Proposed UK Law Bans Default Passwords
Following California’s lead, a new UK law would ban default passwords in IoT devices.
EDITED TO ADD (12/12): Commentary.
EDITED TO ADD (12/14): A draft of the bill.
jones • November 26, 2021 9:03 AM
I’m trying to imagine people trying to manage the passwords for all the “smart” light bulbs in their homes… and getting jammed up when their “smart” toaster crashes…
Clive Robinson • November 26, 2021 9:12 AM
@ ALL,
The usual warning with regard to current UK legislation and BBC reporting needs to be sounded,
“The devil is in the details, read with care”.
I would not be surprised if this is actually anti-EU and anti-China policy driven.
UK Politician Tom Tugendhat has previously argued fairly vehemently that both products and funding for research from China “rarely comes without strings attached” and has made it clear in other ways that anti-China sentiment is very definitely “on the table”.
Others have likewise taken up the same sort of anti-EU stance as well.
Combined, these stances politically draw the UK much closer to US State Dept policy… Which appears to be a significant aim of the current UK PM.
6449-225 • November 26, 2021 9:55 AM
This will establish the market for IoT device password setter-resetter/storer devices.
Obviously, a device with such a sensitive role will need to be password protected. Nobody knows how this would be done … ∞
Andy • November 26, 2021 10:48 AM
My router from 2Wire (acquired by AT&T ?) from probably a decade ago and all its successors have a random password printed on it. If you do a hard reset on it then it goes to that value. The manufacturer shouldn’t keep a database of serial numbers to passwords for this to be secure. Physical access to the device should be both sufficient and necessary.
Ted • November 26, 2021 10:57 AM
I was wondering how likely this PSTI bill was to pass. I’m thinking likely because it was developed by both the DCMS and the NCSC along with industry, academia, standards bodies, and other countries.
That’s a lot of early buy-in.
The ‘top three’ rules mentioned in the original article are also mentioned in the bill’s gov.uk factsheet.
Those are big deals, imo.
nnz • November 26, 2021 11:05 AM
Maybe I am missing something obvious, but would having no password by default be compliant?
Sumadelet • November 26, 2021 12:30 PM
Hmmm. I wonder how this might apply to after-market firmware, such as LineageOS, postmarketOS, and OpenWrt. This might provide manufacturers the weapon needed to close off such things. Microsoft would love it if it gave a way to prevent Linux, BSD, or other libre software distributions being placed on old or repurposed PC hardware, too. It is an easy step between requiring a unique password per device to requiring a unique password certified as such and controlled by the manufacturer on each device, all in the name of improved security.
Call me suspicious.
lurker • November 26, 2021 12:55 PM
@nnz, Sumadelet
The default no password is superficially attractive, but, can you ensure that the user/installer sets up a password, any password, better than “fred”?
Years ago I tried an install of netbsd. It rebooted to an open root prompt. Took me a while to realise this was a great idea – if you know what you are doing. What confidence is there that the average user of an IoT device knows what they’re doing?
neill • November 26, 2021 4:52 PM
unfortunately the ordinary user will type in that special password once … then reset it to something like ‘letmein123’ for convenience
SpaceLifeForm • November 26, 2021 5:35 PM
Top Notch Security Theatre
It does not matter what the password rules are if the password can leak.
Ted • November 26, 2021 5:57 PM
It seems like there are a lot of concerns that a user won’t set up a sufficiently secure device password. And that is understandable.
I guess moving thousands of devices off a default password of “admin” or whatever is still a step in the right direction.
I was trying to see if there was more specific guidance on the default password ban and did see that there are more details at the link below under the section: “Key Policy Position 6 – Security Requirements.”
The text says: “We intend to create two routes to conformity within the intended legislative framework.”
One route looks like it follows the provisions set from ETSI European Standard (EN) 303 645. For passwords this relates to provisions 5.1-1 and 5.1-2.
Ted • November 26, 2021 5:58 PM
(continued…)
Here is the explanation of intent:
“Our intent is to cover all passwords within the device, including those not normally accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components. Pre-installed software applications (Apps), including those that are 3rd party provided but pre-installed on a device, are also in scope. Our intent is also to ban passwords which may be unique per device, but are still easily guessable and therefore still present a risk (for example, if incremental counters are used such as ‘password1’, ‘password2’ and so on).”
I don’t know if a device could force a certain level of password complexity?
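Added example, not code from any commenter, the bill or ETSI: a small provisioning model in Python that does what the quoted intent asks for and what Andy describes above for his router label. Each device gets a password from the OS CSPRNG (so there is no serial-to-password formula and nothing for the manufacturer to store), the device keeps only a salted hash, and a checker rejects the patterns the thread mentions: common defaults, incremental counters like “password2”, and passwords derived from the MAC or serial. The serial, MAC, default list and batch size are constructed values.

```python
import hashlib
import hmac
import os
import re
import secrets
import string
from typing import List, Optional, Tuple

# Constructed list of weak factory defaults (illustrative, not from any vendor).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "letmein", "letmein123", "fred"}

# Characters for a label a human must copy off a sticker: drop 0/O and 1/l/I.
LABEL_ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")

# "word followed by a counter", e.g. password1, password2 ...
INCREMENTAL = re.compile(r"^(?P<base>[A-Za-z]+)(?P<counter>\d+)$")
COUNTER_BASES = {"password", "admin", "user", "device"}


def generate_device_password(length: int = 16) -> str:
    """Per-device password drawn from the OS CSPRNG.

    Nothing depends on the serial number or MAC, so there is no formula to
    recover it and no serial-to-password database for the manufacturer to keep.
    """
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def store_password_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the production line writes to the device: a salt and a PBKDF2 hash.

    The plaintext goes on the printed label only and is then discarded.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(attempt, digest)


def weak_default_reasons(password: str, serial: str, mac: str) -> List[str]:
    """Return why a candidate factory password would fail the quoted intent.

    An empty list means no problem was found. The MAC and serial checks cover
    the "default password is the MAC address" pattern described later in the thread.
    """
    reasons = []
    low = password.lower()
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    if low in COMMON_DEFAULTS:
        reasons.append("common default")
    if len(password) < 8:
        reasons.append("too short")
    m = INCREMENTAL.match(password)
    if m and m.group("base").lower() in COUNTER_BASES:
        reasons.append("incremental counter")
    if low.replace(":", "").replace("-", "") == mac_hex or mac_hex[-6:] in low:
        reasons.append("derived from MAC")
    if len(serial) >= 4 and serial.lower() in low:
        reasons.append("derived from serial")
    return reasons


def provision_batch(count: int) -> List[str]:
    """Generate a batch and refuse to ship if any two devices would share a password."""
    passwords = [generate_device_password() for _ in range(count)]
    if len(set(passwords)) != count:
        raise RuntimeError("duplicate password in batch; CSPRNG or length is wrong")
    return passwords


if __name__ == "__main__":
    serial, mac = "SN0001", "AA:BB:CC:DD:EE:02"  # constructed identifiers
    for candidate in ("admin", "password2", mac, "SN0001-setup", generate_device_password()):
        print(f"{candidate!r:24} -> {weak_default_reasons(candidate, serial, mac) or 'ok'}")
    salt, digest = store_password_hash("example-only")
    print(verify_password("example-only", salt, digest), verify_password("wrong", salt, digest))
```

The checker answers the complexity question only partly: a device can refuse the patterns it can recognise (lists, counters, identifier-derived strings), but it cannot tell a good user-chosen password from a bad one that merely passes the rules, which is why the generated per-device default matters more than the rules.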
SpaceLifeForm • November 26, 2021 8:15 PM
@ Ted, Clive, ALL
Silicon Turtles
Our intent is to cover all passwords within the device, including those not normally accessible by the user, such as passwords on administrative interfaces, or within firmware of sub-components.
Note the OR. It may be an /AND.
s/cover/recover/
Ted • November 26, 2021 8:58 PM
@SpaceLifeForm, Clive, ALL
Note the OR. It may be an /AND.
So it looks like the start of the list of applicable devices is…
It sounds like manufacturers and ‘economic actors’ will have a foundational role in complying with security standards, publishing declarations of conformity, and complying with enforcement activity.
I am kind of confused as to what role consumers will have in all this. I wonder what percentage of the default password ban will be invisible to the consumer. And if consumers do have to manage device passwords, what kind of system or platform is going to handle this?
Ted • November 26, 2021 9:11 PM
@SpaceLifeForm, Clive, ALL
Re: Checking smart devices for default passwords
According to a report[1] “Those aged 75+ are the least likely to have checked (8%) [for a default password] and also the most likely to say ‘Don’t know’ (14%) which may reflect less awareness and knowledge of technology.”
What do you think of this?
[1] “Consumer attitudes to IoT security” report
6449-225 • November 26, 2021 10:28 PM
“Those aged 75+ are the most likely (93%) to have left the router published default password in place and set up a honey-pot to lure computer crackers to their doom.”
Adage: “Old age and treachery will always beat youth and skill.”
Dave • November 26, 2021 11:04 PM
Good to see the fines also given as “x% of turnover” rather than the standard fixed amount, looks like governments are finally waking up to the fact that for many tech giants it’s far easier to just pay a fixed-amount fine and ignore the problem than to actually fix it.
JonKnowsNothing • November 27, 2021 12:42 AM
@All
re: “Those aged 75+ are the most likely (93%) to have left … default password in place”
Remember this is what has been taught to consumers:
DO NOT TOUCH THE CONFIGURATION
A) When an I-Provider(USA) shows up, the installation persons blast in and out as quickly as possible. They spend the least amount of time and rig up the worst connections (1) because the installers only drop the equipment and move to the next drop and someone else is in charge of making it work.
More often than not, they never test the connection beyond the link from the closet to the exterior junction (OK I got a green led… Let’s go…). There is no documentation and no explanations as everything is configured from the Central Office.
At most, they may show you how to power cycle the system.
B) We have taught end users to CLICK A LINK and now expect them to NOT To Click.
C) We have obscured over and over how things work, made things look “magic like”, over engineered every aspect of the system and wonder how come folks cannot complete something that is “dead easy” but requires hundreds of clicks and hours of configuration file settings while reading up on the differences between PNG v JPG v GIF v BMP and JSON v HTML v RTF v TXT.
They still need to call Tech Support because the vendor forgot to install a required software update package or worse, they didn’t install the correct application software at all. (I cannot find the letter typing program. I am supposed to be able to type a letter. You ordered what? I don’t see anything on your manifest… Yes I ordered it shows on my invoice. I want to write a letter! Oh… you don’t have a letter typing program, you have an email program, but you didn’t buy the ISP connection.)
It is not easy
D) Passwords are not intuitive. Much already said about this.
Guard: Caesar, What is the password for tonight?
Caligula: Give us a kiss….
E) Then there is the ladder problem. (2)
===
1) RL tl;dr
A team of installers left the router hanging by the incoming fiber optic line. When I pointed it out, they pulled out common double sided sticky tape and taped it to the wall. The tape held less than 15 minutes after they left.
An installer set up the 4 pair CAT wire outlets. All worked except 1 outlet. The second level Tech Support Installer found the first installer had mispunched the wire order. It took a long time to sort that out because the Telco only provided the tech installer a 2 wire LED tester.
2)
https://www.who.int/news-room/fact-sheets/detail/falls
26 April 2021
Falls are the second leading cause of unintentional injury deaths worldwide.
Each year an estimated 684 000 individuals die from falls globally of which over 80% are in low- and middle-income countries.
Adults older than 60 years of age suffer the greatest number of fatal falls.
37.3 million falls that are severe enough to require medical attention occur each year.
An estimated 684 000 fatal falls occur each year, making it the second leading cause of unintentional injury death, after road traffic injuries.
JonKnowsNothing • November 27, 2021 1:04 AM
@ Sumadelet
re: I wonder how this might apply to after-market firmware, such as LineageOS, postmarketOS, and OpenWrt. This might provide manufacturers the weapon needed to close off such things.
Many manufacturers use “tattoos” or “dongles” intended to prevent other hardware, firmware or software from being installed.
Some proprietary systems may list “standard name brands” for specs but these may be customized versions that have “hidden locks”.
Attempts to exchange, repair or fix the item fail because the replacement does not have the secret sauce code required.
iirc(badly) tl;dr
A refurbisher of old computers, legally obtained, lost a court case brought by M$.
Each system had legal rights to a copy of the OS. The refurbisher would download a copy of the OS using the correct authorized code for a set of installation CDs. They would clean the system and reinstall the OS and use the correct serial number for that machine.
M$ claimed that the rights to the serial number and downloaded OS copy only applied to the initial purchaser and could not be transferred to another owner.
The refurbishing company pointed out that these were old machines and M$ no longer provided retail copies of the OS.
Didn’t help.
M$ won the case and afaik, the recycled machines could no longer use M$ OS so the refurbisher switched to Option-L.
SpaceLifeForm • November 27, 2021 3:19 AM
@ JonKnowsNothing
DO NOT TOUCH THE CONFIGURATION
LOL
That is the first thing one should do in order to properly secure.
I actually have fun with installer techs. They learn something. If it is a new install, I watch them like a hawk, and make sure they are doing it right. If it is a new issue with existing kit, I usually have already diagnosed the problem, and can save a bunch of time for both of us.
Tech: You know more about this stuff than I do. You could do my job.
Me: Probably, but I do not want to.
JonKnowsNothing • November 27, 2021 10:32 AM
@SpaceLifeForm @All
re: DO NOT TOUCH THE CONFIGURATION
LOL
That is the first thing one should do in order to properly secure.
Precisely the problem.
Rhetorical Question:
One of the hallmarks of tech-types is our innate (or learned) ability to smell where the faults lie in setting up a system. We either learn by failure or sometimes someone else shows us God Mode or we actually read and learn what’s needed.
It’s what makes us LEETS and it’s also what makes our designs fail when handed out to NOOBs. We presume and assume that “It is clear that…” and it’s anything but clear. (1)
We cannot unlearn our knowledge so we presume everyone else has the same. They do not.
CONSIDER
Look at the configuration of the Internet Explorer Browser. There are the first panels with gross-level choices but nothing clear about what they do or do not do. Then click your way to the Advanced Tab, scroll down the list of stuff. You might have 100% full knowledge of every item on the list but the consumer will not. Some of those items are important to “secure” the browser, that’s not saying much but it’s the best one can do with that config file.
Open up Firefox. Their base setup pages of @ 5 tabs are similar to IE. Some generalized information but nothing too deep and some of the defaults are WRONG. Then open the Config file (try to pretend you don’t know how to do that either) and scroll down the many pages of options. Some of those are important too. It isn’t probable that a Gran, Grad, FarmerJane or a 5yo, will be able to fill in the required blips. (2,3)
afaik, there isn’t a good answer to WHY and there isn’t a good prospect that this will change anytime soon.
CONSIDER
===
1) My most hated textbook phrases:
“It is clear that A follows B … ”
and
“It is left as an exercise to the reader to …”
2) RL tl;dr:
Not long ago, I wanted to “enable” a feature in FF. Normally such a feature is on the main 5 tabs but it wasn’t listed. I looked in the CONFIG file for the option to enable it. I found the line and made the toggle. NOTHING HAPPENED. NOTHING CHANGED. (repeat edit/test several times). After DDG for what’s going on, it turned out that feature had been “deprecated” but the CONFIG option was still there.
You can turn it on, but there’s no one home.
3) RL tl;dr:
[PreCOVID]
A friend with a very old computer that had not been powered up for a long time, needed help. The system insisted that there was NO OS installed. They asked me if they should reinstall the OS. I went to their home and they had a shoe box full of software ready for use. I turned on the computer, saw the error flash then power cycled the machine and entered the Hardware Config.
I switched the PRIMARY BOOT from the A: Drive to the C: Drive.
SpaceLifeForm • November 27, 2021 7:08 PM
@ JonKnowsNothing
Did the button battery die?
https://support.mozilla.org/en-US/kb/about-config-editor-firefox
JonKnowsNothing • November 27, 2021 9:20 PM
@SpaceLifeForm
No. The option I was expecting to see had been removed from the release. Only the config options were there for those who had not previously disabled it.
So,
fwiw: IF you are so inclined, you can copy-paste from an older FF profile or CutNPaste part of the profile configuration to rebuild the UI component. Since only the UI portion is actually missing. The functionality remains like deadwood in the code. The old problem of Legacy Support.
SpaceLifeForm • November 27, 2021 10:33 PM
@ JonKnowsNothing
Now I am curious. If you hit ‘ALT’, and then go to about:config does the behaviour change? Or the reverse (about:config, then ALT)?
What exactly are you NOT seeing?
JonKnowsNothing • November 28, 2021 12:45 AM
@SpaceLifeForm
re: What’s not there?
It is 100% trivial item, it doesn’t affect the browser. It was a “Recently Visited History” list (not the one in the History section) and was displayed in the Bookmark Library and on the Menu Bar/Bookmarks and Search Bar.
In the Library layout, you can delete categories and folders you don’t want. I had deleted the 2 “Recent Tags” and “Recently Bookmarked” sections. When I attempted to restore them it was a bigger Rabbit Hole than expected.
The feature was removed from Firefox. There is nothing to see unless you happen to have an older version of the browser.
When attempting to restore the missing layout, it didn’t work even though an initial FF suggestion was to enable the Recently Visited options in the Config File. When the options did not return to the UI, I dug deeper and it turns out that feature was removed from the baseline code.
To get the old UI version back, the settings are supposed to be archived in one of the profiles. You have to do some digging if you really want it back. But “what’s the point?” because the option is No Longer Supported.
There are plenty of other history listings, there’s no shortage.
===
https://support.mozilla.org/en-US/questions/1293515
http://kb.mozillazine.org/Viewing_the_browsing_history_-_Firefox
Search On:
FF 77 / how-to-display-most-visited-pages-in-firefoxs-address-bar/
lurker • November 28, 2021 11:29 AM
@SpaceLifeForm, JonKnowsNothing
DO NOT TOUCH THE CONFIGURATION
The Configuration Editor (about:config page) lists Firefox settings known as preferences that are read from the prefs.js and user.js files in the Firefox profile and from application defaults.
[1. presumably “application defaults” are hard-wired in the code and not necessarily visible in ~/.mozilla/…/prefs.js
[2. ~/.mozilla/…/user.js contains only stuff that the user has changed from default. If it wasn’t in there at upgrade time, and the new version UI config editor doesn’t include it, then pasting from an archived profile might or might not…
[3. prefs.js says
// DO NOT EDIT THIS FILE.
//
// If you make changes to this file while the application is running,
// the changes will be overwritten when the application exits.
//
// To change a preference value, you can either:
// - modify it via the UI (e.g. via about:config in the browser); or
// - set it within a user.js file in your profile.
user.js if it exists is available for tinkering but…
[4. user.js? no longer a plaintext file? DO NOT TOUCH unless you have at least half a clue about .js formatting. Go back to the Desktop with the pretty UI Config Editor and use just what the vendors thought was fit for you…
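Added example, not from lurker or from Mozilla: a Python parser for the `user_pref("name", value);` lines that prefs.js and user.js are made of, plus a diff of two profiles. That is the check behind points 2 and 4 above, and behind JonKnowsNothing’s idea of pasting from an archived profile: before copying anything, list which preferences the old profile sets that the new one no longer carries, and which values changed. The two profile texts are constructed; “example.*” names are made up, the others are preference names that exist in Firefox. Parsing the JS literal with `json.loads` is an assumption that holds for strings, numbers and booleans.

```python
import json
import re
from typing import Any, Dict, Tuple

# One preference per line: user_pref("name", <js literal>);
PREF_LINE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse prefs.js / user.js text into {name: value}; comments and blank lines are skipped."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = PREF_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        # Assumption: the JS literal (string, number, true/false) is valid JSON.
        prefs[m.group("name")] = json.loads(m.group("value"))
    return prefs


def diff_prefs(old: Dict[str, Any], new: Dict[str, Any]) -> Tuple[Dict, Dict, Dict]:
    """Return (only in old, only in new, changed value) between two parsed profiles."""
    only_old = {k: v for k, v in old.items() if k not in new}
    only_new = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return only_old, only_new, changed


# Constructed sample profiles (not copied from a real Firefox install).
OLD_PROFILE = """\
// DO NOT EDIT THIS FILE.
user_pref("browser.startup.page", 3);
user_pref("browser.urlbar.maxRichResults", 10);
user_pref("example.removed.feature", true);
user_pref("general.useragent.override", "Mozilla/5.0 (constructed)");
"""

NEW_PROFILE = """\
user_pref("browser.startup.page", 3);
user_pref("browser.urlbar.maxRichResults", 5);
user_pref("general.useragent.override", "Mozilla/5.0 (constructed)");
user_pref("example.new.pref", false);
"""


def report() -> Tuple[Dict, Dict, Dict]:
    """Diff the archived profile against the current one."""
    return diff_prefs(parse_prefs(OLD_PROFILE), parse_prefs(NEW_PROFILE))


if __name__ == "__main__":
    only_old, only_new, changed = report()
    print("set only in the archived profile:", only_old)
    print("set only in the current profile: ", only_new)
    print("values that changed:             ", changed)
```

A preference that appears only in the archived profile is exactly the case lurker describes: pasting it back in gives you a line in user.js that the current release may ignore.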
6449-225 • November 28, 2021 12:43 PM
@ lurker @ SpaceLifeForm @ JonKnowsNothing
I weep when I reflect on what js and scripting in general could have become
Projection Factorisations in Partial Evaluation (Distinguished Dissertations in Computer Science, Series Number 1)
https://www.amazon.com/exec/obidos/ASIN/0521414970/acmorg-20
name.withheld.for.obvious.reasons • November 28, 2021 2:34 PM
I assume that commercial consumer facing routers provided by ISP is within the classification of IoT devices the UK would target, as such, and anecdote:
Funny thing, back a few years ago when router and ISP’s had hardware agreements for consumer/customer devices, the default password would often be the MAC address but that is advertised via ARP requests. At a co-worker’s home, I set about the task of setting up the router and computer systems. As I went to secure the configuration, I noticed something was amiss. Having made the changes to some of the default account and service account I could not see the change to the local router’s addresses and gateway through the physical LAN interface. The wireless link worked though…hum…
Oops, the neighbor’s router which was identical, both were using the local ISP provider for services, and I had inadvertently reconfigured his neighbor’s device. I apologized to the co-worker and busily restored the neighbor’s router back to the original config. It was amazingly embarrassing to have made such a mistake but a clear indication of just how poorly the ISP/router vendor relationship did not work. Or, depending on your perspective, just how well it did work.
Clive Robinson • November 28, 2021 2:43 PM
@ 6449-225, JonKnowsNothing, lurker, SpaceLifeForm,
Re Amazon link to the book,
Projection Factorisations in Partial Evaluation
There is no need to buy the book.
It’s an over-thirty-year-old PhD thesis from John Launchbury that you can, as with many theses, download. One download for it is from Glasgow University in the UK where he submitted it,
http://theses.gla.ac.uk/78055/1/11007334.pdf
I skim read it back in the 90’s as part of prepping for doing my own PhD, it’s not a difficult read and actually does not require very much pre-knowledge. I was in particular looking at what was back in the early 90’s called “Mixed Computation”(MC) where you develop small programs that are tightly bound to extracting information from large data sets (something we sometimes do with ML these days).
I was looking at using MC to develop “tasklets” that would run “securely” on world wide spanning databases each of which only held a partial data set. The aim was, amongst others, that researchers could gather their data with minimal information leak to others such as the owner/operators of the data sets (talk to drug company researchers about how paranoid they are about research leakage and how it prevents them from using large online databases or even citation DBs like MedLine unless they fully control it).
I won’t go into the dull details, but I could not find a sufficiently adventurous supervisor and reader[1] until too late when other factors in my life precluded me going forward.
It’s a shame, because some of the ideas I worked out are still not really “found” by others yet, and I suspect that has a lot to do with the likes of a small number of Silicon Valley Corps, where the last thing they want is you to be able to do things without them knowing…
Oh for those that do not know “Mixed Computation”(MC) and “Partial Evaluation”(PE) had a great deal in common. Though coming from different viewpoints and with some significant differences such as PE was a chase for “efficiency” whereas MC could be used to find efficiency or other requirements like security and side channel elimination. Back in the late 80’s and 90’s everything was about “efficiency” not “security” so many regarded MC and PE as equivalent…
If you ever wondered where I came up with the meme “Security-v-Efficiency” well now you have a clue 😉
Be warned though it is a “rabbit-hole” domain / field of endeavour. It really requires you to have a very very broad cross domain knowledge both in breadth and depth (which both the research and academic career paths tend to dissuade).
[1] In essence getting a PhD was at the time a bit of a con. In essence you had to do somebody else’s “research” they published the results (as they had a PhD). And… as a reward if it was felt you had “played the game” you got a PhD which was your entry level token into “publishing” and “Conference Speaking” that would allow you to start a career in research or academia (neither of which particularly interested me as career options, something I’m thankful for seeing how people are treated in those career paths these days).
Ted • November 28, 2021 6:24 PM
Finally it seems someone has found and made available a draft copy of the UK bill.
https://regmedia.co.uk/2021/11/26/psti_bill.pdf
Some of the real kickers for me are seeing how the reporting, compliance, and enforcement processes work out.
The Register had this to say:
As for enforcement of these new regs, UK.gov isn’t messing around. A government statement said: “This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.”
The bill’s third chapter deals with Enforcement. I have been searching for IoT enforcement or compliance examples in the US as they relate to California or Federal laws, but haven’t found much that is publicly available.
https://www.theregister.com/2021/11/25/product_security_telecoms_bill_parliament/
SpaceLifeForm • November 28, 2021 10:24 PM
@ name.withheld.for.obvious.reasons
Obviously, the neighbor never secured their router.
If you always configure a router (disconnected from WAN) via ethernet cable, you normally catch any problems immediately.
Lsuoma • November 29, 2021 9:10 AM
@ 6449-225 , Clive Robinson
6449-225 added an associates tag to the URL, so someone will get money if anyone does buy it.
Also, people should stop using the “exec/obidos” version of URLs – that was made obsolete over a decade ago.
Makes me wonder how long this person has been hawking the monetized version of the URL.
bassman1805 • November 29, 2021 9:50 AM
When I was in college, I went on a school trip to Peru. We visited a tech school while we were there, and spent a decent time stuck waiting in some kind of lounge room. None of us had cell connection, and the wifi was protected (you could connect without a password, but got redirected to a university sign-on page that we had no login for). Being facebook-addicted millennials, this was a serious conundrum. One of the students (a geology major) tried connecting to 192.168.1.1 and using “admin”/”password” to log into the router. It worked, they created a new admin account (under the name of our band director XD) and we got our fix of precious facebook likes until it was time to move on to the next portion of our visit.
Moral of the story: If your security is hackable by a geology student, maybe it’s not even worth calling it “security”
6449-225 • November 29, 2021 11:03 AM
@ Lsuoma @ Clive Robinson
Re: bad URL
My apologies, I just grabbed the first link I saw when searching, which happened to be Amazon.
I’ll stick to author, title and ISBN from now on !
6449-225 • November 29, 2021 11:12 AM
@ bassman1805
hackable by a geology student
In a lecture years ago, someone who knew about these things said that out of all technical disciplines, geologists made the best anti-submarine warfare specialists, because their geology training thematically consisted of finding reasonable ways to complete a picture when only partial information had been supplied as data. The same kind of thinking would now seem to be fruitful in computer security.
bassman1805 • November 30, 2021 12:22 PM
@6449-225
Oh, for sure. But it’s too good an opportunity to throw a little shade.
ResearcherZero • December 2, 2021 5:25 PM
@bassman1805
The local restaurants and cafes all have better security than many of the state government departments. Important departments too, ones that handle finances, and the kinds of departments that may contain important information.
Hopefully other countries will follow the UK with their own laws, and there will be further improvements to these laws. There are some government security laws, but little governing consumer products.
There is also the Telecommunications (Security) Act in UK which will give Ofcom new powers to monitor the security of telecoms networks. Fines of up to 10% of turnover or £100,000 a day can be issued for those that fail to meet standards.
Vicente Aceituno Canal • November 26, 2021 8:12 AM
They should ban initial passwords being predictable instead. Companies will just move from a constant password to one that is easy to guess based on whatever.