Internet of Things


Avoiding cyberattack vulnerabilities caused by IoT device passwords


By Joe Lomako, business development manager (IoT) at TÜV SÜD, a global product testing and certification organisation.


Internet of things (IoT) products offer a wide array of smart features that make everyday life easier and better. But as the popularity of these connected devices grows, there is an increasing need to improve their security to stop potential cyber threats. Every device has attack surfaces, which include all the software and hardware interfaces an unauthorised user can exploit to gain access or to retrieve data.

The first line of defence to protect consumer IoT devices is authentication - the process or action of verifying the identity of a user or process. To grant access to a device, identification (such as a username) is used, and authentication is needed so users can prove their identity. Authentication can be based on:

● Something you know (such as a password)
● Something you have (such as a smart card)
● Something you are (such as a fingerprint or other biometric feature)

However, vulnerability is increased if weak passwords are used. Weak passwords include ones that are:

● Easily brute-forced - they have a low (less than six) number of characters, a predictable sequence (e.g. 123456), and/or can be found in a dictionary.
● Susceptible to social engineering – for example, if a person’s name is Peter and they use the password “Peter01”.
● Unchangeable (hard-coded) – so they can be retrieved by looking at the software’s source code.

To help mitigate weak passwords, common recommendations include using one that is at least eight characters long. It is also advised to include characters from at least three different character classes, such as digits, lowercase letters, uppercase letters, and special characters.

However, manufacturers often use a universal default password for a device. This is when the same password is used on all devices of the same model when they are in an operational state, creating a vulnerability which can be exploited by hackers. For example, a smart refrigerator could be accessed through the Internet using both a default username and password. A hacker can identify any smart refrigerators using those defaults, connect to them and send malicious messages that the end-user may assume are genuine.

Another way a hacker could gain access to a product is through ‘brute force’. This type of attack involves ‘guessing’ credentials to gain unauthorised access to a system, and a hacker can send millions of requests to try to guess credentials. So, even if the owner of our refrigerator changes their username and password, they need something that is less vulnerable. For example, creating a password that is the “model + factory batch number” would be too easy to guess. A generation mechanism will instead produce a randomly generated password such as “f2wd34hsd2aead89”.

Manufacturers of IoT products should therefore ensure that, if a password is used by default on a device, it is unique for each device and its generation method cannot be easily guessed. Devices can also prevent millions of brute-forcing attempts with:

● Account lockouts after failed attempts
● Using CAPTCHA
● Limiting logins to a specified IP address or range
● Two-factor authentication (2FA)
● Using unique login URLs

ETSI EN 303 645 cybersecurity standard

The ETSI EN 303 645 cybersecurity standard addresses cybersecurity concerns in consumer IoT devices by providing a comprehensive set of provisions for device manufacturers – and the industry at large – to strengthen cybersecurity for these devices. The standard also serves as a basis for certification of IoT products. Containing 13 sections, it is a globally applicable cybersecurity norm for consumer IoT devices covering the security needs of equipment, communication and personal data protection.

The first section of ETSI EN 303 645 covers the use, or rather misuse, of weak passwords. It states that no universal default passwords shall be used and that the following shall apply for consumer IoT product passwords:

● Where passwords are used in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user.
● Where pre-installed unique per device passwords are used, these shall be generated with a mechanism that reduces the risk of automated attacks against a class or type of device.
● Authentication mechanisms used to authenticate users against a device shall use best practice cryptography, appropriate to the properties of the technology, risk and usage.
● Where a user can authenticate against a device, the device shall provide to the user or an administrator a simple mechanism to change the authentication value used.
● When the device is not a constrained device, it shall have a mechanism available which makes brute force attacks on authentication mechanisms via network interfaces impracticable.

From a reading of the provisions, we can see that the standard rules out using passwords that can be easily guessed or hacked by brute force, while also calling for ways to allow users to change authentication passwords. Consumers are increasingly paying attention to cybersecurity for their consumer IoT devices. Device manufacturers can provide great confidence and reassurance to consumers when making purchases by testing and certifying their products under the ETSI EN 303 645 standard.

Components in Electronics
48 March 2024
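The weak-password criteria the article lists (fewer than six characters, predictable sequences, dictionary words, a name such as "Peter" inside "Peter01") and its recommended minimum (at least eight characters from at least three character classes), combined into one checker. This is an added example written for this page, not code from the article or from TÜV SÜD; the word list is a constructed stand-in for the real dictionary a checker would load, and the three-character sequence length is my choice.

```python
from __future__ import annotations

import re
import string

# Constructed stand-in for the dictionary a real checker would load (the article's
# "can be found in a dictionary" criterion); a few entries are enough to show the check.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "dragon", "monkey"}

CHARACTER_CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "special": set(string.punctuation),
}

MIN_LENGTH = 8    # the article's recommended minimum length
MIN_CLASSES = 3   # digits, lowercase, uppercase, special: at least three of the four


def is_sequential(password: str, run: int = 3) -> bool:
    """True when `run` adjacent characters step by exactly +1 or -1 in code-point
    order ("123", "abc", "cba"): the article's 'predictable sequence' (run=3 is an
    assumed threshold)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def uses_personal_info(password: str, personal: tuple[str, ...]) -> bool:
    """The social-engineering case: a known name such as 'Peter' inside 'Peter01'."""
    lowered = password.lower()
    return any(len(item) >= 3 and item.lower() in lowered for item in personal)


def count_classes(password: str) -> int:
    """Number of the four character classes that appear at least once."""
    return sum(1 for chars in CHARACTER_CLASSES.values() if any(c in chars for c in password))


def check_password(password: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return every reason the password is weak; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = count_classes(password)
    if classes < MIN_CLASSES:
        problems.append(f"uses only {classes} character class(es); need at least {MIN_CLASSES}")
    if is_sequential(password):
        problems.append("contains a predictable sequence")
    # Strip digits/punctuation so "Welcome123!" is still caught as the word "welcome".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_WORDS or (letters_only and letters_only in COMMON_WORDS):
        problems.append("based on a dictionary word")
    if uses_personal_info(password, personal):
        problems.append("derived from personal information")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own examples.
    for candidate, personal in [("123456", ()), ("Peter01", ("Peter",)),
                                ("Welcome123!", ()), ("Xk7#pq2Lm9!", ())]:
        verdict = check_password(candidate, personal) or ["passes"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The class-count rule is aimed at human-chosen passwords. The article's randomly generated sample "f2wd34hsd2aead89" uses only lowercase letters and digits and would be flagged by it, yet 16 symbols drawn from a 36-symbol alphabet give about 83 bits of search space; a generator-produced default is judged by its length and randomness, not by this rule.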

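The per-device password generation the article contrasts with the guessable "model + factory batch number" scheme, together with the ETSI provisions it goes on to quote (a user-changeable authentication value and a mechanism that makes network brute force impracticable, shown here as an account lockout). This is an added example, not code from the article, TÜV SÜD or ETSI; the device model and batch number are constructed, and PBKDF2-HMAC-SHA256 with a 16-byte salt, five attempts and a 300-second lockout are my choices.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
import string
import time

# Lowercase letters plus digits: the alphabet of the article's sample "f2wd34hsd2aead89".
ALPHABET = string.ascii_lowercase + string.digits


def derive_from_batch(model: str, batch: str) -> str:
    """The predictable scheme the article warns against: the password is a pure
    function of the model name and factory batch number, so anyone who knows the
    scheme can compute it for every device in the batch."""
    return f"{model}-{batch}"


def generate_device_password(length: int = 16) -> str:
    """Unique per-device password from the OS CSPRNG (the 'generation mechanism'
    the article calls for). No device attribute feeds in, so one device's
    password reveals nothing about another's."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Size of the search space an automated attack must cover, in bits."""
    return length * math.log2(alphabet_size)


class DeviceAuthenticator:
    """Stores only a salted PBKDF2-HMAC-SHA256 digest of the device password,
    offers a simple password-change mechanism, and locks the account for
    LOCKOUT_SECONDS after MAX_FAILURES consecutive wrong attempts."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300
    ITERATIONS = 50_000  # constructed value; tune to the device's CPU budget

    def __init__(self, initial_password: str, clock=time.monotonic):
        self._clock = clock  # injectable so the lockout window can be tested offline
        self._salt, self._digest = self._hash(initial_password)
        self._failures = 0
        self._locked_until = 0.0

    @classmethod
    def _hash(cls, password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)
        return salt, digest

    def _verify(self, attempt: str) -> bool:
        _, digest = self._hash(attempt, self._salt)
        return hmac.compare_digest(digest, self._digest)  # constant-time comparison

    def login(self, attempt: str) -> str:
        """Return 'ok', 'denied' or 'locked'. While locked, even the correct
        password is refused, so a guesser cannot tell a hit from a miss."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        if self._verify(attempt):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + self.LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def change_password(self, current: str, new: str) -> bool:
        """The provision's 'simple mechanism to change the authentication value':
        proves the current password, then re-salts and re-hashes the new one."""
        if self.login(current) != "ok":
            return False
        self._salt, self._digest = self._hash(new)
        return True


if __name__ == "__main__":
    print("guessable:", derive_from_batch("FRIDGE-X1", "B20240301"))   # constructed names
    print("generated:", generate_device_password(), f"({guess_space_bits(16):.1f} bits)")
    auth = DeviceAuthenticator(generate_device_password())
    print([auth.login("guess") for _ in range(5)])  # 4 x denied, then locked
```

The lockout is tracked per account; a real device would pair it with rate limiting per source on the network interface, and the timing shown is for a device that is not constrained, the case in which the provision applies.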

https://www.tuvsud.com/en-gb/services/cyber-security


www.cieonline.co.uk.uk

