War Declared on Default PasswordsInitiatives in UK and California Aim to Deep-Six Poor IoT Security Practices
Step away from the default password.
That's the message being promulgated by both the United Kingdom and California as they attempt to make internet of things manufacturers sell only secure-by-design products.
"We need standards to ensure that unsafe products don't harm others."
With at least 20 billion new IoT devices set to be internet-connected by 2020, the race is on to ensure that as many of them as possible are designed to be out-of-the-box secure.
California Governor Jerry Brown on Sept. 28 signed Senate Bill No. 327, which as of Jan. 1, 2020, will require internet-connected device manufacturers "to equip the device with a reasonable security feature or features."
The bill's authentication requirements include:
- The preprogrammed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
While the guidelines would only apply to devices that get sold to California consumers, it's likely that all U.S. consumers would benefit. In particular, banning default passwords on devices should make it more difficult for attackers to remotely take control of them.
Multiple Password Problems
The importance of creating secure-by-design internet-connected hardware has been glaringly obvious for years, as demonstrated by the 2016 outbreak of low-tech, high-impact Mirai malware, which was built to exploit the default usernames and passwords used by dozens of different manufacturers' IoT devices. Along the way, it also launched record-setting distributed denial-of-service attacks against a number of targets.
Some security experts, however, have criticized the California law. Robert Graham of research firm Errata Security says that while eliminating default passwords is good, the law's language misses the bigger picture.
"A device doesn't have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like telnet (based on /etc/passwd), and yet a wholly separate system for things like debugging interfaces," Graham says in a blog post. "Just because a device does the proscribed thing of using a unique or user generated password in the user interface doesn't mean it doesn't also have a bug in telnet."
But Bruce Schneier, CTO of IBM Resilient, says California's move to eliminate default passwords is "a good start" for eliminating the security holes that feature in too many of today's devices.
"We need standards to ensure that unsafe products don't harm others. We need to accept that the internet is global and regulations are local, and design accordingly," Schneier says in a blog post. "These standards will include some prescriptive rules for minimal acceptable security."
No Mandates, Please, We're British
Meanwhile, the U.K. government, including GCHQ's National Cyber Security Center, this week released a code of practice for consumer IoT devices.
The voluntary guidelines set out "practical steps for IoT manufacturers and other industry stakeholders to improve the security of consumer IoT products and associated services," the U.K. government says.
"The new code of practice outlines 13 guidelines that manufacturers of consumer devices should implement into their product's design to keep consumers safe," it says. "This includes secure storage of personal data, regular software updates to make sure devices are protected against emerging security threats, no default passwords and making it easier for users to delete their personal data off the product."
Following the guidelines should make it easier for consumers to use the technology while also making it more difficult for hackers to seize remote control of large numbers of devices and press them into service as a botnet army, capable of launching high-impact DDoS attacks.
Already, technology vendors HP and Centrica Hive have committed to following the guidelines, with Centrica saying that all devices it sells from Jan. 1, 2021, will do so.
"The NCSC is committed to empowering consumers to make informed decisions about security whether they're buying a smartwatch, kettle or doll," its technical director, Ian Levy, says in a statement. "We want retailers to only stock internet-connected devices that meet these principles, so that U.K. consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime."
Let's Get Tough on Consumer IoT
Graham says that while the U.K.'s guidelines aren't perfect, they at least touch on all of the things that manufacturers should be aware of and are appropriately limited in scope.
"Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems or mobile phones that they should never really be talked about in the same guide," Graham says in a blog post.
The guidelines also correctly take aim at the entire IoT ecosystem. "It's not just the device that's a problem, but also the cloud and mobile app part that relates to the device," he says.
Oh Update, Where Art Thou?
But there are bigger-picture questions that the U.K. and California initiatives have not answered, such as how long vendors should provide updates for devices they sell, as well as how devices might best handle updates.
While it might sound fine in theory to suggest that every internet-connected device get auto-updates in the manner of Windows Update, "IoT devices sell for cut-throat margins and have barely enough storage to run," which makes auto-updating them problematic, Graham says.
Also, auto-updating isn't a security silver bullet. The May 2017 NotPetya wiper malware outbreak, for example, has been traced to what Slovakian security firm ESET described as "a very stealthy and cunning backdoor" added to source code of widely used Ukrainian accountancy software, allegedly by Russian hackers, which was then distributed for automatic updating by customers (see NotPetya: From Russian Intelligence, With Love).
An auto-updating alternative might be to alert users when a patch is available. But as history has shown, the vast majority of users will never update their device's firmware. "Blaming vendors for not providing security patches/updates means nothing without blaming users for not applying them," Graham says.
Steps to Better Security
Neither the California nor U.K. initiatives, on their own, will solve the problem that so many internet-connected devices today are utterly lacking in basic cybersecurity hygiene.
But the efforts are a step in the right direction. They also build on burgeoning IoT security recommendations from I am the Cavalry, launched in 2013 by a group of concerned security researchers, as well as from Microsoft, the U.S. National Telecommunications and Information Administration and the Open Connectivity Foundation, among others. (As with all things cybersecurity, the combined might of Congress remains out to lunch.)
Preventable Security Problems Persist
The problem of poor consumer IoT security continues to grow more pressing. Despite numerous guidelines and specifications having been released by those organizations, many internet-connected devices still are not designed with information security in mind.
One repeat offender is Hangzhou Xiongmai Technology Co., one of the world's largest manufacturers of surveillance cameras, digital video recorders and network video recorders. While you may have never heard of the original equipment manufacturer, its products regularly get rebranded by numerous vendors. It was also one of Mirai's targets.
"Mirai is a huge disaster for the internet of things," a Xiongmai spokesman told me in 2016 (see Can't Stop the Mirai Malware). The company promised to recall some targeted products as well as release firmware with more security protections built in.
Fast-forward two years, however, and a new report from cyber and application security firm SEC Consult suggests that not all of Xiongmai's developers got the memo. Notably, it says Xiongmai is shipping numerous devices that are compatible with its XMEye cloud platform, which have a hardcoded username - "default" - as well as password - "tluafed," or default spelled backwards - that attackers could use to remotely log into devices and view video streams (see Review Shows Glaring Flaws In Xiongmai IoT Devices).
During our research we came across a Xiongmai user manual that contained screenshots with lots of #xmeye cloud IDs. One provided access to a NVR with default credentials at a Xiongmai factory! https://t.co/7NOfZxcqVx pic.twitter.com/n7hsZsUSxy— SEC Consult (@sec_consult) October 9, 2018
In fact, SEC Consult says it found one vulnerable Xiongmai-built device running inside the Xiongmai factory that built it.
Vendors of consumer internet-connected products with preventable security flaws: Heal thyself. And if you need help, the U.K.'s guidelines and California's new law will point you in the right direction.