Default passwords are the routers of all evil

Posted by Zenobia Hegde, January 5, 2017

All these Mirai botnet stories can’t be helping the IoT industry, can they? Still, on the basis that all publicity is good publicity, perhaps some good will come out of the recent network hijackings.

Don’t laugh, but it could even be a marketing opportunity. Maybe kit manufacturers could contact all their customers and encourage them to upgrade devices.

A more realistic option for router makers is to get creative when persuading customers to change their default passwords. Password prompts are boring and lectures are even worse. But not as tedious as the notes that come with every ‘plug and play’ device. Who writes them? They make the authors of software license agreements look like Ricky Gervais, says Nick Booth, freelance IT and communications writer.

Manufacturers of devices will need to do something drastic to get people to pay attention to passwords, or everyone will continue to ignore them. As a result, hackers will have a field day hijacking the IoT. Stephen Gates, chief research intelligence analyst at Nsfocus, says IoT-based attacks will be The Big Trend for 2017.

Logistics is the big problem the kit makers face. Fair enough, it would cost manufacturers dearly to give each device a unique password. But it’s not OK to assume that everyone will change their default password for their device. Especially if you don’t make a big fuss about it. Meanwhile, the customers are guilty of assumption too.

They’ve assumed that their suppliers would give them prior warning about securing these devices – in the same way that people who bought mobile phones assumed that the voicemail service wasn’t easily hacked by tabloid journalists.

There was an assumption that the service providers – who are passionate about customer service, don’t forget – would have a duty of care. It turns out they were not that passionate. Given the lack of warnings that are given to clients when they install their devices, they could be forgiven for assuming that security was no big deal.

Each side is convinced the other will take responsibility. Assumption, as they say in the logistics business, is the mother of all cock ups.

It’s understandable if an end user doesn’t bother to read all the notes that come with their device. If you sat down and read all the small print alluding to every piece of software, hardware and ‘important changes to your account’ you’d never get anything done. Your name would come up in HR crisis meetings.

There must be a creative solution to this. Surely it’s not beyond the wit and imagination of the IoT industry to devise some enforcement schemes. They owe it to us anyway. After all, if you are going to build a world run by machines, you shouldn’t make it easy for Dr Wannabe Evil to take it over.

There seem to be two options open to manufacturers, the Carrot and the Stick. Neither of them has been used yet, with device makers seemingly preferring to fall back on finger pointing. There must be ways to incentivise end users to make the effort.

Maybe vendors could bestow a prize on a random network or security manager who secured their network. Surely this would work as a marketing stunt too. Or maybe the vendor should try shock tactics, like the police use on homeowners. Perhaps they could randomly email network managers, saying, “we just tried hacking your router and noticed you’ve left it open.”

James Wickes, founder of community surveillance company Cloudview, is exactly the sort of person I’d expect to go for this carrot and stick approach. But he is having none of it.

“Rewarding people for changing their passwords is a bit much,” said Wickes, “you can only go so far with rewards and punishment and I’d hope that the recent spate of attacks would serve as a warning.”

Wickes advocates a kite mark for IoT security. “I believe that manufacturers have a responsibility to ensure the safety of the equipment they sell, just as car makers should ensure their cars are safe,” said Wickes.

Well, they don’t, and standards committees will never keep pace with cyber criminals. So, in the meantime, has anyone got any better ideas?

The author of this blog is Nick Booth, freelance IT and communications writer.
