California and The UK Say "No" To Default Passwords On IoT Devices
It’s a well-known secret that you can do a Google search on almost any internet-capable device, such as a router, firewall, switch, printer, or washer and dryer, and obtain the default username and password for that model. Some of these are very creative, like admin/admin or admin/password. Once you know the default credentials, any device of that model that is reachable over the network and still using them is yours to log in to remotely.
As we discussed in a previous blog post about California’s new IoT device law, one of the ways the state addresses its requirement that manufacturers “equip the device with a reasonable security feature or features” is to accept either of two authentication controls: a preprogrammed password that is unique to each device manufactured, or a mechanism that requires the user to generate a new means of authentication before access to the device is granted for the first time. This is not something new; users are accustomed to changing passwords on their accounts and devices. It is just a new way of applying that best practice to IoT devices. There are many arguments as to why it can’t be done, but none that say it is not a good idea.
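As an added illustration (this is not code from the original post, from the California statute, or from any vendor's firmware), here is what a device's first-boot credential flow could look like if it implemented both of those controls at once: a per-device password generated from the OS CSPRNG at manufacture time (the value that would be printed on the device label), stored only as a salted PBKDF2 hash, and a gate that refuses to grant access until the owner replaces that password with one that is not itself a well-known default. The `DeviceAuth` class, the serial numbers, and the small blocklist of common defaults are hypothetical and exist only for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Tuple

# Hypothetical blocklist of the kind of defaults the blog post is talking about.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "default"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Unique per-device password from the OS CSPRNG (done once, at manufacture)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_acceptable_password(candidate: str, previous: str) -> bool:
    """Reject short passwords, well-known defaults, and reuse of the label password."""
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False
    if candidate.lower() in COMMON_DEFAULTS:
        return False
    if hmac.compare_digest(candidate.encode(), previous.encode()):
        return False
    return True


class DeviceAuth:
    """Hypothetical login state for one device, keyed by a constructed serial number."""

    def __init__(self, serial: str):
        self.serial = serial
        # Printed on the label; different for every unit that leaves the factory.
        self.initial_password = generate_device_password()
        self.salt, self.digest = hash_password(self.initial_password)
        # No access is granted until this flag is cleared by a password change.
        self.must_change = True

    def _verify(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def login(self, password: str, new_password: Optional[str] = None) -> str:
        """Returns one of: denied, password_change_required, weak_new_password,
        password_changed, granted."""
        if not self._verify(password):
            return "denied"
        if self.must_change:
            if new_password is None:
                return "password_change_required"
            if not is_acceptable_password(new_password, self.initial_password):
                return "weak_new_password"
            self.salt, self.digest = hash_password(new_password)
            self.must_change = False
            return "password_changed"
        return "granted"


if __name__ == "__main__":
    unit = DeviceAuth("SN-0001")  # constructed serial number
    print("label password:", unit.initial_password)
    print(unit.login("admin"))                                        # denied
    print(unit.login(unit.initial_password))                          # password_change_required
    print(unit.login(unit.initial_password, "admin"))                 # weak_new_password
    print(unit.login(unit.initial_password, "correct-horse-battery-9"))  # password_changed
    print(unit.login("correct-horse-battery-9"))                      # granted
```

The two properties worth checking in a real firmware are the ones the example makes explicit: no two units share the label password, and the label password alone never reaches the "granted" state. Everything else (hash parameters, minimum length, blocklist) is policy that can be tuned.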
The UK government released a code of practice for consumer IoT devices. “The new code of practice outlines 13 guidelines that manufacturers of consumer devices should implement into their product's design to keep consumers safe. This includes secure storage of personal data, regular software updates to make sure devices are protected against emerging security threats, no default passwords and making it easier for users to delete their personal data off the product.”
We have to resist the urge to repeat, in the new IoT landscape, the same cyber security mistakes we already know about, and I think removing the default password is a good first step.