The U.K. government calls for weak passwords to be made illegal by 2021
In his foreword to a newly published policy paper on regulating consumer smart-product cybersecurity, the U.K. Minister for Digital Information, Matt Warman MP, has said that his is an “unashamedly pro-tech government.” Warman stated that the Department for Digital, Culture, Media and Sport has been working with the National Cyber Security Centre (NCSC) to “urgently address” the problem of poor Internet of Things (IoT) device security.
How urgently? How does making weak passwords for all such gadgets illegal before the end of 2021 strike you?
What’s the problem with the Internet of Insecure Things?
The problem, such as it is, has been a thorn in the side of cybersecurity experts ever since the Internet of Things first became, well, a thing. With billions of devices already out there, and predictions that there could be as many as 41 billion IoT devices by 2025, the scale of the security problem is as vast as it is pressing.
Everything from lightbulbs to smartwatches that track dementia patients, smart speakers, voice assistants, security cameras and televisions all sit inside this often insecure ecosystem.
Insecure because swathes of these devices come with pre-loaded, hard-wired passwords that cannot be changed by the user.
Which wouldn’t be quite such a security disaster if those passwords were at least strong and unique.
Even where consumers can change passwords, they often remain set to the default, as these devices are sold as fire-and-forget, easy-to-use, non-techy gizmos.
Consumers, on the whole, want to unbox it, plug it in and start using it; changing passwords, updating firmware, any tweaking at this level is simply not on the agenda.
And therein lies the rub: devices that connect to the internet through the home network, passwords that are either already known by would-be hackers or easily cracked by them, and a userbase that is sadly none the wiser.
Spying on users is just one possibility this opens up, data theft another. Quite apart from the risk to user data, and from such devices being used as a staging post for network breaches, IoT devices are often corralled into botnets by cybercriminals and then used to perform Distributed Denial of Service (DDoS) attacks against online businesses.
What has the U.K. government proposed to beef up internet device security?
The ‘Proposals for regulating consumer smart product cyber security – call for views’ policy paper, published on July 16, sets out an overview of the proposed password legislation and seeks further external feedback from interested parties before moving forward.
Under proposals for a new law to protect consumers from the insecure IoT device threat, the U.K. government has recommended that single, universal passwords for devices should be banned.
The government also wants to move towards the use of “alternative authentication mechanisms” that do not use passwords. What’s more, the policy paper also reveals that there is an intent to ban those passwords which are unique to every device but are still easily guessable.
The paper states that where pre-installed, unique-per-device passwords are used, they must not be generated by a mechanism that fails to take into account the minimization of automated attacks.
That password generation mechanism must not, the paper suggests, allow a password to be derived solely from knowledge of another password, or from information that can be determined by communicating with the device over the network.
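To make those two requirements concrete, here is an added illustration (not from the policy paper or any manufacturer's code) of a QA check a vendor could run over a provisioning scheme: it flags a scheme whose password is a pure function of identifiers the device advertises on the network, one that is too short to resist automated guessing, and one that is not unique per device. The device batch, the hash-of-MAC scheme and the field names are all constructed for the example.

```python
import hashlib
import secrets
import string

# Constructed sample batch: the identifiers a device typically exposes on
# the local network (serial in a discovery reply, MAC in the frame header).
BATCH = [
    {"serial": "CAM-000101", "mac": "AA:BB:CC:00:01:01"},
    {"serial": "CAM-000102", "mac": "AA:BB:CC:00:01:02"},
    {"serial": "CAM-000103", "mac": "AA:BB:CC:00:01:03"},
]

ALPHABET = string.ascii_letters + string.digits


def derived_password(device):
    """Non-compliant scheme (constructed): unique per device, but a pure
    function of the MAC, so anyone who sees the MAC can recompute it."""
    digest = hashlib.sha256(device["mac"].encode()).hexdigest()
    return digest[:10]


def random_password(device, length=14):
    """Compliant scheme: drawn from the OS CSPRNG at provisioning time and
    recorded for the label; it is not a function of any device attribute.
    The device argument is accepted only so both schemes share a signature."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_function_of_device_info(scheme, device):
    """If provisioning the same identifiers twice yields the same password,
    the password is fully determined by network-visible data."""
    return scheme(device) == scheme(device)


def audit_scheme(scheme, batch, min_length=12):
    """Return the list of policy failures found for a password scheme."""
    failures = []
    passwords = [scheme(d) for d in batch]
    if len(set(passwords)) != len(passwords):
        failures.append("not unique per device")
    if any(len(p) < min_length for p in passwords):
        failures.append("too short to resist automated guessing")
    if any(is_function_of_device_info(scheme, d) for d in batch):
        failures.append("derivable from device identifiers visible on the network")
    return failures
```

The determinism check is deliberately simple: a scheme that mixes a per-batch secret into the derivation would pass it, which is why the paper's wording about "knowledge of another password" matters as a separate review question.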
It is also suggested that device manufacturers would have to provide a mechanism for users to report security vulnerabilities easily, something that many security researchers will confirm is sorely lacking in many cases today. Finally, the paper requires transparency on how long the device would receive security updates.
Should these requirements become law, enforcement would include the expected financial penalties but also, in some cases of non-compliance, temporary sales bans and ultimately the seizure and destruction of the devices themselves.
What do security experts say?
“Strong enforcement of password standards is a positive move and gets the message across,” Jake Moore, a cybersecurity specialist at ESET, said, “even if it may seem rather forceful.”
David Kennefick, a product architect at Edgescan, said that “the benefits here outweigh the inconvenience of shipping devices with unique passwords or forcing a password reset change during setup.” He welcomes the principle of a law that doesn’t “allow the selling of devices with poor security configurations or default credentials.”
“It was irresponsible for hardware vendors to ship devices with default passwords, which have been used as entry points into other networks,” Chris Hazelton, director of security solutions at Lookout, said. “This law will introduce much-needed steps to help users to think about security as they set up devices,” he continued. “This could be implemented with simple setup wizards on a mobile app that guides users through the process of creating complex passwords and could even require a connection to more secure home or business networks, thereby creating multiple layers of security.”
And, to conclude, Tim Erlin, vice-president at Tripwire, said that “there’s no technical reason why manufacturers need to ship devices with a common default password. Shipping with unique passwords, or requiring a user to change the default on first use, are sensible requirements that help protect consumers and their data. Regulations can be very effective at creating a minimum bar for cybersecurity.”