IoT Security Solutions Part 1 – No Universal Default Passwords

Cyber security is no longer a nice-to-have feature for large companies. It is essential, especially for embedded and IoT products. ETSI has just released a new regulation for the secure design of IoT and related products, and CEPD could not agree more with the timeliness of this release.

(Image source: CEPD)

With the prevalence and popularity of IoT products hitting the market, it has never been a better time to become educated on some of the common IoT security issues. This article is one in a series that will focus on IoT and embedded security. Common problems will be discussed, and possible solution paths provided. In the end, we hope that we are all a bit more aware of security when using and designing IoT devices.

Default Passwords

A majority of IoT devices use a universal default password, e.g. “admin”, “1234”, “user”, etc. To make matters worse, many users will never update their passwords from the default. This gives full access to anyone who is familiar with these passwords. The potential “hacker” population is anyone who has also bought the product or read about the product. Needless to say, this is a pretty large group of potential hackers that now know your device’s password.

Possible Solutions

It is tempting as a developer to just hardcode a password into the product’s codebase. However, the risks greatly outweigh the benefits. Fortunately, there are design choices that can be made to better secure the IoT device.

Random Number Generation

Upon initial power-up, the IoT device could generate a random number as its password. This could then be shared through a secure means with the end-user. Because this password is random, there is a low probability that another device shares the same password.

Random number generation is available through both hardware and software means. Devices, such as the MikroElektronika MIKROE-4090 will generate a true random number sequence. Furthermore, many modern processors and microcontrollers offer either true or pseudo-random number generator peripherals. Last, C and C++ offer pseudo-random capabilities through the use of pre-compiled libraries (https://www.geeksforgeeks.org/generating-random-number-range-c/).

The point is, there are a lot of ways these days to generate a random number. Adding this feature to your IoT device avoids the universal default password dilemma and demonstrates that your product is truly a step above the rest.

Require a Password Change

If random numbers are a bit too involved, make the user change the password as a first step. Before the IoT device does what it was made for, have a prompt for the user to enter in their own custom password. This is a small burden to put on the user, and the 30 – 60 seconds taken to complete this step will pay dividends in protecting the user’s security and your product’s reputation.

Limit the Number of Incorrect Tries

Rules, such as allowing for only five incorrect passwords within a 3-minute timeframe can make your IoT product more resilient against automated attacks. Note that most of the “hacking” out there is carried out by machines that quickly try to guess a password. If your IoT delays password entry, then it is not going to be the lowest hanging fruit and hacking efforts will be frustrated, probably moving on from your device. Now, this is not sufficient by itself, but when coupled with one of the previous recommendations, it can be powerful.

These issues and recommendations come from work done by ETSI. Their publication ETSI EN 303 645 v2.1.1 (2020 – 06) can be referenced for all of these points.

More articles/blogs on IoT security are coming, so please stay tuned