And why this can be a huge cybersecurity risk
In today’s digital age, consumers are increasingly recognising the convenience and benefits afforded by Internet of Things (IoT) products. These connected devices offer a wide array of smart features that make everyday life easier and better. Looking to the future, the global consumer IoT market is forecast to reach $204.8 billion by 2027, rising at a market growth of 15.9% CAGR from 2021 to 2027.
But as their popularity grows, so does the need to secure these connected devices against cyber threats. Recent developments such as the publication of the ETSI EN 303 645 cybersecurity standard for consumer IoT devices are a step in the right direction.
In this article, we look at the first section of the ETSI EN 303 645 cybersecurity standard, which is ‘No universal default passwords’, and examine why having default passwords is a bad idea for consumer IoT products.
The first line of defence to protect consumer IoT devices is through authentication, the process or action of verifying the identity of a user or process.
To grant access to a device, identification (such as a username) is used, and authentication is needed so users can prove their identity. Authentication can be based on something the user knows (a password or PIN), something the user has (a token or key), something the user is (a biometric), or a combination of these.
The danger lies in weak passwords, and a universal default password is the weakest of all, which is why the standard rules them out. Every device has an attack surface: all the software and hardware interfaces an unauthorised user can exploit to gain access to the device or to retrieve data from it.
A typical vulnerability is the use of a weak password: one that is short, is a dictionary word or a common pattern (such as “123456” or “password”), is built from public information such as the product name or serial number, or is shared across many accounts or devices.
To mitigate weak passwords, one common recommendation is that a password should be long enough (typically at least 12 characters), should not appear in lists of commonly used passwords, should not be derivable from information an attacker can obtain, and should be unique to the account or device.
A universal default password is one that is the same on every device of a given model when the devices are in their operational (as-shipped) state.
A manufacturer that ships a device with a universal default password creates a vulnerability that attackers can exploit. Let’s illustrate that with the following scenario.
Mr. Smith buys a smart refrigerator called SuperFridge which, once connected, can be accessed over the Internet through an app with the default username “SuperFridge” and default password “000000”. Mr. Smith is not tech savvy and finds his new smart fridge convenient: he has configured it via the app so that when he runs out of milk, the fridge automatically orders a bottle from the local food store.
Mr. Mallory, meanwhile, is a malicious hacker. He buys the same fridge model to study its flaws and quickly finds out that every unit uses the same default username and password, which means he can log in to any of these smart fridges that are reachable from the Internet, including Mr. Smith’s, and send them malicious commands.
Another way to obtain credentials is through ‘brute force’. This type of attack involves ‘guessing’ credentials (usually a username and password, but also a token if it is short) to gain unauthorised access to a system.
When a device ships with a default password, that password should be unique to each device, and the method used to generate it should not let an attacker predict it.
Using the example of Mr. Smith and the SuperFridge, creating the password as “SuperFridge” + factory batch number, giving “SuperFridge462”, would be far too easy to guess: an attacker who knows the scheme needs at most a few thousand tries. The generation mechanism should draw the password from a cryptographically secure random source, so that it is genuinely unpredictable rather than merely random-looking, for example “f2wd34hsd2aead89”.
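The following added example (not code from the original article or from any product mentioned in it) contrasts the guessable batch-number scheme with per-device passwords drawn from a cryptographically secure random generator, and puts a number on the difference. The model name, serial-number format and fleet size are assumptions made for the illustration.

```python
import math
import secrets
import string
from typing import Dict

# 62-symbol alphabet: upper- and lower-case letters plus digits.
ALPHABET = string.ascii_letters + string.digits
MODEL = "SuperFridge"  # assumed model name, taken from the scenario above


def batch_derived_password(model: str, batch_number: int) -> str:
    """The guessable scheme from the text (model name + batch number).
    Included only as the 'before' case: every unit of a batch gets the same password."""
    return f"{model}{batch_number}"


def guesses_for_batch_scheme(max_batch_number: int) -> int:
    """Worst-case guesses for an attacker who knows the scheme and the batch-number range."""
    return max_batch_number


def generate_device_password(length: int = 16) -> str:
    """Per-device password drawn from the OS CSPRNG (secrets), one call per unit."""
    if length < 12:
        raise ValueError("per-device passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing work for a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def provision_fleet(n_devices: int, length: int = 16) -> Dict[str, str]:
    """Assign a fresh password to each (assumed) serial number and confirm no two collide."""
    fleet = {f"SF-{i:06d}": generate_device_password(length) for i in range(n_devices)}
    if len(set(fleet.values())) != n_devices:
        raise RuntimeError("collision: generator output is not unique per device")
    return fleet


if __name__ == "__main__":
    print("batch scheme:", batch_derived_password(MODEL, 462),
          "-> at most", guesses_for_batch_scheme(9999), "guesses")
    print("random 16-char:", generate_device_password(),
          f"-> about 2^{entropy_bits(len(ALPHABET), 16):.0f} guesses")
    fleet = provision_fleet(10_000)
    print(len(fleet), "devices provisioned, all passwords distinct")
```

The value printed on the device label and the value stored in the unit must be the same random string recorded at production time; it must never be recomputed from the serial number, and the device must still give the user a simple way to change it.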
When users send their username and password over a network, they need to be sure that even if a malicious hacker is “listening” to the communication on the network, the data they are sending cannot be read.
To avoid sending cleartext credentials, the app sends them over a secure communication channel. A common method is TLS 1.2 (or 1.3), which encrypts the data in transit and, provided the client verifies the server’s certificate, also ensures that the credentials are going to the genuine device or service and not to an impostor.
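As an added example (not part of the original article), this Python snippet shows the TLS client settings under which an app should send credentials, beside the misconfiguration that still “encrypts” the login, but to whoever answers. The host, port and JSON login message are assumptions for the illustration; send_login is not tied to any real product.

```python
import json
import socket
import ssl
from typing import Optional


def make_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context an app should use before it sends a username/password.
    ca_file: PEM bundle to trust (e.g. the vendor's CA); None means the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True                     # certificate must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable server: no connection at all
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The misconfiguration to avoid: the link is encrypted, but to anybody who answers,
    so a man-in-the-middle receives the credentials in the clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe_for_credentials(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check an app can run before transmitting a password."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def send_login(host: str, port: int, username: str, password: str,
               ctx: ssl.SSLContext) -> bytes:
    """Open a verified TLS connection and send a hypothetical JSON login message.
    Refuses to proceed if the context would expose the credentials."""
    if not context_is_safe_for_credentials(ctx):
        raise ValueError("refusing to send credentials over an unverified channel")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(json.dumps({"user": username, "pass": password}).encode() + b"\n")
            return tls.recv(4096)
```

For a device that presents a self-signed or vendor-issued certificate, pass the vendor CA bundle as ca_file rather than disabling verification; the second context shows exactly what disabling it costs.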
A brute force attack involves ‘guessing’ credentials (usually the username and/or password) to gain unauthorised access to a system.
The original screenshot (not reproduced here) shows an attacker using the tool Hydra to brute force a credential by trying different passwords.
In that screenshot, the password was found after only 85 attempts, but an attacker can send millions of requests to guess credentials.
To make those millions of attempts impractical, devices can defend against brute forcing with rate limiting of login attempts, an increasing delay after each failure, and a temporary lock-out after a number of consecutive failures, while still leaving the legitimate user a way to regain access.
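The following added example (not from the original article) implements those three measures as a device-side login guard and replays the 85-guess attack against it with a simulated clock, so the effect can be measured without a network. The wordlist, the correct password, the attacker’s address and the timing parameters are constructed for the illustration.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed wordlist: a few Mirai-style defaults, then filler guesses; the real
# password is the 85th entry, matching the Hydra screenshot described above.
CORRECT_PASSWORD = "S3cr3t-fridge-9x"
WORDLIST = (["1111", "6666", "password", "admin", "guest"]
            + [f"guess{i:02d}" for i in range(79)]
            + [CORRECT_PASSWORD])


class LoginGuard:
    """Throttle for online guessing: a few free attempts, then an exponentially
    growing delay, then a temporary lock-out. Attempts that arrive too early are
    rejected without the password being checked at all."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 1.0,
                 max_delay: float = 300.0, lockout_after: int = 10,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)
        self.not_before: Dict[Tuple[str, str], float] = defaultdict(float)

    def attempt(self, username: str, source: str, password: str,
                verify: Callable[[str, str], bool]) -> str:
        """Returns 'ok', 'denied' (wrong password, evaluated) or 'throttled' (not evaluated)."""
        key = (username, source)
        now = self.clock()
        if now < self.not_before[key]:
            return "throttled"
        if verify(username, password):
            self.failures.pop(key, None)
            self.not_before.pop(key, None)
            return "ok"
        self.failures[key] += 1
        n = self.failures[key]
        if n >= self.lockout_after:
            self.not_before[key] = now + self.lockout_seconds
        elif n > self.free_attempts:
            delay = min(self.base_delay * 2 ** (n - self.free_attempts - 1), self.max_delay)
            self.not_before[key] = now + delay
        return "denied"


class FakeClock:
    """Stand-in for time.monotonic so the attack can be replayed instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_attack(wordlist: List[str], correct: str, guard: Optional[LoginGuard],
                    clock: FakeClock, interval: float = 0.1,
                    time_budget: float = 3600.0) -> Tuple[bool, int, int]:
    """Attacker fires one guess every `interval` s from one address, re-sending a guess
    that was throttled, and gives up after `time_budget` s.
    Returns (success, guesses_sent, guesses_actually_evaluated)."""
    def verify(_user: str, candidate: str) -> bool:  # hypothetical device-side check
        return hmac.compare_digest(candidate.encode(), correct.encode())

    sent = evaluated = 0
    i = 0
    while i < len(wordlist) and clock() <= time_budget:
        sent += 1
        if guard is None:
            result = "ok" if verify("admin", wordlist[i]) else "denied"
        else:
            result = guard.attempt("admin", "203.0.113.7", wordlist[i], verify)
        if result != "throttled":
            evaluated += 1
            if result == "ok":
                return True, sent, evaluated
            i += 1
        clock.advance(interval)
    return False, sent, evaluated


def run_demo() -> Dict[str, Tuple[bool, int, int]]:
    """Same 85-word attack with and without the guard, one simulated hour each."""
    unguarded = simulate_attack(WORDLIST, CORRECT_PASSWORD, None, FakeClock())
    clock = FakeClock()
    guarded = simulate_attack(WORDLIST, CORRECT_PASSWORD, LoginGuard(clock=clock), clock)
    return {"unguarded": unguarded, "guarded": guarded}


if __name__ == "__main__":
    for name, (ok, sent, evaluated) in run_demo().items():
        print(f"{name:9s} success={ok} sent={sent} evaluated={evaluated}")
```

Unguarded, the 85th guess succeeds within seconds; guarded, only about a dozen guesses are ever evaluated in an hour, and the rest are rejected before the password is checked. Keying on username and source address limits the damage an attacker can do to the real user, but a device should also cap attempts per username overall, because a distributed attacker can change addresses.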
The Mirai botnet made newspaper headlines in 2016 when its distributed denial of service attack on the DNS provider Dyn caused Internet outages across the US East Coast. It was a botnet of hundreds of thousands of IoT devices under an attacker’s control.
To take control of all these IoT devices, infected devices scanned the Internet for other devices with an open Telnet service. If a targeted device responded to the probe, the malware tried to log in by brute forcing authentication with a list of around 60 default username and password pairs (passwords such as 1111, 6666, password, admin and guest; usernames mainly root and admin).
To grasp how widespread default passwords are, take a look at publicly available repositories of default passwords, for example: https://many-passwords.github.io/
To address cybersecurity concerns in consumer IoT devices, the ETSI EN 303 645 cybersecurity standard was launched to provide a comprehensive set of provisions for device manufacturers – and the industry at large – to strengthen cybersecurity for these devices. The standard also serves as a basis for certification of IoT products.
Containing 13 sections, it is a globally applicable cybersecurity norm for consumer IoT devices covering the security needs of the equipment, its communication and personal data protection. The first section on the list covers the use, or rather misuse, of weak passwords.
The first section of the ETSI EN 303 645 cybersecurity standard states that no universal default passwords shall be used. According to this standard, the following shall apply for consumer IoT product passwords:
From a reading of the provisions, we can see that the standard rules out passwords that can be easily guessed or recovered by brute force, while also requiring that users be given a way to change their authentication passwords.
Consumers are increasingly paying attention to the cybersecurity of their IoT devices. Device manufacturers can give consumers confidence and reassurance when purchasing by certifying their products against the ETSI EN 303 645 standard.
One way to do so for manufacturers is by working with organisations such as TÜV SÜD for their ETSI EN 303 645 testing and certification.
TÜV SÜD experts are familiar with the cyber fraud and data privacy regulations of specific markets and have a deep understanding of the cyber threat landscape, working with customers around the world to fully unlock the potential of the digital future.
Cybersecurity and data protection is one of our core capabilities. From product design and manufacturing to operations, we provide professional support at every step to reduce cybersecurity and data privacy risks.
Learn more about our ETSI EN 303 645 testing and certification services here.