EU calls for End to Default Passwords on Internet of Things

A group representing European telecommunications firms last week published technical specifications for securing a wide range of consumer Internet of Things devices including toys, smart cameras and wearable health trackers.

The new technical specifications, dubbed TS 103 645 (PDF), call for connected device makers to ban the use of default passwords for connected, consumer devices. They also call on connected device makers to make it easy for users to delete their personal data.

The standards come from the European Telecommunications Standards Institute (ETSI), an independent, not-for-profit, standardization organization for the telecommunications industry in Europe. According to the group, they are intended to govern the security of a wide range of consumer devices that connect to the Internet, home networks or “network infrastructure” more broadly. Among the examples listed in the specification are connected children’s toys, baby monitors, smart cameras and televisions, wearable health trackers and home automation systems.

TS 103 645 is intended to provide “high level” guidance for organizations that are developing or manufacturing consumer IoT devices. Commercial IoT products such as those used in industry, manufacturing and healthcare are not the focus of the specifications, ETSI said.

At the top of the list of ETSI’s recommendations: no universal default passwords. That comes after a raft of reports and independent analyses of connected devices have identified weak authentication schemes as a major security issue.

“Many IoT devices are being sold with universal default usernames and passwords (such as “admin, admin”) for user interfaces through to network protocols,” the ETSI report notes. “This has been the source of many security issues in IoT and the practice needs to be discontinued.”

ETSI advises device makers to follow “best practice on passwords and other authentication methods” and to consider implementing “unique and immutable identities” for connected devices.

ETSI’s specification is just the latest guideline to call out weak default passwords. In the U.S., California in September became the first state to regulate the security of Internet of Things devices with the passage of a law, SB-327, that requires makers of Internet connected devices to supply them with “reasonable” security features. That law also outlaws generic and default credentials for connected devices.

While calling out authentication, the ETSI guidance advises device makers to have a clear vulnerability disclosure policy for independent security researchers and a policy of acting on reported software security holes in a “timely manner.” Additionally, companies should continuously monitor their own software for security holes and fix them when they are discovered.

Other parts of the new standard call on device makers to provide regular updates for the software on their devices and to use software updates to manage the security of the “entire software supply chain.” ETSI calls on device makers to ensure that their products continue to work during the update and that, where software updates aren’t possible, hardware can be replaced if needed.

Finally, ETSI calls on device makers to implement a hardware root of trust that can verify the integrity of software running on an IoT endpoint.

“If an unauthorized change is detected to the software, the device should alert the consumer and/or administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function,” ETSI advised.
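The boot-time behaviour ETSI describes above, as an added illustration that is not from the ETSI specification or any vendor’s firmware: an integrity tag is recomputed over the firmware image using a device-unique key, and if it does not match, the device enters a restricted state that raises an alert and permits network egress only to the alerting host. The key, image bytes and `alerts.vendor.example` host are constructed placeholders, and an HMAC stands in for the public-key signature a real hardware root of trust would verify, so that the example runs offline.

```python
import hashlib
import hmac

# Constructed example values: a device-unique key that would normally be held
# by the hardware root of trust, and a hypothetical alerting endpoint.
ROOT_OF_TRUST_KEY = b"example-device-unique-key-not-a-real-secret"
ALERT_ENDPOINT = "alerts.vendor.example"


def sign_image(image: bytes, key: bytes = ROOT_OF_TRUST_KEY) -> bytes:
    """Tag the manufacturer stores beside the image (HMAC over the SHA-256 of the image).
    A production root of trust would use a public-key signature here instead."""
    return hmac.new(key, hashlib.sha256(image).digest(), hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes = ROOT_OF_TRUST_KEY) -> bool:
    """Recompute the tag at boot and compare it in constant time."""
    return hmac.compare_digest(sign_image(image, key), tag)


def boot_policy(image: bytes, tag: bytes) -> dict:
    """Decide what the device may do after the integrity check.
    A clean image runs normally; a modified image raises an alert and is
    confined to the single host needed to deliver that alert."""
    if verify_image(image, tag):
        return {"state": "normal", "alert": None, "allowed_hosts": None}
    return {
        "state": "restricted",
        "alert": "firmware integrity check failed",
        "allowed_hosts": {ALERT_ENDPOINT},
    }


def egress_allowed(policy: dict, host: str) -> bool:
    """Network filter driven by the boot policy: None means unrestricted,
    otherwise only the listed hosts may be contacted."""
    allowed = policy["allowed_hosts"]
    return allowed is None or host in allowed


if __name__ == "__main__":
    firmware = b"constructed firmware image v1.0"
    stored_tag = sign_image(firmware)
    print(boot_policy(firmware, stored_tag)["state"])                 # normal
    tampered = firmware + b" + unauthorized change"
    restricted = boot_policy(tampered, stored_tag)
    print(restricted["state"], egress_allowed(restricted, "cloud.example"))
```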

The ETSI guidance is voluntary, but ETSI notes that it can help to ensure that IoT devices are compliant with the EU’s General Data Protection Regulation (GDPR) and help device makers implement a future EU common cybersecurity certification framework as proposed in the EU Cybersecurity Act.

The ETSI guidelines track closely to the California IoT security law. At the federal level in the U.S., efforts to pass comprehensive security or privacy laws for the Internet of Things have fallen flat. A bill proposed by Senator Mark Warner (D-VA) in 2017, the Internet of Things Cybersecurity Improvement Act, died in committee. So too did a bill proposed in the House in 2018.

No similar legislation has been proposed for the 116th Congress, though lawmakers from both parties have identified cyber security as a top priority.

Security experts generally support IoT security legislation and technical standards, noting that they provide a baseline of “best practices” for device makers to follow. However, specific proscriptions can often have unintended consequences, experts warn. For example, automated update features designed to keep IoT devices patched and free of security vulnerabilities can be exploited by sophisticated hackers, who use malicious software updates to compromise thousands or hundreds of thousands of devices, as happened with the NotPetya malware.