The Cybersecurity and Infrastructure Agency (CISA) urges technology vendors to eliminate default passwords for hardware and software, to decrease hacking activities that exploit known, default vendor credentials. The announcement by CISA comes only a month after Iranian-linked hackers known as “Cyber Av3ngers” exploited default credentials on U.S. water facilities. It’s part of a new “Secure by Design” alert it hopes to compel vendors to action.
CISA said it’s time for technology and security vendors to “take ownership of customer security outcomes” by not passing the buck and responsibility to customers.
“Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure,” the agency said.
CISA Secure By Design Alert Principles
Our new Secure by Design Alert urges every technology manufacturer to eliminate default passwords in the design, release, and update of all products. We need to be #SecureByDesign to better protect customers: https://t.co/9GZqihU88V pic.twitter.com/dyUSWZ1oTA
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 15, 2023
CISA’s X account promoting its “Secure by Design” Alert calling for the elimination of default passwords. (Source: X)
The agency is offering example “Secure by Design” principles it hopes vendors will adopt to make the transition away from default passwords and credentials. Among the recommendations are:
- Provide instance-unique setup passwords with the product
- Provide time-limited setup passwords that disable themselves when a setup process is complete and require activation of more secure authentication approaches, such as phishing-resistant MFA
- Require physical access for initial setup and the specification of instance-unique credentials
The agency has been tracking the weaknesses and cyber exposure that default credentials pose for years and has public guidance dating back to 2016 available on its website.
Default credentials and passwords enabled Iranian-linked U.S. water facility hacks
While the recent attacks by the Iranian hacking group were not novel or sophisticated, the attacks highlight “the significant potential for real-world harm caused by manufacturers distributing products with static default passwords,” CISA stated.
The U.S. water facility cyberattacks targeting programmable logic controllers (PLCs) were hardcoded with a 4-digit static password. That allowed the cyberattackers to use known, default static passwords to disrupt the PLCs once they were confident in the actual PLC device and vendor that was used in each targeted environment.
Deputy National Security Advisor Anne Neuberger concurs on the impact that eliminating default credentials would have. “Some pretty basic practices would have made a big difference there,” Neuberger stated about the U.S. water facility hacks.
“We need to be locking our digital doors. There are significant criminal threats, as well as capable countries — but particularly criminal threats — that are costing our economy a lot,” Neuberger added.
CISA has released a full “Secure by Design Alert” offering best practices and guidance on the cyber risks default credentials pose in a PDF. The PDF can be accessed from CISA’s website (PDF link).
