I have a solution, but the punters won't like it
Just this: force the purchaser to set the password before the IOS device can be used and build in a list of well-known stupid passwords that it won't accept.
Microsoft's Security Response Center has issued a bunch of recommendations for orgs to protect against nation-state network intrusion via insecure IoT devices. A report by the Windows giant's security unit describes three incidents earlier this year, where a VoIP phone, an office printer and a video decoder were compromised. …
Just this: force the purchaser to set the password before the IOS device can be used and build in a list of well-known stupid passwords that it won't accept."
I'm OK. I don't use IOS. FreeBSD, Linux, Android and Windows (wifes laptop). Nary an Apple product in site.
Forcing people to change the password makes it less "user friendly". They want people to be able to buy something and get it working with the least possible amount of effort, and without all the support calls from people saying "I forgot my password".
Honestly for stupid stuff like a light bulb a hardcoded password is probably just fine - just make it different for each one and printed on the label so it is easy to look up if you forget it. Sure, let people change the password if they want, but if the default password is a random sequence of 6 digits and it lengthens the time between retries for every wrong password no automated attack will ever break into it...
I switched ISP yesterday. Whilst I was waiting to get hold of the VDSL passwords from them, in order to connect my own router up, I tried using their router in Bridge mode.
Connected laptop up, accessed Web interface. Simple default password being name of ISP. But it then forced a password change. Usual silly rules. Didn't like my normal format of password for IoT devices, but was quite happy with P@ssword123. Far more faffing about than I needed when it was only going to be used for a couple of hours at most just to stop the kids wailing.
And of course, for the vast majority of users whom just get the box and plug it in, it would have been sat there still on the obvious default password. Absolutely no point in making it hard for me to get in and change a few settings. They supplied a random wifi password on the sticker underneath, why not a random management password?
...including the reports authors, MS, constantly taking away or making it difficult to find settings and dumbing everything down. Not only have they messed with Control Panel with every iteration of Windows, they even managed to create two different Settings/Control Panel which sometime affect the same settings, sometimes affect different sets of settings.
Microsoft attributed the attacks to a nation-state group it calls STRONTIUM, which largely targets governments, IT, military, defence and engineering organisations – as well as anti-doping agencies, political groups, and the hospitality industry.
Hey, it could be anyone, I mean there's lots of nation states with grudges against anti-doping agencies...
Maybe they should have gone with MOSCOVIUM...
I've just installed air conditioning to the house, it comes with perfectly functional remotes to control the indoor units but 'features' WiFi connection to replicate these remotes by using Android or iOS applications, so not only is there an attack surface in the WiFi modules themselves, but also the opportunity in the (no doubt) shonky code used in the applications themselves - oh, and for bonus points, there's QR codes pointing to who-knows-where to download the applications....
Needless to say, the indoor units have been neutered by removal of the (thankfully plug-in) WiFi modules and the QR codes have been dealt with by the shredder.
Why do these companies think we 'need' WiFi connectivity to everything, just because it's possible?
You're right about the sales metrics - I won't show on the conversion metrics though - done a bit of digging into the 'app', it naturally requires registration, either by email or by mobile phone and appears to be a subset of the TUYA (their shouty caps, not mine) platform which looks as oily as a chipshop window. Believe me, If there was something non-connected at the convergence of price, quality & capability, i'd have bought that in preference.
I'm not nominally a fan of IoS**T, although an exception is my hot tub. Being able to remote into it to tell it to warm up before leaving the office; or check the pH and chlorine levels electronically is all rather convenient. Western World problems, eh?
It is sat behind a Netgear range extender with firewall thoroughly closed off, and behind my home network also.
Interestingly, the supplier's own policy is such that they will not touch a users home network AT ALL, under any circumstances, because if something later messes up with the home network (suppliers fault or not) they do not want to be accused of being responsible for it. On the plus side, this means a nerd like me can configure the hardware to reasonably secure the system. For those mere mortals that bodge their way through on default passwords, well, they are doomed.
The vendor is pretty thorough at issuing firmware updates for the PLC on the tub too.
Just got to be careful of stuff with hardcoded DNS servers in them, I'm using a Pi-hole to stop various unwanted outgoings & incomings, had to also block port 53 at the router to all other local IP's due to Panasonic, Sony and a 'SamKnows' box attempting to bypass my control of traffic, need to sort out DoH traffic now...
... corporations still ship connected gear with a default password.
Sadly, I suspect this will not change until Engineering is in charge of releasing product again, and Marketing is completely out of that particular part of the product development loop. Has anyone talked to the corporate lawyers about potential class action lawsuits yet?
Let's face it, the only reason why you need to have printers and what-have-you on the public Internet is so that the appropriate vendor can snoop on the device's usage and use it to either market or sell/rent you stuff. (Sounds silly? HP has a sort of rental option for its domestic and small business printers....)
If the device didn't need to phone home all the time then it wouldn't need to initiate Internet connections, it would be just a peripheral that did what you told it to. You'd be surprised how little a network stack you can get away with if you build kit that only works with datagrams** -- UDP -- and only speaks when its spoken to. No additional connections to initiate, no DNS to hijack, just a quiet life of getting on with whatever the user wants it to do.
(**One of my pet peeves is the common practice of taking a stream protocol -- TCP -- and putting a crude protocol on it to break the data into frames. Talk about inefficient.......unreliable.....insecure......but it all makes work for the working person to do........)
Biting the hand that feeds IT © 1998–2019