says it must be unique.

Another difference is the California law allows the password to be pretty guessable, e.g. derived from a serial number or some incrementing counter. The UK law says that the password must not be guessable/derived from some counter or serial number.

So one could argue that California did not ban 'bad' default passwords, but just banned the subset of 'well know common default passwords that can be used to do more than change the password'.

Re:

[omnichad]

if someone *never* uses it, it stays at a bad default value. UK law says it must be unique.

At that point, it's not a "default" password, but just a setup code. It wouldn't be powered on and connected in that state.

Re:

[Junta]

Depends on the product.

Let's say you have a router, that router implements enough to work by default, and the 'setup code' is indeed needed to set it up, but the default operational state was good enough that you didn't actually "set it up". There's a lot of devices that are likely to have a "probably good enough" default operational state that may leave the password/setup code alone so that at some point in the undetermined future an attacker gets to be the one to "claim" the device rather than the reason

Re:

[jacks smirking reven]

For example a well known default that is only viable if the device is 'off' and inoperable. Or a time limit from power on after which the setup code becomes inactive (like an hour or something), after which you have to unplug/replug device to get the setup code active again.

Thinking about how the modems that your ISP rents you work like that. I can factory reset it in an offline mode but as soon as that device hit the network it will be identified and flashed and password changed. A lot of signage players I've worked with operate on that principle, once the device is on your account you assign it a config from your dashboard and even if it's factory reset if it goes online it will find it's been claimed and update itself. The only way to change the password is via the dashb

Re:

[ctilsie242]

This is a tough area... people need a router to be on the network, but it needs a secure channel for setup, and ideally a channel that can't be hijacked if someone other than the owner connects to the device after it is powered on. Having an e-Ink display that shows a temporary setup code can help, but that does cost money. Using Bluetooth is also a way, but someone else might be able to hijack it before the legit owner can complete pairing. NFC communication between the router and phone to establish a p

Re:

[Junta]

If the setup code is truly random sequence of 12 or so ascii characters only available through inspecting the labeling, then I think that could live on a while.

Problem is that scheme is highly automation hostile, and if applied to something like a fleet of hundreds or thousands of devices, wouldn't be workable. So a device targeting fleet style deployment needs some other strategy. Not sure if the UK law provides some sort of provision that would work for a mass headless deployment.

Re:

[Bert64]

One difference is that the California password allow still allows bad default passwords, so long as it enforces 'change on first use',

For a lot of devices, the default configuration works sufficiently that noone ever bothers to log in and change anything, or people don't even realise the device is there at all.
IPMI devices are a good example of this, built in to most modern servers but you don't have to use them - the server will operate perfectly well if you connect a monitor and keyboard instead, so some people do that and have no idea that a default IPMI device is sitting there waiting to be used by someone nefarious.
Similarly consider

Re:

[alvinrod]

If they know your serial number, they probably have physical access and at that point it's probably too late for any kind of password policy to do any good. Not that it's too difficult for a company to comply with not having the initial password based off of a serial number, but any algorithmic scheme to generate passwords makes it somewhat guessable if you know enough about the algorithm.

Re:

[Junta]

Well, for serial number, you have some issues:
-Some devices announce their serial number via some unauthenticated mechanism. There are utilities that list devices from a certain vendor and they'll list details like serial number so you can decide if you should/should not try to set it up.
-Even if not announced, the serial number makes for a nice dictionary. If I know that the password is XXXXYYYY where X is some alphabetic prefix number and Y is a numeric incrementing by 1, then the password may well be p

Calling The Doctor

[Bitbeard]

If only this country had a good working relationship with a Time Lord to go back and make this a requirement starting in 1995. On wait...

Much needed

[bubblyceiling]

Wifi Routers used to be a be a huge security risk due to their weak default passwords. This led to several attacks on unsuspecting users, and was eventually fixed by manufacturers. It is high time that IoT device manufacturers also follow suit

Delivering Test code also needs to be illegal

[laughingskeptic]

Beyond passwords, many IoT widgets are delivered with test code compiled-in that has comments at the top of the source along the lines of "/* DO NOT DELIVER THIS CODE */". I have seen releases where this happened, hackers took advantage, the test code was removed and then a year later reappears in an update. IoT product vendors spend more money on their box design than they do on the contract engineers that deliver the source code for their widget. There is some minimal level of QA that they need to be h

Re:

[Bert64]

The problem stems from vendors wanting to brand the equipment but don't have the expertise to develop their own firmware. You end up with firmware that's made by some chinese OEM and then rebranded by a multitude of third parties. Even assuming the original OEM produces an updated firmware, you then have to wait for the individual reseller to apply their branding and release their branded version of the update. Often this doesn't happen at all and you're stuck with whatever version it rolled out the factory

Thatâ(TM)s novel

[liqu1d]

Never would I have thought the UK would get tech legislation right!

how to enforce this

[jsepeta]

No idea how they're going to make it happen

They didn't get hacked from Fish Sensor

[Murdoch5]

They got hacked because they have bad network policies. Anything IoT is absolutely untrusted, and must be placed in a segmented VLAN, that has zero access to anything you would rate as: “If it dies, I don't care”, level of importance or higher. If someone was able to jump from a sensor in a fish tank, to anything that could access an important node, the network engineer failed, or, there are some companies who need to be answering questions.

Even if you wanted to log the data to an analytic e