The Importance of Password Authentication for Connected Devices
Despite the seeming simplicity of checking a password, getting it right for connected products has not been easy. Device vendors, service operators, administrators and end-users alike have been making common mistakes in deploying and configuring password mechanisms. This has given rise to gargantuan botnets such as Mirai whose sheer scale would have been impossible before the Internet of Things existed.
You may think that the attackers’ nefarious goals were achieved by using highly sophisticated attack models, but the original strain of the Mirai agent proliferated without the use of any advanced exploits. The infection spread by simply knocking on the device's front door (a network login interface) and stating the right password. For this, Mirai was equipped with several dozen username-password combinations, some of them extremely simple, which happened to be accepted by hundreds of thousands of devices online.
Those default username-password combinations were defined by the vendors, installed by the service providers across a wide set of products, and then left unchanged by either the service providers or the end users. Since password authentication, which is the device's first line of defense, fell so easily, the early variants of Mirai did not need to utilize more sophisticated techniques or exploit complex device vulnerabilities.
The Practical Guide to Product Security: Closing the Password Authentication Gap
The reason we put together this practical guide is that password exploits such as those described above are one of the simplest, and most frequently used, methods to break into connected devices.
The goal of this document is to help you ensure that your connected products are secure when it comes to password authentication by clearly explaining the following information: - What is required to achieve optimal authentication for connected products? - Why it is so important to put each of these key recommendations into practice? - How should the recommendations be implemented during the development phase?
After you read this guide, you will be able to make sure that your connected devices provide optimal password security. This would require you to implement every one of the 13 recommendations in this document but putting even a few of them into practice is a good first step towards significantly reducing the attack surface of your devices.
Teaser Recommendation: Avoid Weak, Default and Well-known Passwords
- What does this recommendation mean? When defining a password on the device, check the password against an external password list that contains values that are known to be overly common or compromised. Reject any password that is found on the list.
- Why is it important to address this problem? Weak or known passwords are the most common and simplest way to attack devices. An attacker who correctly guesses the password can compromise a device by logging in, and then performing operations and abusing the system on behalf of the user. For example, they can read the user's personal information, and completely hijack the device by replacing the user's credentials with the attacker's own.
- How can I resolve this security gap? Use online APIs or downloadable database files of known passwords to check password values. The guide includes a bash script that takes a password as the command line argument, creates its hash, submits a short prefix of that hash to the pwnedpasswords API, and then checks the results. The full hash remains undisclosed to avoid compromising the password.
Secure Password Authentication Has Become a Must-have for Connected Devices
For home users, passwords are the most reasonable means to log in to their connected devices, while in business environments passwords can be used for remote administration because they're simple to implement and deploy. Whatever the reason, passwords expose systems to unnecessary risks which poses a challenge – how do we make them as secure as possible in order to reduce the risk?
Strong device authentication is required to ensure that connected products can be trusted to be what they purport to be. While automated scanning solutions can help determine if proper security measures have been taken when configuring the product, it is equally important for device end-users, owners and operators to be aware of these security concerns and demand proper solutions. Only then will manufacturers truly become responsible for they secure configuration and operation of their devices.
Download the guide to learn more about how password authentication gets compromised and, even better, how to solve these issues when it comes to your connected products. The guide includes 13 concrete recommendations for improving password-related security, as well as the code needed to mitigate these security vulnerabilities.