Why using universal default passwords in Consumer IoT products is a bad idea

Find out why this can be a huge cybersecurity risk

In today’s digital age, consumers are increasingly recognising the convenience and benefits afforded by Internet of Things (IoT) products. These connected devices offer a wide array of smart features that make everyday life easier and better. Looking to the future, the global consumer IoT market is forecast to reach $204.8 billion by 2027, rising at a market growth of 15.9% CAGR from 2021 to 2027.

But as their popularity grows, there is an increasing need to better secure these connected devices from potential cyber threats. Recent developments such as the launch of the ETSI EN 303 645 cybersecurity standard for consumer IoT devices is a step in the right direction. 

In this article, we look at the first section of the ETSI EN 303 645 cybersecurity standard, which is ‘No universal default passwords’, and examine why having default passwords is a bad idea for consumer IoT products.


How consumer IoT devices grant access to users - and why weak passwords are vulnerabilities

The first line of defence to protect consumer IoT devices is through authentication, the process or action of verifying the identity of a user or process. 

FACTORS OF AUTHENTICATION 

To grant access to a device, identification (such as a username) is used, and authentication is needed so users can prove their identity. Authentication can be based on:

  • Something you know (such as a password)
  • Something you have (such as a smart card)
  • Something you are (such as a fingerprint or other biometric feature)

The danger lies in weak passwords, which is why universal default passwords must be avoided. Every device has an attack surface: all the software and hardware interfaces that an unauthorised user could exploit to gain access to the device or to retrieve data from it.

A typical vulnerability is the use of a weak password. Characteristics of weak passwords include the following:

  • Easily brute-forced: too short (fewer than 6 characters), a predictable sequence (123456), and/or a word found in a dictionary (administrator)
  • Susceptible to social engineering: your name is Peter and your password is Peter01
  • Unchangeable: hard-coded into the device, so it can be retrieved by looking at the software’s source code

To mitigate weak passwords, one common recommendation is to fulfil the following criteria for a password:

  • It must be at least eight (8) characters in length
  • It must include characters from at least three (3) of the following character classes:
    • digits;
    • lowercase letters;
    • uppercase letters;
    • special characters

A universal default password is one and the same password used on all devices of a model while they are in their operational state.


Exploiting default password vulnerabilities: theory

A manufacturer that ships a universal default password on a device creates a vulnerability which hackers can exploit. Let’s illustrate this with the following scenario.

Mr. Smith buys a smart refrigerator called SuperFridge which, once connected, can be accessed through an app (over the Internet) with the default username “SuperFridge” and default password “000000”. Mr. Smith is not tech savvy, and he finds his new smart fridge convenient because he has configured it via the app so that when he runs out of milk, the smart fridge automatically orders a bottle of milk from the local food store.

Mr. Mallory, meanwhile, is a malicious hacker. He buys the same fridge model to study its flaws and quickly finds out that the device is using a default username and password, which means he can connect to any of these smart fridges and send malicious messages:

Another way in is through ‘brute force’. This type of attack involves ‘guessing’ credentials (usually usernames and passwords, but it can also be a token if tokens are short) to gain unauthorised access to a system.


PASSWORD GENERATION METHOD

When a password is used by default on a device, it should be unique for each device and its generation method should not be easily guessed.

Using the example of Mr. Smith and the SuperFridge, creating a password as “SuperFridge” + factory batch number = “SuperFridge462” would be too easy to guess. A generation mechanism should produce a password that appears random, like “f2wd34hsd2aead89”.
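The two generation schemes above, together with the password criteria from the previous section, as an added example that is not part of the original article: the batch-number scheme is rejected because its letters are just the model name, while the CSPRNG scheme is retried until the result satisfies the policy. The word list and the SuperFridge values are constructed for the demo.

```python
import secrets
import string

# Constructed word list for the demo; a real check would consult a full dictionary.
DICTIONARY_WORDS = {"administrator", "password", "admin", "guest", "superfridge"}

def weak_default_password(model: str, batch_number: int) -> str:
    """The guessable scheme from the article: model name + factory batch number."""
    return f"{model}{batch_number}"

def has_sequential_run(password: str, run_length: int = 4) -> bool:
    """True if the password contains a run like '1234' or 'abcd' (case-insensitive)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run_length + 1):
        window = codes[i:i + run_length]
        if all(window[j + 1] - window[j] == 1 for j in range(run_length - 1)):
            return True
    return False

def password_policy_failures(password: str) -> list:
    """Reasons a password fails the article's criteria; an empty list means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    classes = [any(c.isdigit() for c in password), any(c.islower() for c in password),
               any(c.isupper() for c in password), any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        failures.append("fewer than 3 character classes")
    if has_sequential_run(password):
        failures.append("contains a predictable sequence")
    # A "word" plus digits (SuperFridge462, Peter01) is only as strong as the word.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in DICTIONARY_WORDS:
        failures.append("derived from a dictionary word or model name")
    return failures

def generate_device_password(length: int = 16) -> str:
    """Unique per-device password from a CSPRNG, retried until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_policy_failures(candidate):
            return candidate
```

The checker does not know the owner's name, so a password like Peter01 only fails on length; that is exactly why a factory password should come from the generator rather than from anything printed on the box or in the manual.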


AUTHENTICATION AND CRYPTOGRAPHY

When users send their username and password over a network, they need to ensure that even if a malicious hacker is “listening” to the communication on the network, the data they are sending cannot be read.

To avoid sending cleartext credentials, the user sends their credentials over a secure communication channel. A common method is to use TLS 1.2 (or 1.3), which encrypts the data in transit.


Password anti-brute force mechanism

A brute force attack involves ‘guessing’ credentials (usually the username and/or password) to gain unauthorized access to a system.

The image below shows an attacker using the tool Hydra to brute force credentials by trying different passwords:

In the image above, the password was guessed with only 85 attempts, but the hacker can send millions of requests to try to guess credentials.

To avoid these millions of attempts, devices can prevent brute-force attacks with:

  • Account lockouts after failed attempts
  • CAPTCHAs
  • Login restrictions to a specified IP address or range
  • Two-factor authentication (2FA)
  • Unique login URLs
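The first item in that list, account lockout after failed attempts, as an added example that is not code from the article or from any vendor: a login gate that locks the account after five failures and doubles the lockout on every further lockout, plus a replay of a constructed 85-guess wordlist (the number from the Hydra screenshot) showing how few guesses the device actually evaluates. The clock is injected so the replay can be run offline.

```python
import hashlib
import hmac

# Constructed demo (not code from the standard or any vendor): lock the account after
# repeated failures and double the lockout each time, so a wordlist cannot be replayed quickly.
MAX_FAILURES = 5            # failures tolerated before the account locks
BASE_LOCKOUT_SECONDS = 30   # first lockout; doubled on every further lockout
MAX_LOCKOUT_SECONDS = 3600  # cap, so lockouts never become a permanent denial of service

def password_digest(password: str) -> str:
    # SHA-256 keeps the demo self-contained; a real device should use a slow hash (scrypt/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()

class LoginGuard:
    """Credential check with lockout; `clock` is injected so the demo can fake time."""
    def __init__(self, credentials, clock):
        self._creds = credentials   # {username: password_digest(password)}
        self._clock = clock
        self._state = {}            # per-account failure counters

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'rejected' or 'locked'; a locked account is not even checked."""
        now = self._clock()
        st = self._state.setdefault(username, {"failures": 0, "lockouts": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            return "locked"
        expected = self._creds.get(username, "0" * 64)   # dummy digest keeps timing uniform
        if hmac.compare_digest(expected, password_digest(password)):
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] >= MAX_FAILURES:
            st["locked_until"] = now + min(BASE_LOCKOUT_SECONDS * 2 ** st["lockouts"], MAX_LOCKOUT_SECONDS)
            st["lockouts"] += 1
            st["failures"] = 0
        return "rejected"

def simulate_guessing(guesses, correct, seconds_between_requests=0.05):
    """Replay a wordlist against one account; count guesses actually evaluated vs. blocked."""
    clock = {"now": 0.0}
    guard = LoginGuard({"SuperFridge": password_digest(correct)}, clock=lambda: clock["now"])
    outcome = {"evaluated": 0, "blocked": 0, "found": False}
    for guess in guesses:
        result = guard.attempt("SuperFridge", guess)
        outcome["blocked" if result == "locked" else "evaluated"] += 1
        if result == "ok":
            outcome["found"] = True
            break
        clock["now"] += seconds_between_requests
    return outcome
```

With the correct password in position 85, only the first five guesses are checked and the remaining eighty are refused without a credential check; the lockout cap keeps an attacker from locking the legitimate owner out permanently, which is the usual side effect of an unbounded lockout.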


Exploiting default password vulnerabilities: in the wild

The Mirai botnet made newspaper headlines in 2016 by causing an Internet outage on the US West Coast with a distributed denial of service. It was a botnet of millions of IoT devices that an attacker had control over.

To gain control of all these IoT devices, infected devices scanned the Internet for other devices. If a targeted device responded to the probe, the malware would try to log into it by brute forcing authentication with a list of 60 default passwords (such as 1111, 6666, password, admin, guest) and usernames (mainly root and admin).

To grasp how widespread default passwords are, one can take a look at publicly available repositories of default passwords, for example: https://many-passwords.github.io/


What is the ETSI EN 303 645 standard?

To address cybersecurity concerns in consumer IoT devices, the ETSI EN 303 645 cybersecurity standard was launched to provide a comprehensive set of provisions for device manufacturers – and the industry at large – to strengthen cybersecurity for these devices. The standard also serves as a basis for certification of IoT products.

Containing 13 sections, it is a globally applicable cybersecurity norm for consumer IoT devices covering security needs of equipment, communication and personal data protection. The first section on the list covers the use - or rather misuse - of weak passwords. 

What can be done about weak or universal default passwords?

The first provision of the ETSI EN 303 645 cybersecurity standard is that no universal default passwords shall be used. According to this standard, the following shall apply to consumer IoT product passwords:

  • Where passwords are used and in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user.
  • Where pre-installed unique per device passwords are used, these shall be generated with a mechanism that reduces the risk of automated attacks against a class or type of device.
  • Authentication mechanisms used to authenticate users against a device shall use best practice cryptography, appropriate to the properties of the technology, risk and usage.
  • Where a user can authenticate against a device, the device shall provide to the user or an administrator a simple mechanism to change the authentication value used.
  • When the device is not a constrained device, it shall have a mechanism available which makes brute force attacks on authentication mechanisms via network interfaces impracticable.

From a reading of the provisions, we can see that it rules out using passwords that can be easily guessed or hacked by brute force, while also calling for ways to allow users to change authentication passwords.


About TÜV SÜD and ETSI EN 303 645 testing

Consumers are increasingly paying attention to cybersecurity for their consumer IoT devices. Device manufacturers can provide great confidence and reassurance to consumers when making purchases by certifying their products under the ETSI EN 303 645 standard.

One way to do so for manufacturers is by working with organisations such as TÜV SÜD for their ETSI EN 303 645 testing and certification. 

TÜV SÜD experts are very familiar with the cyber fraud and data privacy regulations in specific markets and have a deep understanding of the cyber threat field, working with customers around the world to fully unlock the potential of the digital future.

Cybersecurity and data protection are one of our core capabilities. From product design, manufacturing to operations, we provide you with professional support at every step to reduce the cybersecurity and data privacy disclosure risks.

Learn more about our ETSI EN 303 645 testing and certification services here.
