Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged technology manufacturers to stop providing software and devices with default passwords.
Once discovered, threat actors can use such default credentials as a backdoor to breach vulnerable devices exposed online. Default passwords are commonly used to streamline the manufacturing process or to help system administrators deploy large numbers of devices within an enterprise environment more easily.
Nonetheless, the failure to change these default settings creates a security weakness that attackers can exploit to circumvent authentication measures, potentially compromising the security of their organization's entire network.
"This SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation," CISA said, by taking "ownership of customer security outcomes" and building "organizational structure and leadership to achieve these goals."
"By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers' systems."
"Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations," CISA added.
Alternatives to default passwords
The U.S. cybersecurity agency advised manufacturers to provide customers with unique setup passwords tailored to each product instance as an alternative to using a singular default password across all product lines and versions.
Moreover, they can implement time-limited setup passwords designed to deactivate once the setup phase concludes and prompt admins to activate more secure authentication methods, such as phishing-resistant Multi-Factor Authentication (MFA).
Another possibility involves mandating physical access for the initial setup and specifying distinct credentials for each instance.
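The setup-credential lifecycle the alert describes (unique per instance, time-limited, and deactivated once setup concludes with MFA enrolled) can be sketched in a few lines. This is an added illustration, not code from CISA or any manufacturer; the 24-hour setup window, the serial-number identifier and the 16-character password format are assumptions.

```python
import hmac
import secrets
import string

# Assumption: the setup password is only honoured for one day after provisioning.
SETUP_WINDOW_SECONDS = 24 * 3600
ALPHABET = string.ascii_letters + string.digits


class DeviceSetupCredential:
    """Per-instance setup password, replacing a shared factory default."""

    def __init__(self, device_serial, issued_at):
        self.device_serial = device_serial  # assumed unique label per unit
        # Generated per unit at provisioning (e.g. printed on the device label),
        # so no two instances share a password and no value is reused across models.
        self.password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.issued_at = issued_at  # epoch seconds, supplied by the caller
        self.setup_complete = False

    def verify(self, candidate, now):
        """Accept the setup password only during the setup phase and window."""
        if self.setup_complete:
            return False  # deactivated: setup credential cannot be reused later
        if now - self.issued_at > SETUP_WINDOW_SECONDS:
            return False  # expired: the unit must be re-provisioned
        # Constant-time comparison avoids leaking the password via timing.
        return hmac.compare_digest(candidate.encode(), self.password.encode())

    def complete_setup(self, new_admin_password_set, mfa_enrolled):
        """Close the setup phase; requires a fresh admin password and MFA."""
        if not (new_admin_password_set and mfa_enrolled):
            return False  # refuse to leave the device on the setup credential
        self.setup_complete = True
        self.password = None  # nothing left to use as a backdoor
        return True
```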
Ten years ago, CISA issued another advisory notice highlighting the security vulnerabilities associated with default passwords. The advisory specifically underscored the heightened risk factors to critical infrastructure and embedded systems.
"Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical and important systems," the cybersecurity agency said.
"Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment."
Iranian hackers recently employed this approach, using a '1111' default password for Unitronics programmable logic controllers (PLCs) exposed online to breach U.S. critical infrastructure systems, including a U.S. water facility.
Comments
wpontius - 4 months ago
The Commerce Department Office of the Secretary was found in March of 2022 to be using default passwords on endpoint security. These agencies repeatedly fail to patch their own systems, evidenced in the recent Cold Fusion exploit used to breach Government servers running outdated and unpatched versions of the software. The State Department in a recent audit of this year deemed their systems & network secure even though still running Windows XP.
During the rash of leaks from the NSA following the Snowden leaks, the NSA bemoaned the inability to block USB drives from being used on Windows systems to curb the leaks. A simple web search found that a registry hack was available back to Windows 2000 and Windows 2003 Server versions. The agency that engineered one of the most sophisticated viruses (Stuxnet) of modern times is unable to secure their own systems. Scary!!