Why Using Universal Default Passwords Is a Bad Idea

A Look at the First Provision of the ETSI EN 303 645 Cybersecurity Standard, Which Is ‘No Universal Default Passwords’, and Examine Why Having Weak Default Passwords Is a Bad Idea for Consumer IoT Products

In today’s digital age, consumers are increasingly recognizing the convenience and benefits afforded by Internet of Things (IoT) products. These connected devices offer a wide array of smart features that make everyday life easier and better. Looking to the future, the outlook on the global consumer IoT market is forecast to reach $204.8 billion by 2027, rising at a market growth of 15.9% CAGR from 2021 to 2027.

But as their popularity grows, there is an increasing need to better secure these connected devices from potential cyber threats. To that, recent developments such as the launch of the ETSI EN 303 645 cybersecurity standard for consumer IoT devices is a step in the right direction.

In this article, we look at the first section of the ETSI EN 303 645 cybersecurity standard, which is ‘No universal default passwords’, and examine why having default passwords is a bad idea for consumer IoT products.

How consumer iot devices grant access to users - and why weak passwords are vulnerabilities

The first line of defense to protect consumer IoT devices is through authentication, the process or action of verifying the identity of a user or process.

FACTORS OF AUTHENTICATION

To grant access to a device, identification (such as a username) is used, and authentication is needed so users can prove their identity. Authentication can be based on:

Something you know (such as a password)
Something you have (such as a smart card)
Something you are (such as a fingerprint or other biometric feature)

The danger lies in using weak passwords, highlighting the necessity of using no universal default passwords. Every device has attack surfaces, which include all the software and hardware interfaces an unauthorized user can exploit to gain access or to retrieve data from the device.

A typical vulnerability is posed by the usage of a weak password. Characteristics of weak passwords include the following:

Easily brute-forced: Having a low (<6) number of characters, predictable sequence (123456), dictionary (admin admin)
Susceptible to social engineering: Your name is Peter and your password is Peter01
Unchangeable: Can be retrieved by looking at the software’s source code

To mitigate weak passwords, one scheme that can be used as a reference is FIPS 140-2 which recommends for a password the following criteria:

It must be at least seven (7) characters in length
It must include characters from at least three (3) of the following character classes:
- ASCII digits;
- lowercase ASCII;
- uppercase ASCII;
- non-alphanumeric ASCII; and
- non-ASCII

Universal default password happens when the same password is used on all devices of a model when they are in operational state.

Exploiting default password vulnerabilities: theory

Manufacturers using a universal default password for a device creates weak vulnerabilities which can be exploited by hackers. Let’s illustrate that with the following scenario. Mr. Smith buys a smart refrigerator called SuperFridge which, when connected, can be accessed through an APP (through the Internet) with a default username “SuperFridge” and default password “000000”. Mr. Smith is not tech savvy and finds his new smart fridge convenient since when he runs out of milk, he has set the settings of the smart fridge via the APP so that the smart fridge automatically orders a bottle of milk from the local food store.

Mr. Mallory, meanwhile, is a malicious hacker. He buys the same fridge model to study its flaws and finds out quickly that the device is using a default username and password. Which means he can connect to any of these smart fridges and send malicious messages:

Another way is through ‘brute force’. This type of attack involves ‘guessing’ credentials (usually username and passwords - but it can also be a token if they are short length) to gain unauthorized access to a system.

Password Generation Method

When a password is used by default on a device, it should be unique for each device and its generation method should not be easily guessed.

Using the example of Mr. Smith and the SuperFridge, creating a password this way: “SuperFridge” + factory batch number = SuperFridge462” would be too easy to guess. A generation mechanism should produce a password that appears random like “f2wd34hsd2aead89”.

AUTHENTHICATION AND CRYPTOGRAPHICS

When a user is sending its username and password over a network, he/she needs to ensure that if a malicious hacker is “listening” on the network that data he is sending (since the data is the credentials) and that he is not able to read it.

To avoid sending cleartext credential, the user will send its credential on a secure communication channel. A common method is to use TLS 1.2 (or 1.3) over http to provide data encryption.

Password anti-brute force mechanism

A brute force attack involves ‘guessing’ credential (usually username and passwords- but it can also be token if they are short length) to gain unauthorized access to a system.

The image below shows an attacker using the tool Hydra to brute force some credential by trying different passwords:

In the image above, the password was guessed with only 85 attempts but the hacker can send millions of requests to try to guess credentials. To avoid these millions of attempts, devices can prevent brute forcing attacks with:

Account lockouts after failed attempts
Modify the default port
Use CAPTCHA
Limit logins to a specified IP address or range
Employ 2-Factor Authentication (2FA)
Use unique login URLs
Monitor server logs

Exploiting Default Password Vulnerability – in the wild

Mirai botnet made the headlines of newspaper in 2016 by creating an internet outage in the US West Coast with a distributed denial of service. It was a botnet of millions of IoT device which an attacker add control ovet. To get control of all these IoT devices, infected devices are scanning the internet to find other devices. If a targeted device respond to the prob, the malware will try to log into them by brute forcing authentication using a list of 60 default passwords (such as: 1111, 6666, password, admin, guest) and usernames (mainly root, admin). To have a grasp on how widespread default passwords are, one can take a look at publicly available database of default password: https://many-passwords.github.io/

What is the etsi en 303 645 standard?

To address cybersecurity concerns in consumer IoT devices, the ETSI EN 303 645 cybersecurity standard was launched to provide a comprehensive set of directives for device manufacturers - and the industry at large - to strengthen cybersecurity for these devices. The standard also serves as a basis for certifications of future IoT products.

Containing 13 provisions, it is a globally applicable cybersecurity guide for consumer IoT devices covering security needs of equipment, communications and personal data protection. The first directive on the list covers the use - or rather misuse - of weak default passwords.

What can be done about weak or universal default passwords?

The first provision stated in the ETSI EN 303 645 cybersecurity standard is that no universal default passwords should be used. According to this standard, the following shall apply for consumer IoT product passwords:

Where passwords are used and in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user.
Where pre-installed unique per device passwords are used, these shall be generated with a mechanism that reduces the risk of automated attacks against a class or type of device.
Authentication mechanisms used to authenticate users against a device shall use best practice cryptography, appropriate to the properties of the technology, risk and usage.
Where a user can authenticate against a device, the device shall provide to the user or an administrator a simple mechanism to change the authentication value used.
When the device is not a constrained device, it shall have a mechanism available which makes brute force attacks on authentication mechanisms via network interfaces impracticable.

From a reading of the provision, we can see that it rules out using passwords that can be easily guessed or hacked by brute force, while also calling for ways to allow users to change authentication passwords.

why choose TÜV SÜD for etsi en 303 645 testing

Consumers are increasingly paying attention to cybersecurity for their consumer IoT devices. Device manufacturers can provide great confidence and reassurance to consumers when making purchases by certifying their products under the ETSI EN 303 645 standard. One way to do so for manufacturers is by working with organizations such as TÜV SÜD for their ETSI EN 303 645 testing and Attestation of Conformance (AoC). TÜV SÜD experts are intimately familiar with the cyber fraud and data privacy regulations in specific markets and a deep understanding of the cyber threat field, working with customers around the world to fully unlock the potential of the digital future. Cybersecurity and data protection are one of our core capabilities. From product design, manufacturing to operations, we provide you with intimate support at every step to reduce the cybersecurity and data privacy disclosure risk.

Learn more about our ETSI EN 303 645 testing services here.