The UK Bans Default Passwords

The UK is the first country to ban default passwords on IoT devices.

On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

The UK may be the first country, but as far as I know, California is the first jurisdiction. It banned default passwords in 2018, the law taking effect in 2020.

This sort of thing benefits all of us everywhere. IoT manufacturers aren’t making two devices, one for California and one for the rest of the US. And they’re not going to make one for the UK and another for the rest of Europe, either. They’ll remove the default passwords and sell those devices everywhere.

Another news article.

EDITED TO ADD (5/14): To clarify, the regulations say that passwords must be either chosen by the user, or else unique to the device. If unique preset passwords are used, they can’t be produced by an algorithm that makes them easily guessable. Here is the actual language of the regulation.
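The regulation's three buckets (user-chosen, unique per device, or derived by an algorithm that makes them guessable) can be checked mechanically. As an added example that is not part of the post, here is a Python fleet check that flags defaults which are shared between units, contain the serial number or MAC printed on the label, or step like a counter across consecutively numbered units, beside a CSPRNG-based provisioning routine; the serials, MACs, the 12-character threshold and the `admin` + serial-tail scheme are constructed assumptions.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def provision_password(length: int = 16) -> str:
    """Compliant per-device default: drawn from the OS CSPRNG, so it is unique and
    cannot be reconstructed from anything printed on the device label."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def serial_password(serial: str) -> str:
    """The weak scheme (assumed for illustration): 'unique' only because it is
    derived from the serial number, which is printed on the same label."""
    return "admin" + serial[-4:]

def device_reasons(password: str, serial: str, mac: str) -> list:
    """Per-device checks: too short, or containing the serial/MAC on the label."""
    pw, reasons = password.lower(), []
    if len(password) < 12:                       # 12 is an assumed minimum
        reasons.append("shorter than 12 characters")
    if serial.lower() in pw or serial[-4:].lower() in pw:
        reasons.append("contains serial number")
    if mac.replace(":", "").lower()[-6:] in pw:
        reasons.append("contains MAC address")
    return reasons

def fleet_findings(devices: list) -> dict:
    """devices: list of (serial, mac, default_password). Returns {serial: [reasons]},
    adding fleet-wide findings: a shared default, and numeric tails that increment."""
    findings, first_seen = {}, {}
    ordered = sorted(devices)                    # production order by serial number
    for serial, mac, pw in ordered:
        reasons = device_reasons(pw, serial, mac)
        if pw in first_seen:
            reasons.append("same default as " + first_seen[pw])
        first_seen.setdefault(pw, serial)
        if reasons:
            findings[serial] = reasons
    tails = [re.search(r"(\d+)$", pw) for _, _, pw in ordered]
    for (prev, _, _), (cur, _, _), t1, t2 in zip(ordered, ordered[1:], tails, tails[1:]):
        if t1 and t2 and int(t2.group(1)) - int(t1.group(1)) == 1:
            findings.setdefault(cur, []).append("numeric suffix increments from " + prev)
    return findings

# Constructed sample fleet (not real devices): consecutive serials, as off a production line.
WEAK_FLEET = [("SN00001231", "00:11:22:33:44:01", serial_password("SN00001231")),
              ("SN00001232", "00:11:22:33:44:02", serial_password("SN00001232")),
              ("SN00001233", "00:11:22:33:44:03", "admin")]
GOOD_FLEET = [(s, m, provision_password()) for s, m, _ in WEAK_FLEET]
```

`fleet_findings(WEAK_FLEET)` flags all three units (serial-derived, counter-like, and plain `admin`), while the CSPRNG-provisioned `GOOD_FLEET` returns an empty dict.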

Posted on May 2, 2024 at 7:05 AM

Comments

Peter May 2, 2024 7:31 AM

Bit click-baity, it’s only on IoT devices, i.e. who cares. The real damage is vendor backdoor default passwords, not user facing ones.

Jos May 2, 2024 8:12 AM

@Peter
IoT devices are also a tool to obfuscate identity; if I am a foreign state actor I can all of a sudden make my actions appear to come from my target country, making it far less suspicious. Using several compromised IoT devices I might even go entirely below the radar when I’m able to work my attack from several IoT sources scattered in the country in sequence.
While it’s marketed as “consumer protection”, that’s not what drives the legislation.

Gilbert May 2, 2024 10:50 AM

I am afraid this might not work. A lot of politicians think you can use laws to fix problems. But criminals do not obey the law. Chinese companies put hardcoded root passwords into products they sell. They don’t even tell customers that those passwords exist. And the UK government is not going to unpack, disassemble and study each appliance firmware to check that, because it takes time, money and needs to be done on each update.

Big sellers of hardware might follow the law because they have a huge market and don’t want their products to be banned from sale in the UK. But IoT appliances are numerous, companies come and go, and they don’t really care. Most of them even put “EC” marks on their products and don’t even follow European certifications.

What the UK is really doing is asking people that put hardcoded, default passwords into their products to stop doing it? They already know it’s not a good idea to hardcode those things. Just look at Cisco: how many times did they get burned with security issues because of those hardcoded “root level” passwords in their products? Again and again, and they keep hardcoding them: https://www.schneier.com/blog/archives/2023/10/cisco-cant-stop-using-hard-coded-passwords.html

Those that do that covertly will surely not obey or follow those laws.

This is one serious issue with politicians: they think complex problems have simple solutions. And they believe that making a law will fix the problem.

It won’t.

Hans May 2, 2024 11:03 AM

@Gilbert
And the UK government is not going to unpack, disassemble and study each appliance firmware to check that, because it takes time, money and needs to be done on each update.

That is not the job of the government. That is the executive branch, and even they can delegate to private control organizations. The lawmakers have to create the basis for the executive to work on.

And they believe that making a law will fix the problem.

Not arguing with the “simple solutions” complaint. But those laws give a basis for the executive or judiciary to work on. Cisco might forget passwords if there is no real risk. But they will not risk getting banned from the British market. Even a threat of a large fine may be enough for a money oriented business. Without laws as such, that threat does not exist.

Who? May 2, 2024 11:09 AM

A nightmare for Fortinet, even if not exactly an IoT manufacturer. They are even worse than Cisco in this area.

lola May 2, 2024 11:27 AM

Bit click-baity, it’s only on IoT devices

…and also not a ban on default passwords, but only “guessable default passwords” (though I can’t find the details in the linked law). Similarly, the California law says a device is okay if “(1) The preprogrammed password is unique to each device manufactured. (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time”—contrary to the Techcrunch summary, there’s no apparent requirement to “change the unique password to something new”; it looks to me like the default password could remain, whether active or temporarily disabled.

So, it’s likely that shipping a product with a per-device default password printed on it, as many router manufacturers do, remains acceptable. The California law doesn’t even require it to be complex or unguessable.

lola May 2, 2024 11:39 AM

Correction: the California law only requires one of those two conditions to be satisfied. So, a password of “admin” is fine if the user’s forced to configure new authentication on first use (even if “admin” remains valid); or, a per-device password printed on the device is fine, and there’s no need to make the user change it (or, apparently, allow them to).

Thanks to noname for linking the actual U.K. requirements (I should’ve refreshed before posting; a working preview button would be nice). They’re basically the same as California’s, with the additional requirement that a per-device password (if used) actually has to be good; not “based on incremental counters [… or] otherwise guessable in a manner unacceptable as part of good industry practice.” It also closes the California loophole that allows the default password to remain active along with the configured one.

JonKnowsNothing May 2, 2024 12:34 PM

@All

Well, at least the hackers will go through the default list quickly and move on to the more likely alternatives.

The old devices will be around for a long time so they will hunt for those first.

The juicy stuff comes once they get access to the new improved password selected since all new stuff will likely use the same or similar.

People are not that creative and they are not going to name every light bulb using a Dice List.

Clive Robinson May 2, 2024 1:51 PM

@ lola, ALL,

Re : addition of guessable.

“…and also not a ban on default passwords, but only “guessable default passwords”

The way you write it suggests you think it is the weaker of the two, rather than the stronger.

A default password would be the same on every device within the model range.

To get around that the manufacturer could change the password to the device serial number or other simple sequence.

Such sequences are easily guessable, especially with “home routers” installed by “Internet Service Providers”.

So the no “guessable default passwords” stops the use of easily “guessable sequences”.

The problem is the use of encryption in a CTR-Mode.

At its simplest it’s a “Counter” (CTR) driving an encryption algorithm in simple substitution mode. The entire security rests on the “secret key” not becoming guessed or used again.

As Stuxnet demonstrated, keeping such secrets secret in a production environment is not really practical.

jdgalt May 2, 2024 4:07 PM

I’m more interested in the requirement to report how long products will receive security updates.

While we’re at it, tell us how long our printers will receive device driver updates. Or simply require the drivers to be open-source so that the market can provide support for them.

lola May 2, 2024 7:08 PM

@ Clive Robinson,

The way you write it suggests you think it is the weaker of the two, rather than the stronger.

My point was only that the headline was incorrect: default passwords are not banned. Just in case people start to wonder why they’re still seeing default passwords printed on the devices they buy.

I’m not sure I fully understand your view that banning all default passwords would be worse than banning only weak default passwords. Are you thinking of people war-driving for devices that are plugged in but whose passwords have not yet been changed? I suppose a strong default password would prevent that, although man-in-the-middle attacks occurring during initial setup would still be a concern.

lurker May 2, 2024 10:14 PM

@lola, @Clive Robinson
re: mitm attacks during initial setup

This is something that always bugged me. Devices come out of the box and allow or require internet access, but will not allow setting up without a connection to that internet. I used preconfigured images where applicable, or did setup on a “private” net which was moderately isolated. Of course that was with devices that had a RJ45 ethernet connection. Your modern IoT device uses WiFi, or BT, or if you’re lucky IP over power line. The manufacturers will tell you it’s cost. Ask them about security, they shrug and turn away …

Baron_von_munschausen May 3, 2024 4:17 AM

@Hans and @Gilbert,

Without testing or auditing, who is going to know if companies are actually complying with this law? Section 27 of the Act authorizes the delegation of an enforcement function by regulations. I wonder what those Regs will say. Maybe it’ll be delegated to the government, or maybe a contractor? … and if a contractor, who will check up on the contractor (remember the Post Office scandal)?

And what about conflict of laws? E.g., despite all these duties imposed on manufacturers, importers and distributors, suppose there is a request for technical assistance — e.g., the state wants a manufacturer to make an exact duplicate of a device for use by the government in [redacted]. What then?

bcs May 3, 2024 10:39 AM

What’s the over/under on how long till someone tries “It doesn’t have a default password because, by default, it doesn’t have a password”?

ResearcherZero May 6, 2024 2:45 AM

Life cycle of some common IoT devices:

‘https://blog.noip.com/thank-next-life-cycle-iot-devices-honor

“We applied our approach to a large number of EoL models from three vendors (D-Link, Tp-Link, and Netgear) and detect the alive devices in a time period of more than two years.”

“More than 2 million active EoL devices are vulnerable, and nearly half of them are threatened by high-risk vulnerabilities. Furthermore, more than half of the vulnerabilities (182 of 294) are discovered after the EoL date.”

https://ieeexplore.ieee.org/document/10321684

It’s a sizable investment to provide up to 10 years of maintenance.

90% of software life cost is related to its maintenance phase. A dedicated software developer for maintaining software will cost around $25 to $120 per hour.

Not all products are equipped to support OTA (Over the Air) updates.

‘https://www.sciencedirect.com/science/article/pii/S1084804520302538

https://www.lantronix.com/blog/component-lifespan-considerations-for-industrial-iot-oems/

Escaped the Moderator May 6, 2024 4:23 AM

I have not investigated (lazy, or not enough time, or poor time-management), but I don’t know if this catches OpenWrt.

When this FLOSS software is first loaded onto SOHO routers, the administrator account has a default password: but the defined WAN connection/routing is disabled until someone logs in from a LAN connection and changes the administrator password. Would this be compliant?

WiFi devices that have only local WiFi and local LAN connections are a problem, I would think, as there currently appears to be no way of loading the current OpenWrt software that complies with the legal requirements.

Does the legislation allow for ‘forced change of default password on first use’?
