CISA really wants tech makers to stop using default passwords


The US Government's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging manufacturers to stop shipping their internet-connected products with default passwords.

CISA says these default passwords pose a substantial risk to organizations: if the factory credentials are never changed, as users are expected to do, attackers can walk straight into the systems they protect.

The agency cited the recent activity of threat actors linked to the Islamic Revolutionary Guard Corps (IRGC) as a case in point, as they used default passwords to break into critical infrastructure systems across the US.

Better alternatives

Attackers can easily search the internet for devices belonging to a given organization. The default passwords those devices ship with are just as easy to find, since they are published in manuals and on public lists, and many organizations never change them.

Attackers rely on this: a working default password gives them an easy foothold, a starting point for lateral movement across the organization's network, and often administrative control of the device itself.

The IRGC-linked hackers were found breaching programmable logic controllers (PLCs) using the default password the devices shipped with, which gave them full control of the controllers. The PLCs were in use at water and wastewater systems in the US.

CISA says that in this case, the default passwords were spread across underground forums commonly used by cybercriminals, and anyone could have found them.

In light of this attack, CISA is advising vendors to either supply a unique setup password for each individual unit of a product, or to deactivate the default password after a set period, so that users are forced to replace it with a unique password of their own.

Other authentication measures were also suggested, such as multi-factor authentication (MFA) and requiring physical access to the device during setup.
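The two vendor-side alternatives described above (a unique setup password minted per unit, and a setup credential that is deactivated after a time window and must be replaced before the device is usable) can be modelled as a small credential state machine. The following is an added example written for this page, not CISA's guidance text or any vendor's firmware; the 24-hour setup window, the 12-character minimum, and the short blocklist of common defaults are assumed policy values chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed policy values (not from the article): how long the factory setup
# password stays valid after first boot, and the minimum length of the
# replacement the user must choose.
SETUP_WINDOW_SECONDS = 24 * 3600
MIN_PASSWORD_LEN = 12

# Constructed blocklist of widely shared vendor defaults; a real product would
# ship a much larger list.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "1111", "root", "default"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped credential store is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentials:
    """Credential state for one manufactured unit.

    States: "setup"       - factory password active, must be replaced before use
            "provisioned" - user-chosen password in force
            "locked"      - setup password expired unused; factory reset required
    """

    def __init__(self, serial: str, first_boot: float):
        self.serial = serial
        # Unique per unit, minted at manufacture and printed on the label;
        # never shared across the product line.
        self.setup_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._hash = _hash_password(self.setup_password, self._salt)
        self.state = "setup"
        self.first_boot = first_boot

    def _matches(self, password: str) -> bool:
        candidate = _hash_password(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)

    def authenticate(self, password: str, now: float) -> str:
        """Return "ok", "must_change" (setup login: only the change flow opens) or "denied"."""
        if self.state == "setup" and now - self.first_boot > SETUP_WINDOW_SECONDS:
            # Deactivate the setup credential once its window closes.
            self.state = "locked"
        if self.state == "locked" or not self._matches(password):
            return "denied"
        return "must_change" if self.state == "setup" else "ok"

    def change_password(self, current: str, new: str, now: float) -> bool:
        """Replace the active credential; retires the setup password on first use."""
        if self.authenticate(current, now) == "denied":
            return False
        if (len(new) < MIN_PASSWORD_LEN
                or new.lower() in COMMON_DEFAULTS
                or new == self.setup_password):
            return False
        self._salt = os.urandom(16)
        self._hash = _hash_password(new, self._salt)
        self.state = "provisioned"
        return True


def demo() -> dict:
    """Walk two units through the lifecycle and return the observations."""
    a = DeviceCredentials("SN-0001", first_boot=1_000.0)
    b = DeviceCredentials("SN-0002", first_boot=1_000.0)
    results = {"distinct_setup_passwords": a.setup_password != b.setup_password}
    # Unit A: setup login only opens the change flow, then the factory password dies.
    results["setup_login"] = a.authenticate(a.setup_password, now=1_100.0)
    results["weak_rejected"] = a.change_password(a.setup_password, "admin", now=1_100.0)
    results["strong_accepted"] = a.change_password(a.setup_password, "correct-horse-battery", now=1_100.0)
    results["old_setup_after_change"] = a.authenticate(a.setup_password, now=1_200.0)
    results["user_login"] = a.authenticate("correct-horse-battery", now=1_200.0)
    # Unit B: never provisioned; its setup password is deactivated after the window.
    results["expired_setup"] = b.authenticate(b.setup_password, now=1_000.0 + SETUP_WINDOW_SECONDS + 1)
    results["state_b"] = b.state
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is that a leaked factory credential is only useful against the one unit it was minted for, and only until that unit is either provisioned or its setup window closes; a list of such passwords traded on a forum, as in the PLC case above, would buy an attacker nothing against the rest of the fleet.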

CISA also urged manufacturers to adopt secure by design principles, and to make clear to users that security weaknesses in these products can have consequences for the wider public.

CISA also suggested field testing, so that manufacturers can see how customers actually deploy and use their products, and decide on that basis how to secure the devices properly.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.
