New cybersecurity legislation – ‘password123’ is illegal?

All internet-enabled devices are manufactured with an original admin password. Manufacturers generally give all new devices the same default password out of ease – often something simple like ‘admin’ or ‘password’. The problem here is that consumers don’t bother changing this default password on receiving their new device, rendering hundreds of devices vulnerable to cyberattack without a secure, unique password.

This neglect has led to significant data breaches, with cybercriminals able to attack many at a time via the same default password; Twitter, Spotify and Reddit have all fallen victim. In 2017, Equifax paid an eye watering data breach statement of around $700m to US regulators and US states for using default ‘Admin’ password.

New legislation introduced in California in January 2020 has banned electronics firms from using these universal default passwords for all internet-enabled devices. The manufacturers are now required to set a unique password for the device at the time of manufacture, or prompt people to set their own the first time they use a device. The laws hope to protect consumers by setting higher security standards for smart devices.

What will the impact of new regulations be?

The impact on manufacturers and users will vary according to the response to these new regulations. If the firm opts to build a unique password for each device – BT hub and Virgin media have both chosen this route – the manufacturing process will be more complex. It’s far more straightforward to produce identical products and additional procedures will be needed to produce ‘unique’ devices in mass production. This route would also impact users who will have to input a long, random password upon receiving their device, though device designers may address this issue to improve usability.

The alternative option for manufacturers is to prompt users to set their own password for their device. This route is less disruptive to the manufacturing process – devices can still be made with the same default password – but requires additional design for the initialisation process. It gives users additional steps to complete in setting up their device but also means they’ll have a personalised and more memorable password.

What about the rest of the world?

These laws currently only apply to California, though it’s only a matter of time before similar regulations start to pop up elsewhere. Based on other official guidelines for cybersecurity provisions for consumer Internet of Things (IoT), it’s clear that default passwords are considered a key vulnerability.

Here in the UK, the government published the Code of Practice for consumer IoT security in October 2018. Though it serves only as guidelines for cybersecurity, ‘no default passwords’ is the first recommendation. There have also been proposals to mandate the 3 key rules specified in this Code of Practice, a change which would make the guidelines enforceable legislation.

The emphasis on banning default passwords is echoed in the European Telecommunications Standards Institute’s technical specification for the Cyber Security for Consumer Internet of Things (published February 2019). ‘No universal default password’ is the specification’s first rule.

Out of all potential security threats, passwords are the number one vulnerability of any device. With even the most powerful security hardware and software setup, it only takes one password to breach all the walls. Banning default passwords may not be enough on its own, but this is a big step in the right direction for safety and privacy.

If you are having problems or need support when it comes to device security, we have expert teams in this area who would love to be of help to you! Contact us here.