back to article Even tech giants find themselves telling folk not to use default passwords on Internet of S**t kit

Microsoft's Security Response Center has issued a bunch of recommendations for orgs to protect against nation-state network intrusion via insecure IoT devices. A report by the Windows giant's security unit describes three incidents earlier this year, where a VoIP phone, an office printer and a video decoder were compromised. …

  1. Martin Gregorie Silver badge

    I have a solution, but the punters won't like it

    Just this: force the purchaser to set the password before the IOS device can be used and build in a list of well-known stupid passwords that it won't accept.

    1. Pascal Monett Silver badge

      The punters wouldn't care much, I wager. It's the makers who couldn't be arsed.

      1. Doctor Syntax Silver badge

        It's the makers who need to be forced to force the punters.

    2. John Brown (no body) Silver badge
      Joke

      Re: I have a solution, but the punters won't like it

      Just this: force the purchaser to set the password before the IOS device can be used and build in a list of well-known stupid passwords that it won't accept."

      I'm OK. I don't use IOS. FreeBSD, Linux, Android and Windows (wifes laptop). Nary an Apple product in site.

      1. jake Silver badge

        Re: I have a solution, but the punters won't like it

        Shirley you mean no Apple products on site.

        1. John Brown (no body) Silver badge

          Re: I have a solution, but the punters won't like it

          Damn! I didn't even notice that typo! "Sight", obviously :-)

          1. jake Silver badge
            Pint

            Re: I have a solution, but the punters won't like it

            So you hide your Apple products from prying eyes?

            Beer. It's probably the best available answer.

    3. DougS Silver badge

      I assume you meant "IoT device"

      Forcing people to change the password makes it less "user friendly". They want people to be able to buy something and get it working with the least possible amount of effort, and without all the support calls from people saying "I forgot my password".

      Honestly for stupid stuff like a light bulb a hardcoded password is probably just fine - just make it different for each one and printed on the label so it is easy to look up if you forget it. Sure, let people change the password if they want, but if the default password is a random sequence of 6 digits and it lengthens the time between retries for every wrong password no automated attack will ever break into it...

      1. NetBlackOps

        Re: I assume you meant "IoT device"

        IOS == Internet Of Shit?

        1. DougS Silver badge
          Angel

          Re: I assume you meant "IoT device"

          Ah I thought we were talking about Internet of Turd.

      2. irrelevant

        Re: I assume you meant "IoT device"

        This!

        I switched ISP yesterday. Whilst I was waiting to get hold of the VDSL passwords from them, in order to connect my own router up, I tried using their router in Bridge mode.

        Connected laptop up, accessed Web interface. Simple default password being name of ISP. But it then forced a password change. Usual silly rules. Didn't like my normal format of password for IoT devices, but was quite happy with P@ssword123. Far more faffing about than I needed when it was only going to be used for a couple of hours at most just to stop the kids wailing.

        And of course, for the vast majority of users whom just get the box and plug it in, it would have been sat there still on the obvious default password. Absolutely no point in making it hard for me to get in and change a few settings. They supplied a random wifi password on the sticker underneath, why not a random management password?

  2. Roj Blake Silver badge

    Strontium Dog

    I'm very disappointed that you've done an article on STRONTIUM without any pictures of Johnny Alpha, Wulf Sternhammer, or Middenface McNulty.

    1. RockBurner

      Re: Strontium Dog

      Wot, no Gronk?

    2. Excellentsword (Written by Reg staff)

      Re: Strontium Dog

      Toyed with the idea of shoehorning something like "STRONTIUM, dog" in headers somewhere for you nerds, but nah.

      1. Solarflare

        Re: Strontium Dog

        And this is why you're only 'Excellent'sword, rather than 'Perfect'sword.

    3. Loyal Commenter Silver badge

      Re: Strontium Dog

      More importantly, Durham Red...

  3. GreenJimll

    > Customers may still think of devices like printers and phones as appliances

    Probably not helped by lots of computer system vendors selling folk products called "appliances".

    1. John Brown (no body) Silver badge

      ...including the reports authors, MS, constantly taking away or making it difficult to find settings and dumbing everything down. Not only have they messed with Control Panel with every iteration of Windows, they even managed to create two different Settings/Control Panel which sometime affect the same settings, sometimes affect different sets of settings.

  4. Anonymous Coward
    Anonymous Coward

    Strontium

    Strange way to spell Russia?

    1. Loyal Commenter Silver badge

      Re: Strontium

      Microsoft attributed the attacks to a nation-state group it calls STRONTIUM, which largely targets governments, IT, military, defence and engineering organisations – as well as anti-doping agencies, political groups, and the hospitality industry.

      Hey, it could be anyone, I mean there's lots of nation states with grudges against anti-doping agencies...

      Maybe they should have gone with MOSCOVIUM...

    2. Doctor Syntax Silver badge

      Re: Strontium

      "Strange way to spell Russia?"

      Maybe they think it's Scotland.

      1. John Brown (no body) Silver badge

        Re: Strontium

        Noviscotia?

        1. Doctor Syntax Silver badge

          Re: Strontium

          http://streetmap.co.uk/map.srf?X=181665&Y=761785&A=Y&Z=120

          1. jake Silver badge

            Re: Strontium

            For those who don't get the reference, look up strontianite (SrCO3) ... but be careful, you might learn something.

  5. Carma

    I've just installed air conditioning to the house, it comes with perfectly functional remotes to control the indoor units but 'features' WiFi connection to replicate these remotes by using Android or iOS applications, so not only is there an attack surface in the WiFi modules themselves, but also the opportunity in the (no doubt) shonky code used in the applications themselves - oh, and for bonus points, there's QR codes pointing to who-knows-where to download the applications....

    Needless to say, the indoor units have been neutered by removal of the (thankfully plug-in) WiFi modules and the QR codes have been dealt with by the shredder.

    Why do these companies think we 'need' WiFi connectivity to everything, just because it's possible?

    1. Anonymous Coward
      Anonymous Coward

      Because they all have magic beans to sell. Everyone buys them. Everyone.

      Even you did, though mitigating the problem. You still show on their sales metrics.

      We cannot win, only change how we lose.

      1. Commswonk Silver badge

        We cannot win, only change how we lose.

        Brilliant. Depressing, but brilliant.

      2. Carma

        You're right about the sales metrics - I won't show on the conversion metrics though - done a bit of digging into the 'app', it naturally requires registration, either by email or by mobile phone and appears to be a subset of the TUYA (their shouty caps, not mine) platform which looks as oily as a chipshop window. Believe me, If there was something non-connected at the convergence of price, quality & capability, i'd have bought that in preference.

        1. Anonymous Coward
          Anonymous Coward

          I guess that is a win then.

          Like all those buying the Amazon Buttons for salvaged microcontrollers. ;)

    2. batfink Bronze badge

      Of course you want to adjust your air-conditioning while you're not there! What are you thinking man?

      It's like using Alexa to turn off the lights instead of using the fucking switch.

      1. DougS Silver badge

        Alexa is like the return of the "clapper" (probably you didn't get those commercials in the UK, google it and I'm sure you can find the commercial) for super lazy people who can't be bothered to flip a switch or touch a button on a remote.

  6. Will Godfrey Silver badge
    Unhappy

    Waste of effort

    Joe sixpack doesn't understand, doesn't want to understand, and will aggressively resist any attempt to teach him.

    It's simply "I want now!".

    Oh, of course the same is true for Jane.

    1. Doctor Syntax Silver badge

      Re: Waste of effort

      "will aggressively resist any attempt to teach him."

      But may eventually be taught by experience.

      1. Anonymous Coward
        Anonymous Coward

        Re: Waste of effort

        Naive much?

        1. Doctor Syntax Silver badge

          Re: Waste of effort

          Experience is a dear teacher but there are those who will learn at no other.

          Or to put it less elegantly, reality can come and bite you in the arse.

  7. Binraider666

    Western World Problems

    I'm not nominally a fan of IoS**T, although an exception is my hot tub. Being able to remote into it to tell it to warm up before leaving the office; or check the pH and chlorine levels electronically is all rather convenient. Western World problems, eh?

    It is sat behind a Netgear range extender with firewall thoroughly closed off, and behind my home network also.

    Interestingly, the supplier's own policy is such that they will not touch a users home network AT ALL, under any circumstances, because if something later messes up with the home network (suppliers fault or not) they do not want to be accused of being responsible for it. On the plus side, this means a nerd like me can configure the hardware to reasonably secure the system. For those mere mortals that bodge their way through on default passwords, well, they are doomed.

    The vendor is pretty thorough at issuing firmware updates for the PLC on the tub too.

    1. Carma

      Re: Western World Problems

      Just got to be careful of stuff with hardcoded DNS servers in them, I'm using a Pi-hole to stop various unwanted outgoings & incomings, had to also block port 53 at the router to all other local IP's due to Panasonic, Sony and a 'SamKnows' box attempting to bypass my control of traffic, need to sort out DoH traffic now...

  8. jake Silver badge

    It's 2019 and ...

    ... corporations still ship connected gear with a default password.

    Sadly, I suspect this will not change until Engineering is in charge of releasing product again, and Marketing is completely out of that particular part of the product development loop. Has anyone talked to the corporate lawyers about potential class action lawsuits yet?

  9. martinusher Silver badge

    I have a solution but the vendors won't like it

    Let's face it, the only reason why you need to have printers and what-have-you on the public Internet is so that the appropriate vendor can snoop on the device's usage and use it to either market or sell/rent you stuff. (Sounds silly? HP has a sort of rental option for its domestic and small business printers....)

    If the device didn't need to phone home all the time then it wouldn't need to initiate Internet connections, it would be just a peripheral that did what you told it to. You'd be surprised how little a network stack you can get away with if you build kit that only works with datagrams** -- UDP -- and only speaks when its spoken to. No additional connections to initiate, no DNS to hijack, just a quiet life of getting on with whatever the user wants it to do.

    (**One of my pet peeves is the common practice of taking a stream protocol -- TCP -- and putting a crude protocol on it to break the data into frames. Talk about inefficient.......unreliable.....insecure......but it all makes work for the working person to do........)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019