The security of the Internet of Things (IoT) is a source of growing concern. Many devices are being used with poor security protections, making it easy for hackers to install malware and use the devices as part of botnet attacks. But is California’s weak password ban the solution to IoT security?
The ban, which is part of a law targeting improved online security, will come into effect from 2020. It would compel gadget-makers to issue each device with a unique password rather than a standard option such as ‘admin’ or ‘password’.
Often the companies or other end users of such devices never change the default password, contributing to weak IoT security.
Poor security on some gadgets, particularly connected home devices, has proved extremely beneficial to hackers, making it easy for them to install malware on large numbers of devices. Common uses of such malware are to conscript the device into a vast, multi-device attack on a website or online service, or to force it to mine cryptocurrency for the attacker.
The theory behind the law is that making stronger passwords a legal requirement would end the ease with which hackers can gain control of such devices. But while there is some value in the approach, cybersecurity professionals remain unconvinced.
“I think the law that the State of California is contemplating is a great first step, but it’s just a first step in a very long road to ensuring security around the globe,” said Bill Evans, senior director at One Identity.
IoT security goes beyond default passwords
For cybersecurity experts, the challenge of device security involves the intersection of several issues, all of which need to be tackled in order to improve IoT security in general.
“Default passwords are just one of many different ways in which devices get compromised. This does not address anything other than default passwords,” said Amit Sethi, senior principal consultant at Synopsys.
“This will certainly get connected device manufacturers to think about the problem of default passwords. But it is unlikely to make connected devices more secure.”
Sethi argued that while the default password issue has already been partially solved by organisations, other issues remain unchecked.
“The problem is that most organisations with good security programs have already addressed issues like this; organisations that do not have good security programs will probably not get the solution right,” he said.
“An obvious problem is that uniqueness does not imply that it is difficult to guess. For example, using device serial numbers as passwords would likely be in compliance with the law, but would result in poor security.
“Another issue is that the password uniqueness requirement only appears to apply to connected devices that are ‘equipped with a means for authentication outside a local area network’. This assumes that connected devices are deployed in completely trusted local area networks – this is rarely the case in real life.”
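As an added illustration of Sethi's point (example code, not from the article or from Synopsys), the Python check below audits a per-device credential scheme twice: once for the uniqueness the law asks for, and once for guessability, which it does not. The sample serial numbers, the default-password list and the 60-bit entropy floor are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample fleet: serial numbers as a manufacturer might print them.
SAMPLE_SERIALS = ["SN00012345", "SN00012346", "SN00012347"]
# Illustrative shared factory defaults of the kind the law bans (assumed list).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "root", ""}
ALPHABET = string.ascii_letters + string.digits
MIN_BITS = 60.0  # assumed policy floor for a factory-set credential

def serial_scheme(serial: str) -> str:
    """Hypothetical scheme that satisfies a literal uniqueness rule: password = serial."""
    return serial

def random_scheme(serial: str, length: int = 16) -> str:
    """Per-device password drawn from a CSPRNG at manufacture; the serial is ignored on purpose."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def estimated_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the character classes actually used)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0

def weakness_reasons(password: str, serial: str) -> list:
    """Reasons a factory credential is guessable; an empty list means it passes."""
    reasons = []
    if password.lower() in COMMON_DEFAULTS:
        reasons.append("shared default")
    if serial.lower() in password.lower() or password.lower() in serial.lower():
        reasons.append("derivable from serial number")
    if estimated_bits(password) < MIN_BITS:
        reasons.append("below minimum entropy")
    return reasons

def audit_scheme(scheme, serials) -> dict:
    """Report whether a fleet's credentials are unique (what the law checks) and how many are weak (what it misses)."""
    creds = {s: scheme(s) for s in serials}
    unique = len(set(creds.values())) == len(creds)
    weak = sum(1 for s, pw in creds.items() if weakness_reasons(pw, s))
    return {"unique": unique, "weak_devices": weak}
```

Run against the sample fleet, the serial-number scheme reports unique credentials on every device yet flags all of them as weak, while the CSPRNG scheme passes both checks.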
The challenge facing IoT security in businesses
As the number of IoT devices multiplies – something that is set to continue in both business and consumer settings – so too does the number of passwords that need to be managed. And in a business setting, this poses very real risks to security.
“The challenge with the specific California law is that it doesn’t address the core issue that enterprises have, which is managing all the admin passwords in an automated fashion,” said Evans.
“While it’s great to implement legislation that requires each device to ship with a unique password, lazy admins will simply change them back to a standard set of credentials and render the solution moot. The underlying problem is: how does a large organisation administer dozens, hundreds or thousands of unique credentials?”
Alternative approaches to IoT security
If the California weak password ban is not the solution, what is a better approach? While cybersecurity experts are divided, they do have their own proposals.
“A better approach would be one that does not mandate specific action. Rather, governments should use the levers at their disposal to incentivise enterprises to solve the problems in ways that meet their needs,” suggested Evans.
“An example would be tax incentives. Imagine a regulation that suggests that every dollar spent on a privileged management solution can be deducted from next year’s tax burden. Governments should use the ‘carrots’ available to them, rather than the ‘sticks’, to incentivise enterprises to make the security investments that are best for them.”
By contrast, Javvad Malik, security advocate at AlienVault, argued that requirements should be more significant.
“Not only should simple default passwords be avoided, but users should be forced to change the password on first use. Additionally, the UI should be intuitive so that changing a password is easy for customers,” he said.
“Keeping the devices updated should also be a requirement, so that any patches or security fixes can be easily deployed.”
However, he argued that it was too soon to legislate.
“There are probably other issues that will come to light in this regard over the years as more and more devices have internet-capabilities built in; so regulation at this stage would seem premature, as it could force design changes that could introduce other unforeseen issues,” said Malik.
For Nabil Hannan, managing principal at Synopsys, the answer lies in two-factor authentication:
“A much better solution would be to enforce users having to use two-factor authentication by default. This way, even if their password is breached, attackers cannot log into the applications as that user since they wouldn’t have access to the second factor.”