UK Government Declares War on Cybercrime: Weak Default Passwords Will Be Banned

UK Bans IoT Devices With Default Passwords

Yesterday, Matt Warman, the Minister of Britain's Department for Digital, Culture, Media and Sport (DCMS), told The Telegraph that he and his team want to turn the UK into 'the safest place to be online.' This sounds all well and good, but ask any politician in any country, and they'll tell you exactly the same thing about the patch of land they are responsible for. Britain's elected officials, however, believe that they know how to do it.

DCMS announced that it's working on a piece of legislation banning UK sales of IoT devices that come with weak and default passwords. The department will propose a bill, which, it hopes, will be well received by Members of Parliament and turned into law. "As soon as possible" was the closest to an ETA the Government could come up with, which isn't exactly a rock-solid time frame, but on the bright side, whenever it happens, banning default passwords in smart gadgets will surely be good news, right?

The British Government understands the problem to some extent

The really good news is that more and more people are starting to realize what the issue is. The never-ending wave of internet-connected gizmos has transformed our everyday lives, but it has arguably had an even more profound effect on the online threat landscape. Many of the IoT contraptions we buy by the millions are incredibly easy to compromise, and they can act as a vehicle for anything from (relatively) harmless pranks to disruptive DDoS attacks and cyberstalking.

Hacking into a smart lightbulb, a baby monitor, or another piece of IoT technology is often as easy as using a specialized search engine and googling the make and model in order to get the default login credentials. In certain cases, trying out simple combinations like "123456" is all that's needed. DCMS thinks that banning weak and default passwords can make hackers' lives a lot harder. But will the proposed legislation really have the desired effect?

Default and weak passwords are only a part of the problem

The default password has often been hailed as the main reason for IoT's woeful security. This is (at least partly) because the general public has an easier time understanding how this type of attack works. This is also why the readily available password is the first thing legislators are going after. The truth is, however, as often as not, the default login credentials are only a part of the problem.

Last year, for example, the European Commission issued a recall for a batch of children's smartwatches over privacy concerns. In that instance, the problem wasn't the default password, but the fact that the gadgets were transferring large volumes of sensitive information without encrypting it in any way. There are a number of other examples that have nothing to do with the authentication process but still serve as proof of how poor the security of some IoT devices is.

The reasons for the current state of affairs are pretty clear to anyone who's been paying close attention to the so-called IoT revolution. Vendors are in a race to satisfy a recently discovered desire to connect everyday items to the internet as quickly and as cheaply as possible. Designs are rushed and built on a shoestring, and because all these contraptions are supposed to bring a bit of novelty, ease-of-use takes priority over any privacy or security concerns.

The UK Government does know that the problem goes beyond the default password. The proposed ban on devices that use weak login credentials is part of a wider best-practice code concerning IoT security. Drawn up in 2018, it includes quite a few other points which, at the moment, are simply recommendations. If they are turned into law, IoT vendors will be forced to have public vulnerability reporting platforms, and they might even need to start putting warning labels on their products to inform users that smart gadgets can be attacked by hackers. Unfortunately, we're not sure that even this would be enough.

Vendors and users must start taking security more seriously

IoT has already been at the center of more than a few major cybersecurity incidents, and the UK Government is not the first regulatory body to realize that something must be done. In fact, a law banning the use of default passwords was passed in the State of California back in 2018, and on January 1, it went into effect. We've yet to see how effective it will be, but we're pretty sure that other local and national governments will also follow suit.

The problem is, legislation can only get you so far. The number of factors governing the security of a single IoT device is mind-boggling, and regulating all of them is just not possible. If the situation is to improve, we need a fundamental change in the way both vendors and users think.

Even if we assume that the recent laws will urge manufacturers to come up with a more secure login system, there will be nothing to stop them from building the rest of their backend infrastructure in the quickest, cheapest, and most insecure way possible. The gaping security holes found in many IoT contraptions show that some vendors still need to realize that they are responsible for keeping their customers safe and to reorder their priority lists accordingly. That being said, we can't put all the blame on vendors.

The "it won't happen to me" mentality many people have adopted is doing us no favors. IoT vendors tend to ship their products with a default password because this makes setting up a device for the first time easier and quicker. They also include a facility that allows the default password to be changed, though, and the simple fact of the matter is, many customers don't use it.

The point of IoT is to bring only positive changes to our lives, but it's pretty clear that in its current form, it's also causing some problems. British and Californian lawmakers are trying to solve some of them, but the real change can only come from the people who design and use the smart devices.

January 28, 2020
