Britain’s first ban on default and easy-to-guess passwords for connected devices is a welcome step – but only the first towards securing the rapidly growing Internet of Things (IoT) landscape.
While banning passwords like “admin” and “12345” increases the security foundation, the legislation does not go far enough in mandating firmware updates and built-in security capabilities. Business administrators must therefore remain vigilant against other glaring loopholes in the smart office.
With IoT attacks quadrupling in the past five years and the threat of IoT botnets only increasing, administrators cannot afford to wait for regulators. Here’s how they can tighten cybersecurity and regain control of their enterprise’s device ecosystem.
The war against weak passwords
Warnings about default passwords have been issued for a long time, and for good reason: they are extremely dangerous. Simple username and password combinations are easy to guess or crack, turning devices into potential entry points or into compromised assets under an attacker's control.
Recent research is sobering: attackers only need five common password sets to gain access to an estimated 10% of all Internet-connected devices. The Mirai malware, which hijacked more than 100,000 home routers for massive distributed denial-of-service (DDoS) attacks, used just 62 username and password combinations.
This is an escalating problem. IoT botnets have become a major generator of DDoS traffic, with compromised devices spreading malware, stealing data and enabling other cyber attacks. The number of botnet-powered DDoS devices has risen from about 200,000 last year to about 1 million today, accounting for over 40% of all DDoS traffic.
The UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI), which was implemented in April, aims to address this issue by requiring devices to have a random password or generate a unique password during initialization. Non-compliance is a criminal offense with fines of up to £10 million or 4% of global turnover, whichever is higher.
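As an added illustration, not code from the article or from any regulator, the following Go snippet shows the two checks a device's initialization routine could enforce to meet the requirement just described: it rejects any credential found on a denylist of factory defaults (the list here is a constructed sample; a real one would be far larger) or that is too short or too simple, and it generates a per-device password from a cryptographically secure random source. The length limit and character classes are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// defaultCredentials is a constructed sample denylist of factory defaults.
// A production list would be much longer; the article notes that Mirai
// succeeded with just 62 username/password pairs.
var defaultCredentials = map[string]bool{
	"admin": true, "password": true, "12345": true, "123456": true,
	"1234": true, "default": true, "root": true, "user": true, "guest": true,
}

// minPasswordLen is an assumed policy value for this example.
const minPasswordLen = 12

// ValidateInitialPassword applies the checks an initialization step should
// enforce before a credential is accepted for a device.
func ValidateInitialPassword(pw string) error {
	if defaultCredentials[strings.ToLower(pw)] {
		return errors.New("password is a known factory default")
	}
	if len(pw) < minPasswordLen {
		return fmt.Errorf("password shorter than %d characters", minPasswordLen)
	}
	var hasLetter, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		return errors.New("password needs both letters and digits")
	}
	return nil
}

// alphabet omits visually ambiguous characters (0/O, 1/l/I) because the
// generated value is typically printed on a label or first-boot screen.
const alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

// GenerateInitialPassword builds a unique per-device password using the
// operating system CSPRNG (crypto/rand), never math/rand or a serial number.
func GenerateInitialPassword(n int) (string, error) {
	if n < minPasswordLen {
		return "", fmt.Errorf("requested length %d below policy minimum %d", n, minPasswordLen)
	}
	for {
		var sb strings.Builder
		max := big.NewInt(int64(len(alphabet)))
		for i := 0; i < n; i++ {
			idx, err := rand.Int(rand.Reader, max)
			if err != nil {
				return "", err
			}
			sb.WriteByte(alphabet[idx.Int64()])
		}
		pw := sb.String()
		// Rarely a random string has no digit; simply draw again.
		if ValidateInitialPassword(pw) == nil {
			return pw, nil
		}
	}
}

func main() {
	for _, candidate := range []string{"admin", "12345", "Lobby2024!xx"} {
		fmt.Printf("%-14q -> %v\n", candidate, ValidateInitialPassword(candidate))
	}
	pw, err := GenerateInitialPassword(16)
	fmt.Println("generated:", pw, err)
}
```

The denylist comparison is case-insensitive so that "Admin" does not slip past a check written for "admin"; the generator loops rather than recursing so a short requested length cannot turn into unbounded recursion.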
For years, experts expected that market forces would push device manufacturers to improve their password practices. Since that did not happen, the government is stepping in and instructing manufacturers to provide a means for reporting security issues and to publish the timeline of security updates for their connected products.
Companies, don’t wait for regulators
This is not to say that the act is perfect. For example, there are no specific rules that set a minimum timeline for the security updates mentioned above. Worse, its standards lag behind comparable regions and regulations. The PSTI only meets 3 of the European Telecommunications Standards Institute’s 13 IoT security guidelines. In addition, the regulations do not align with the stricter Cyber Resilience Act in Europe. That set of rules for connected devices – scheduled for 2027 – goes a few steps further by mandating hardware and software support throughout the product lifecycle and automating updates.
Make no mistake: the PSTI is a positive step and tackling generic passwords is crucial. It is also head and shoulders above the optional consumer checkbox solution proposed in the United States. But for businesses operating today, regulations can only provide so much protection, and what they protect and how far they go depends on where you are. The responsibility for achieving comprehensive protection ultimately falls on IT professionals to secure the ecosystems of their connected devices.
This means we now need to adopt the very latest tools and best practices. There are no excuses: unique login details and multi-factor authentication are the minimum. Or consider doing away with passwords altogether and opting for Public Key Infrastructure (PKI). This method uses asymmetric cryptography to establish initial trust between the client and the target device, where a generated key pair replaces the password and grants authentication. This is not only a much more secure form of single-factor authentication, but also makes brute-force attacks impossible, since there is no password to guess.
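The following Go program is an added example, not code from the article, of what "a generated key replaces the password" looks like at the wire level: the admin client generates an Ed25519 key pair at enrollment, the device stores only the public half, and every login is a fresh random challenge that the client must sign. The device has no password field at all, a single-use nonce defeats replay, and the signed message is bound to a protocol label and the device ID so a signature captured for one device is useless against another. The device IDs and the "iot-admin-auth-v1" label are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen = 32

// challengeMessage binds the nonce to a protocol label (assumed name) and the
// device ID, so a signature for one device cannot be replayed against another.
func challengeMessage(deviceID string, nonce []byte) []byte {
	var b bytes.Buffer
	b.WriteString("iot-admin-auth-v1|")
	b.WriteString(deviceID)
	b.WriteByte('|')
	b.Write(nonce)
	return b.Bytes()
}

// AdminClient holds the private half of the key pair generated at enrollment.
type AdminClient struct {
	priv ed25519.PrivateKey
}

// NewAdminClient generates a fresh key pair. The public half is installed on
// the device at initialization in place of a password; the private half
// never leaves the client.
func NewAdminClient() (*AdminClient, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &AdminClient{priv: priv}, pub, nil
}

// Answer signs the device's challenge.
func (c *AdminClient) Answer(deviceID string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, challengeMessage(deviceID, nonce))
}

// Device is the verifying side. It stores only the enrolled public key and
// the one outstanding challenge; there is no password to brute-force.
type Device struct {
	ID         string
	authorized ed25519.PublicKey
	pending    []byte // nonce issued but not yet answered; nil when none
}

func NewDevice(id string, authorized ed25519.PublicKey) *Device {
	return &Device{ID: id, authorized: authorized}
}

// Challenge issues a fresh random nonce from the OS CSPRNG. Each nonce is single use.
func (d *Device) Challenge() ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.pending = nonce
	return nonce, nil
}

// Verify checks the signature against the outstanding nonce and consumes the
// nonce whether or not the check succeeds, so a captured answer cannot be replayed.
func (d *Device) Verify(sig []byte) error {
	nonce := d.pending
	d.pending = nil
	if nonce == nil {
		return errors.New("no outstanding challenge")
	}
	if !ed25519.Verify(d.authorized, challengeMessage(d.ID, nonce), sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Authenticate runs one complete challenge-response exchange.
func Authenticate(d *Device, c *AdminClient) error {
	nonce, err := d.Challenge()
	if err != nil {
		return err
	}
	return d.Verify(c.Answer(d.ID, nonce))
}

func main() {
	admin, pub, err := NewAdminClient()
	if err != nil {
		panic(err)
	}
	dev := NewDevice("cam-lobby-01", pub) // constructed sample device ID
	fmt.Println("enrolled key accepted:", Authenticate(dev, admin) == nil)
	rogue, _, _ := NewAdminClient() // a key the device never enrolled
	fmt.Println("rogue key accepted:  ", Authenticate(dev, rogue) == nil)
}
```

In a real deployment the enrolled public key would be written during the same initialization step that PSTI targets, and the private key would live in a hardware token or OS keychain on the administrator's workstation rather than in process memory.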
But that’s just the beginning. Rigorous asset discovery, network segmentation, and continuous monitoring are critical. Similarly, redouble efforts to lock down connections by encrypting all data in transit and ensuring direct peer-to-peer communication. Finally, never assume and always verify, following the principles of zero trust.
The future of secure devices belongs to administrators
The security imperative is immediate for administrators. Don’t wait for policy to slowly catch up; the future of your connected infrastructure depends on decisive action today.
This starts with the basics, like the security controls above. It also requires critical thinking about the origins of the device. Where does a particular device come from? Who is the manufacturer and what are their security priorities and track record? These considerations cannot be ignored in our landscape of widespread supply chain risks.
Additionally, examine the operating system and its internal workings. Is it a full-fledged, high-end Linux distribution with a complex attack surface and potential backdoors? Or a real-time operating system (RTOS) that is purposely streamlined for the specific task? Managers must weigh whether the benefits of advanced capabilities justify the increased risk footprint. Simplicity, and the reduced attack surface that comes with it, may be the wisest path for many IoT use cases.
It’s encouraging to see regulators catching up to the grim cybersecurity reality of modern devices. Nevertheless, top-down mandates can only go so far in protecting you and your business. Ultimately, securing your connected future requires wise device choices – rigorously vetting device provenance, favoring secure-by-design architectures, and adjusting default settings. Until the standards fully mature, you are the last line of defense.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro