
Password compliance with the UK Product Security and Telecommunications Infrastructure Bill
Introduction
The technical landscape for modern electronics and devices is complex.
Historically, once a consumer device such as a speaker, television or dishwasher had made it to a production line, modifications to the product were out of the question. Devices were in a carefully designed, known good, trusted state by this point, with predictable behaviour and a relatively predictable shelf life. Any changes were going to be expensive for the business, and therefore carefully planned and scrutinised. The product would continue to operate as intended because there was no outside force trying to constantly fiddle with it. These were the good old days, but they are for the most part well and truly gone.
Device manufacturers are now under pressure to pack as many features into their devices as possible in order to win the consumer war, which means most hardware devices are now really software devices just pretending to be hardware devices. Fridges, which used to be simple white metal appliances with a single mission to cool their contents using simple pumps and heat exchangers, are now trying to sense their contents, determine which foodstuff might be going bad, guess who is about to open the door and offer internet-based reordering services.
These new features deliver consumer value but require design complexity. Complexity demands connectivity and connectivity means risk. Even if connectivity isn’t really required to carry out the core tasks of the device, once a certain threshold of complexity has been crossed connectivity is going to be required. Removing software bugs, extending the life of internal components like batteries and motors, adding new competitive features and offloading expensive computing tasks to central servers can all be achieved cheaply if our devices are internet connected. This makes it a logical design strategy for modern manufacturers, but the security industry has been slow to support the needs of this revolution and this has created issues.
Connectivity Consequences
Introducing connectivity into consumer devices brings risk on multiple fronts. There is clearly technical and reputational risk to the device manufacturers themselves if something goes wrong (about which some major brands will care greatly while smaller offshore manufacturers may not care at all), but this is just the beginning.
Poorly secured IoT devices have already been misused by determined hackers in almost every conceivable scenario over the past few years. From intruding on consumer privacy, to compromising previously well secured parts of a host network, to commanding massive bot armies of vulnerable devices in order to launch powerful attacks against industries and even countries – no opportunity to misuse an IoT weakness has been wasted.
Security vulnerabilities in software and even electronics are not a new phenomenon, but the sheer scale and pervasiveness of the IoT problem now has the industry and regulators very worried.
Traditionally, dealing with vulnerabilities in consumer products has been a relatively well understood process of risk identification and management. If problems existed in a product but there was no connectivity, then the operating parameters were usually well known and the likelihood and impact of something bad happening were easily determined and usually too insignificant to worry about. In fact, the chances of a vulnerability ever being discovered when a product has never been exposed to the internet are incredibly low because there isn’t much point or opportunity for anyone to even go looking for one.
Not surprisingly, most consumers in the western world have come to believe that their home computers are the only devices which need treating with some caution, and that everything else they hook up will work the way it always has. Reliably and safely.
The IoT revolution is bringing exciting new opportunities to manufacturers, businesses and consumers, but without due care and attention it will also “tool up” criminal enterprises with an unprecedented opportunity to unleash complete havoc on our lives.
Regulators… Mount Up
The IoT security issues have been on a lot of people’s radars for a long time, as IoT is seen as presenting a genuine threat to the national security of every developed country. This might sound dramatic, but when you can no longer be sure that your office fridge isn’t uploading your private conversations to the internet without your knowledge it becomes a problem. Equally, if an unknown individual has the ability to take control of five million devices around the world due to easily guessable passwords it almost doesn’t matter what those devices are anymore. Having total control of five million of anything has the potential to cause a lot of damage.
The situation is now such that the theoretical attacks which have been circulating amongst the security industry for years are being actively and frequently exploited by criminals, and now Governments and regulators are stepping in to try and break the cycle.
The European Standards Organisation (ETSI) has published a paper called Cyber Security for Consumer Internet of Things: Baseline requirements (EN 303 645) which establishes a number of security controls which should be implemented in order to provide a baseline level of security to IoT devices.
Elements of this paper are now being written into law by the UK Government under the Product Security and Telecommunications Infrastructure Bill and will require manufacturers, importers and distributors to ensure that their products meet certain security standards or face fines of up to £10m or 4% of turnover. The security requirements which are to be set out in the regulations critically include a ban on default passwords.
Default and weak passwords have been the biggest vulnerability for IoT devices over the last decade or more, so this step is a positive move towards an enhanced security regime for the IoT industry. Lists of manufacturer default passwords are easily sourced on the internet, meaning any hardware belonging to users who aren’t forced (or able!) to change them becomes an instant target.
Futureproofing an approach to prevent weak IoT passwords
Internet crime is a thriving business and ever evolving. Attackers are constantly exploring new ways to bypass current security measures and this will certainly be true for default passwords too.
While removing default passwords from IoT devices is a solid first step to improving IoT device security and it moves the needle significantly from where it is today, it won’t be enough to prevent an IoT device password compromise for very long.
Removing default passwords and enabling (or forcing) consumers to make their own password selection will ultimately end up pivoting the issue from being a password predictably set by the manufacturer to being a password predictably set by the consumer.
It will remove one of the risks of widescale automated device compromise through a default password – which is progress, but the secondary issue of account / device compromise will remain a problem and be the next challenge manufacturers are inevitably asked to address.
Consumers frequently choose to reuse the same password across their personal accounts, but many fail to realise that the passwords they have used in the past have already been stolen, leaked and shared on criminal markets due to a myriad of third-party data breaches.
Allowing or forcing users to set their own passwords on IoT devices without first checking whether the credential they have chosen is one that has already been stolen from them is a problematic approach. It is vulnerable to technical exploitation and no doubt will become the subject of future regulatory focus. As device manufacturers begin considering their options for compliance with the new regulations, they should also consider how they can future-proof the design decisions being made today.
The usual infosec solution to password insecurity is to recommend implementing Multifactor Authentication (MFA), but this is not a workable solution for IoT devices.
One option is to implement a unique password for each device coming off the production line during the manufacturing process. This is being done relatively routinely now with the likes of internet router manufacturers, where each device is coded with a unique password and the password is also printed and shipped with the device. It is an effective and relatively secure way to avoid default password issues, but can be expensive to implement.
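A sketch of that factory step, added here as an illustration and not taken from any manufacturer's process. The alphabet, password length, scrypt parameters and record layout are all assumptions; the point shown is that each password comes from a CSPRNG rather than from the serial number or MAC address, and that only a salted verifier is flashed to the device.

```python
import hashlib
import math
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so the printed label
# can be typed reliably by the consumer. Alphabet and length are assumptions.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LENGTH = 16
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters


def entropy_bits(length=PASSWORD_LENGTH, alphabet=ALPHABET):
    """Bits of entropy in a uniformly random password of this shape."""
    return length * math.log2(len(alphabet))


def provision_device(serial):
    """Build the factory record for one device (hypothetical record layout)."""
    # Drawn from the OS CSPRNG, never derived from the serial or MAC address.
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
    salt = secrets.token_bytes(16)
    # Only a salted scrypt verifier is flashed to the device; the plaintext
    # goes to the label printer and nowhere else.
    verifier = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"serial": serial, "label_password": password,
            "flash": {"salt": salt.hex(), "verifier": verifier.hex()}}


def verify(record, attempt):
    """Device-side check of a login attempt against the flashed verifier."""
    flash = record["flash"]
    candidate = hashlib.scrypt(attempt.encode(), salt=bytes.fromhex(flash["salt"]), **SCRYPT)
    return secrets.compare_digest(candidate.hex(), flash["verifier"])


def provision_batch(serials):
    """Provision a production batch and refuse to ship duplicate passwords."""
    records = [provision_device(s) for s in serials]
    if len({r["label_password"] for r in records}) != len(records):
        raise RuntimeError("duplicate password in batch; regenerate")
    return records
```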
The second option is to allow the user to set their own username and password during setup and integrate the device with a credential checking service. Credential checking services work by monitoring for stolen username and password pairs and securely checking for matches against the credential being chosen by the user as it is being entered on the device during setup and login. It is critical if implementing a credential checking service that one is chosen which will never require any Personally Identifiable Information (PII) to be transmitted away from the device as part of the check. There are cryptographic techniques that can be employed to enable thorough and rapid checks without the need for any PII to be shared.
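One such technique is a k-anonymity hash-prefix query, shown below as an added example; it is not code from this article or from any particular checking service. The `BreachService` class, the 5-character prefix, the use of SHA-256 and the sample pairs are assumptions made for the demonstration.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # hex characters sent to the service (20 bits); assumed value


def credential_digest(username, password):
    """Hash the username/password pair; only this digest is ever compared."""
    material = username.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(material).hexdigest()


class BreachService:
    """In-memory stand-in for the remote checking service (hypothetical)."""

    def __init__(self, stolen_pairs):
        self.buckets = {}
        for user, pw in stolen_pairs:
            digest = credential_digest(user, pw)
            self.buckets.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
        self.seen_requests = []  # everything the service learns from devices

    def range_query(self, prefix):
        """Return every known digest suffix that shares the given prefix."""
        self.seen_requests.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_compromised(service, username, password):
    """Device-side check: send only the prefix, match the suffix locally."""
    digest = credential_digest(username, password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    hit = False
    for candidate in service.range_query(prefix):
        # Constant-time compare with no early exit, so timing reveals nothing.
        hit |= hmac.compare_digest(candidate, suffix)
    return hit


# Constructed sample corpus for the demonstration, not real breach data.
SAMPLE_CORPUS = [("alice@example.com", "Summer2019!"),
                 ("bob@example.com", "fridge123")]
```

The service sees only a short digest prefix that many unrelated credentials share, so it cannot tell which credential was checked or whether the check matched; the device rejects the chosen password when `is_compromised` returns `True`.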
Conclusion
The internet has become the backbone of the modern world and being competitive means being connected. This has been true for some time now, but the time for Governments and economies to demand better security from IoT manufacturers has arrived.
Protection through regulation is inevitable when a technological innovation gains critical mass. This plays out pretty much everywhere eventually, including our Telecommunications industry, the cryptocurrency markets, and social media. IoT is no different, and now that the regulations have started, smart manufacturing will look and plan ahead to what will be required tomorrow, not just implement the minimum that is required of it today.