IoT password ban a start, but admins can’t afford to wait for regulators

IoT password ban a start, but admins can’t afford to wait for regulators

The United Kingdom’s world-first ban on default and easily-guessable passwords for connected devices is a welcome step – but just the first toward securing the rapidly expanding landscape of the Internet of Things (IoT).

While outlawing passwords like “admin” and “12345” raises the security baseline, the legislation doesn’t go far enough in mandating firmware updates and built-in security capabilities. Enterprise admins must therefore remain vigilant against other glaring device loopholes in the smart office.

With IoT attacks quadrupling over the past five years, and the threat of IoT botnets only growing, admins can’t afford to wait for regulators. Here’s how they can tighten cybersecurity and regain control over their enterprise’s device ecosystem.

Carsten Rhod Gregersen

CEO and Founder, Nabto.

The war on weak passwords

This sort of ruling has been a long time coming for default passwords – and that’s because they’re extremely dangerous. Simple user-password combinations are easily guessable or crackable, turning devices into potential entry points or compromised online assets.

Recent research is sobering: attackers need only five common password sets to access an estimated 10% of all internet-connected devices. The Mirai malware, which hijacked over 100,000 home routers for massive distributed denial-of-service (DDoS) attacks, used just 62 username-password combinations.

This is an escalating issue. IoT botnets have emerged as a major DDoS traffic generator, with compromised devices disseminating malware, stealing data, and enabling other cyberattacks. The number of botnet-driven DDoS devices rose from around 200,000 last year to approximately 1 million today, accounting for over 40% of all such traffic.

Implemented in April, The UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTI) aims to address this by mandating that devices either have a randomized password or generate a unique one during initialization. Non-compliance is a criminal offense with penalties of up to £10 million or 4% of global revenue, whichever is higher.

For years, pundits expected market forces would compel device makers to improve password practices. But, without them stepping up, the government is stepping in and also instructing manufacturers to establish means for reporting security issues and detailing the timeline of security updates for their connected products.

Enterprises, don’t wait for regulators

This isn’t to say the act is perfect. For example, there are no specific rules that dictate the minimum timeline for reporting the above security updates. Worse, the standards lag behind comparable regions and regulations. The PSTI only meets 3 out of 13 IoT security guidelines from the European Telecommunications Standards Institute. Further, the regulation falls short of the more rigorous Cyber Resilience Act in Europe. This suite of connected device rules – slated for 2027 – goes a few steps further by mandating hardware and software support throughout the entire product lifecycle as well as automating updates.

Make no mistake, the PSTI is a positive step and tackling generic passwords is crucial. It’s also head and shoulders above the optional consumer checkmark solution put forward in the United States. But for enterprises operating today, regulations can only provide so much protection, and what they protect and how far they go will depend on where you are. The onus of achieving comprehensive protection ultimately falls on IT professionals to secure their connected device ecosystems.

This means adopting cutting-edge tools and best practices now. There are no excuses – unique credentials and multi-factor authentication are the minimum. Or, consider doing away with passwords altogether and opting for Public Key Infrastructure (PKI). This method uses asymmetric cryptography to establish an initial trust setting between the client and the target device, where a generated key replaces the password and grants authentication. Not only is this a far safer form of single-factor authentication, but it renders brute-force attacks impossible.

But that’s just the start. Rigorous asset discovery, network segmentation, and continuous monitoring are critical. Likewise, redouble efforts to lock down connections by encrypting all data in transit and ensuring direct peer-to-peer communication. Finally, don’t assume and always verify by following the principles of zero trust.

The future of secure devices is up to admins

The security imperative is immediate for admins. Don’t wait for slowly turning policy gears – the future of your connected infrastructure depends on decisive action today.

This begins with the basics like the above security controls. It also requires thinking critically about the device’s origins. Where does a given device come from? Who is the manufacturer and what are their security priorities and track record? These considerations can’t be dismissed in our landscape of pervasive supply chain risks.

Additionally, scrutinize the operating system and inner workings. Is it a full-fledged, high-end Linux distribution with a complex attack surface and potential backdoors? Or a real-time operating system (RTOS) purposely streamlined for the dedicated task? Admins must weigh whether the benefits of advanced capabilities justify the increased risk footprint. Simplicity and security restraint may be the wiser path for many IoT use cases.

It’s heartening to see regulators catch up with the stark cybersecurity realities of modern devices. Nonetheless, top-down mandates can only go so far as to protect you and your business. Ultimately, securing your connected future demands judicious device choices – rigorously vetting device origin, favoring secure-by-design architectures, and customizing the defaults. Until standards fully mature, you’re the last line of defense.

We’ve listed the best business password manager.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

Carsten Rhod Gregersen

Leave a Reply