7 comments

[ 3.1 ms ] story [ 26.1 ms ] thread
Maybe I'm cynical but isn't this more or less an attempt to outlaw stupidity? Setting aside a determined and targeted hacking attempt this law is really going after people who aren't particularly adept at technology, plug in something new out of the box, and never change the default passwords because it's providing what they wanted: working wifi, home automation, etc. If these devices were built more securely I'm sure there would be a non-trivial people who would complain about them being too complicated to use.
The ban isn’t on users setting a basic password on the device. It’s a ban on device manufacturers shipping devices from the factory with the same password for each one.

Unique passwords has been a thing for a while. It’s just a random code printed on a sticker slapped on the device.

Wireless access points supplied by ISPs (which are the majority of the routers provided by UK ISPs) have been using generated/random keys for years now. Most routers (I know BT and VirginMedia have been doing this for many years, Sky started doing it atleast 12 months ago. When I say most I mean that the majority of new routers issued by the big ISP's in the UK which is what the vast majority of the population use) have been doing the same with the password to the control panel too for a while and the world hasn’t come to a halt yet.

One of the issues with default passwords is that it can lead to other issues, take SKY for example, they used a default admin user/password combo of admin/sky (or admin/nowtv on their Now brand). Along with another bug it would allow malicious JS running on a website to change router settings such as the DNS settings for everyone using that connection - https://www.bbc.co.uk/news/technology-59332840

Having a non default username/password combo on the router helps prevent such an attack because even with a CORS bug it’s now turned into a brute force attack.

The other part of the new rules is that device manufacturers have to tell the consumer how long they can expect security updates for, even if that period is none. You can still sell a device that will never get updates, just got to be upfront about it now.

EDIT: Right in the article it sets out what these new rules for device makers will be.

> easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default (my note: presuming this means you can not reset the password to admin/admin, but it will reset to the unique user/pass it came with)

> customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn't get either, that must also be disclosed

> security researchers will be given a public point of contact to point out flaws and bugs.

It's outrageous to set fines and bans on default passwords, especially those old enough and struggling to learn more about technologies not to bother about this information.
This isn't a ban on default passwords, merely on non-unique default passwords. It's just as easy to laser-print a unique per-device password on the device label as it ever was.
As shameless a money-grab as mandatory COVID travel testing that lines the pockets of privately owned companies with MP connections.
Unless I'm missing something, this law is in line with the current standards of best practice. Complying with it is not that hard.