19/07/2019
Abuse of default passwords has gotten worse since I first posted about it here five years ago.
Threatpost recently posted an article discussing the issue of passwords for IoT (Internet of Things) devices. Many such devices, networked doorbells for example, give the owner no way to set a unique, strong password and often communicate without encryption, so attackers can take over individual devices or whole fleets of them.
IP cameras and baby monitors have been vulnerable to open access for some time. Web sites (which I will not reveal here) allow people to watch "security" cameras, listen to room monitors, and sometimes disable or redirect cameras and microphones.
Stopping Cars
Motherboard reported that a hacker was able to break into the accounts of GPS tracking apps and remotely stop the vehicles they were fitted to, provided the vehicle was travelling under twelve miles per hour. His method was simple: he guessed usernames and tried the app's default password, 123456. That qualifies as scary stuff in my book!
There Is Good News!
There may be relief for users of devices sold in California. The state has mandated that connected devices manufactured in 2020 and beyond ship with a password unique to each device, according to TechCrunch (the statute also accepts the alternative of forcing the user to set a new password before the device can be used for the first time). If you are concerned that devices manufactured overseas, or in other states on behalf of California companies, will not be covered, fear not. The law states "(c) "Manufacturer" means the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in California." One caveat: "unique" is not the same as "strong". A password derived predictably from the serial number or MAC address printed on the label is unique to the device and still guessable, so a forced change at first use is the better of the two options. Even so, this may be an initial death knell for default passwords.
What Can I Do?
You can do three things right now:
- If you have any potentially vulnerable IoT devices (as described in the Threatpost article), block outbound UDP port 32100 at your router. The method varies by router and is significantly different for enterprise and home devices. Note that the usual "everything not explicitly permitted is prohibited" default on routers applies to unsolicited inbound connections; the affected devices initiate the connection themselves, outbound to port 32100, and most routers allow all outbound traffic by default, so you need an explicit outbound (or forwarding) rule to stop it.
- Buy only devices known to use secure protocols, as noted in the Threatpost article.
- Change your default passwords when you can, whether on your router, GPS car application, or security camera. If no password is set and there is an option to set one, do so!
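Before blocking the port it helps to know which devices on your network are actually talking on it. The following script is an added example for this post, not code from the original article or from any vendor: it reads iptables LOG lines from a Linux-based router and reports each LAN host that has initiated UDP traffic to port 32100 and the external peers it reached. The log lines and the 192.168.1.0/24 LAN range are constructed for illustration; adjust `LAN` to your own network and feed it your real syslog.

```python
"""Find LAN hosts that have initiated UDP traffic to port 32100, the port the
vulnerable P2P firmware uses, from a router's iptables LOG lines.

Added example for this post, not code from the original article or from any
vendor. The log lines and the 192.168.1.0/24 LAN range are constructed for
illustration; adjust LAN to your own network."""
import ipaddress
import re
from collections import defaultdict

P2P_PORT = 32100
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample in the shape iptables writes for
#   iptables -I FORWARD -p udp --dport 32100 -j LOG --log-prefix "FWD "
# (fields a real kernel line also carries, such as MAC= and TTL=, are omitted).
SAMPLE_LOG = """\
Jul 19 10:01:02 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=32100 LEN=40
Jul 19 10:01:03 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=UDP SPT=53412 DPT=443 LEN=1200
Jul 19 10:01:04 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=32100 LEN=40
Jul 19 10:01:05 router kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.88 DST=192.168.1.2 PROTO=UDP SPT=5000 DPT=32100 LEN=40
Jul 19 10:01:06 router kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.57 PROTO=UDP SPT=32100 DPT=40000 LEN=40
Jul 19 10:01:07 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=32100 LEN=60
not a firewall line at all
"""

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {'src', 'dst', 'proto', 'dport'} for an iptables LOG line, else None."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"].upper(),
            "dport": int(fields["DPT"]),
        }
    except ValueError:  # malformed address or port
        return None


def find_p2p_talkers(log_text, lan=LAN, port=P2P_PORT):
    """Map each LAN source address to the set of external peers it sent UDP/port to.

    Only outbound flows count: a LAN source and a destination outside the LAN.
    Replies from the outside (SPT=32100), LAN-internal chatter and TCP to the
    same port number are ignored; the advice in the post concerns outbound UDP.
    """
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] != "UDP" or pkt["dport"] != port:
            continue
        if pkt["src"] in lan and pkt["dst"] not in lan:
            talkers[str(pkt["src"])].add(str(pkt["dst"]))
    return dict(talkers)


if __name__ == "__main__":
    for host, peers in sorted(find_p2p_talkers(SAMPLE_LOG).items()):
        print(f"{host} reached UDP/{P2P_PORT} on: {', '.join(sorted(peers))}")
```

On the constructed sample only 192.168.1.57 is reported, with two external peers; the LAN-internal packet, the inbound reply and the TCP packet are all skipped. The LOG rule must sit before the DROP rule (`iptables -I FORWARD -p udp --dport 32100 -j DROP` on a Linux-based router) or nothing will be logged. Each host the script lists is one to isolate, re-configure or replace.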
Sometimes you can't do anything. Cnet reported on a breach of data impacting 80 million US households. The interesting part of that particular brief was that the data was not protected by any password at all. Here the default was "no password".
There are two significant issues here: default or absent passwords, and passwords in general. Passwords are so pervasive that I do not see their demise any time soon. Until then, we need to keep using good, strong passwords wherever possible and enable other authentication methods, such as multi-factor authentication, whenever we have the opportunity.
To your safe computing,