OWASP For IoT Security - 1

I1: Weak, guessable, or hardcoded passwords

Passwords verify a user's identity and grant access to a device's security settings, administrative functions, and personal data. Poor password creation or administration is a serious security concern, especially since many device owners never change the default password. Password reuse and weak passwords remain two of the most serious cybersecurity threats. There are various strategies to improve password security, but users and administrators rarely use them.

A length and complexity policy is the most popular password policy implemented by administrators, in online applications and other systems alike. A complex password, for example, may be required to have at least 8 characters, including uppercase and lowercase letters, numerals, and special characters. This policy, however, is ineffective and should not be encouraged. Another typical strategy used by online systems to improve password security is requiring users to change their passwords regularly. Such systems generally store hashes of prior passwords and prevent users from reusing any of them. Unfortunately, such password requirements give users a false sense of security because they are easily circumvented.

To secure these systems, IT administrators should set up login policies that require users and administrators to change default device passwords as soon as possible. The same policy should require that devices are given new passwords built from special and complex character combinations before they are redeployed to live environments.
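As an added illustration (not code from the original article), the following Python check applies the policy described above: it rejects a candidate that matches the device's factory default or a well-known common password, enforces a minimum length, and compares the candidate against salted hashes of previous passwords so that the history never stores plaintext. The denylist contents, the minimum length, the device_default argument and the (salt, digest) history format are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed denylist of well-known default and common passwords; a real deployment
# would load a much larger list (for example, a breached-password corpus).
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "root", "default", "qwerty"}
MIN_LENGTH = 12            # assumed policy value
PBKDF2_ROUNDS = 100_000

# Problem codes returned by the checker.
TOO_SHORT = "too_short"
IS_DEVICE_DEFAULT = "matches_device_default"
IS_COMMON = "in_common_password_list"
IS_REUSED = "reused_from_history"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, used for both storage and history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember_password(history: list, password: str) -> None:
    """Append a (salt, digest) pair so the plaintext never has to be kept."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def password_problems(candidate: str, device_default: str, history: list) -> list:
    """Return a list of problem codes; an empty list means the candidate is acceptable.

    Assumptions (not from the article): device_default is the factory password shipped
    with the unit, and history holds (salt, digest) pairs made by remember_password().
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    folded = candidate.casefold()
    if folded == device_default.casefold():
        problems.append(IS_DEVICE_DEFAULT)
    if folded in COMMON_PASSWORDS:
        problems.append(IS_COMMON)
    for salt, digest in history:
        # Recompute with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(IS_REUSED)
            break
    return problems


if __name__ == "__main__":
    history = []
    remember_password(history, "factory-default-1234")   # constructed factory password
    print(password_problems("admin", "factory-default-1234", history))
    print(password_problems("factory-default-1234", "factory-default-1234", history))
    print(password_problems("correct horse battery staple", "factory-default-1234", history))
```

Because the history holds only salted digests, a leaked history file does not reveal earlier passwords, and the check against the factory default is case-insensitive so that trivial variations of the default are still caught.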

Hard-coded credentials usually create a significant weakness that allows an attacker to bypass the authentication configured by the software administrator. The system administrator may have difficulty detecting this flaw. Because it can be hard to identify and fix, the administrator may be forced to disable the product entirely. There are two main variants:

Inbound: the software includes an authentication mechanism that compares the credentials supplied at login to a set of credentials hard-coded into the software.

Outbound: the software connects to another system or component, and the credentials used for that connection are hard-coded.

In the Inbound variant, a default administrator account is created and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for every installation of the product, and system administrators normally cannot change or disable it without physically editing the program or updating the software. If the password is ever discovered or published (a common occurrence on the Internet), anyone who knows it can access the product. Finally, because all installations of the program, even across different organisations, share the same password, large-scale attacks such as worms become possible.
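To make the Inbound variant concrete, the following Python example (added here; it is not code from the article or from any product) places the vulnerable pattern beside a hardened replacement: the credential is provisioned per unit at first boot, stored only as a salted digest, and flagged so that the first successful login must replace it. The CredentialStore class, its method names, the placeholder password and the per-unit secret are all assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# --- Vulnerable "inbound" pattern: one literal baked into every unit that ships.
# The value below is a constructed placeholder, not a real product credential.
HARDCODED_ADMIN_PASSWORD = "CHANGEME-placeholder"


def login_vulnerable(username: str, password: str) -> bool:
    """Every installation accepts the same credential; the administrator cannot change it."""
    return username == "admin" and password == HARDCODED_ADMIN_PASSWORD


# --- Hardened replacement: per-unit initial secret, salted digest storage,
# and a forced change before the account is usable for anything else.
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """In-memory stand-in for a device's credential file (assumption: one file per unit)."""

    def __init__(self):
        self._accounts = {}

    def _set(self, username: str, password: str, must_change: bool) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "digest": _digest(password, salt),
            "must_change": must_change,
        }

    def provision_first_boot(self, username: str, unit_secret: str) -> None:
        """Run once per unit with a secret unique to that unit (for example, printed
        on its label). The record is flagged so the first login must replace it."""
        self._set(username, unit_secret, must_change=True)

    def _verify(self, username: str, password: str) -> bool:
        record = self._accounts.get(username)
        if record is None:
            # Spend a digest anyway so unknown accounts take as long as known ones.
            _digest(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(_digest(password, record["salt"]), record["digest"])

    def authenticate(self, username: str, password: str) -> str:
        """Return 'denied', 'change_required', or 'ok'."""
        if not self._verify(username, password):
            return "denied"
        if self._accounts[username]["must_change"]:
            return "change_required"
        return "ok"

    def change_password(self, username: str, current: str, new: str) -> bool:
        """Replace the stored digest; refuses a wrong current password or an unchanged one."""
        if not self._verify(username, current) or new == current:
            return False
        self._set(username, new, must_change=False)
        return True


if __name__ == "__main__":
    unit = CredentialStore()
    unit.provision_first_boot("admin", "unit-A-secret")   # constructed per-unit secret
    print(unit.authenticate("admin", "unit-A-secret"))    # change_required
    unit.change_password("admin", "unit-A-secret", "new-strong-passphrase")
    print(unit.authenticate("admin", "new-strong-passphrase"))  # ok
```

The same store shape applies to the Outbound variant: credentials the device uses to reach another component belong in a per-unit, writable configuration that the administrator can rotate, not in the binary.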
