Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged technology manufacturers to stop providing software and devices with default passwords.
Once discovered, such default credentials can be used by threat actors as a backdoor to breach vulnerable devices exposed online. Default passwords are commonly used to streamline the manufacturing process or help system administrators deploy large numbers of devices within an enterprise environment more easily.
Nonetheless, the failure to change these default settings creates a security weakness that attackers can exploit to circumvent authentication measures, potentially compromising the security of the affected organization’s entire network.
“This SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation,” CISA said, by taking “ownership of customer security outcomes” and building “organizational structure and leadership to achieve these goals.”
“By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers’ systems.”
“Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations,” CISA added.
Alternatives to default passwords
The U.S. cybersecurity agency advised manufacturers to provide customers with unique setup passwords tailored to each product instance as an alternative to using a singular default password across all product lines and versions.
Moreover, they can implement time-limited setup passwords designed to deactivate once the setup phase concludes and prompt admins to activate more secure authentication methods, such as phishing-resistant Multi-Factor Authentication (MFA).
Another possibility involves mandating physical access for the initial setup and specifying distinct credentials for each instance.
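As an added illustration (not code from CISA or any vendor), the sketch below shows how a manufacturer's provisioning service could combine the first two alternatives: a random setup password unique to each unit that stops working when a time limit passes or setup completes. The class name, the serial-number key, the 24-hour window and the PBKDF2 parameters are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SETUP_TTL_SECONDS = 24 * 3600  # assumed setup window; the alert names no duration


class SetupCredentials:
    """Per-device, time-limited setup passwords (hypothetical provisioning helper)."""

    def __init__(self, ttl=SETUP_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}  # serial -> (salt, digest, expiry timestamp)

    @staticmethod
    def _digest(password, salt):
        # Only a salted hash is stored, so a database leak does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, serial):
        """Generate a random password unique to this unit; store only its hash."""
        password = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        expiry = self._clock() + self._ttl
        self._records[serial] = (salt, self._digest(password, salt), expiry)
        return password  # printed on the unit's label or delivered out of band

    def verify(self, serial, password):
        """Accept the setup password only while it exists and has not expired."""
        record = self._records.get(serial)
        if record is None:
            return False
        salt, digest, expiry = record
        if self._clock() >= expiry:
            del self._records[serial]  # expired: deactivated for good
            return False
        # Constant-time comparison avoids leaking digest bytes through timing.
        return hmac.compare_digest(digest, self._digest(password, salt))

    def complete_setup(self, serial, password):
        """Finish setup: the setup password is deleted and cannot be reused."""
        if not self.verify(serial, password):
            return False
        del self._records[serial]
        return True  # caller now enrolls the admin's own credentials and MFA
```

Because no password is shared between units, learning one device's setup password gives no access to any other device, and a unit that has finished setup no longer accepts it at all.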
Ten years ago, CISA issued another advisory notice highlighting the security vulnerabilities associated with default passwords. The advisory specifically underscored the heightened risk factors to critical infrastructure and embedded systems.
“Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical and important systems,” the cybersecurity agency said.
“Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment.”
Iranian hackers recently employed this approach, using a ‘1111’ default password for Unitronics programmable logic controllers (PLCs) exposed online to breach U.S. critical infrastructure systems, including a U.S. water facility.