The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI, where she investigated cybercrime; a seasoned corporate executive who built and operated information security teams; and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsels on how to legally protect their company from cyber-related risk.

California and The UK Say "No" To Default Passwords On IoT Devices

See Article Here

It’s a well-known secret that you can do a Google search on any particular internet-capable device (router, firewall, switch, printer, washer and dryer, etc.) and obtain the default username and password for the device. Some of these are very creative, like admin/admin or admin/password. Once you know the default credentials, you are able to remotely access that device.

As we discussed in a previous blog post about California’s new IoT device law, one of the ways the state is trying to address its requirement that manufacturers “equip the device with a reasonable security feature or features” is to require a preprogrammed password unique to each device and require a user to generate a new password before access to the device is given for the first time. This is not something new: users are accustomed to changing passwords on devices, and this is just a new way of applying that best practice to IoT devices. There are many arguments as to why it can’t be done, but none that say it is not a good idea.

The UK government released a code of practice for consumer IoT devices. "The new code of practice outlines 13 guidelines that manufacturers of consumer devices should implement into their product's design to keep consumers safe." "This includes secure storage of personal data, regular software updates to make sure devices are protected against emerging security threats, no default passwords and making it easier for users to delete their personal data off the product."

We have to resist the urge to repeat the same cyber security mistakes we know in the new IoT landscape, and I think removing the default password is a good first step.