The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a call to technology manufacturers, urging them to discontinue the practice of providing devices and software with default passwords. CISA emphasizes that threat actors can exploit these default credentials as a backdoor to infiltrate vulnerable devices exposed online. While default passwords are often used for manufacturing efficiency or large-scale deployments, the failure to change these defaults poses a security risk, allowing attackers to bypass authentication measures and potentially compromise an organization’s entire network.

CISA’s Security by Design (SbD) Alert emphasizes the need for technology manufacturers to take proactive steps to eliminate the risk of default password exploitation. The agency recommends that manufacturers assume responsibility for customer security outcomes and establish organizational structures and leadership to achieve these security goals. By incorporating these principles into their design, development, and delivery processes, software manufacturers can prevent the exploitation of static default passwords in their customers’ systems.

CISA points out that relying on customers to change default passwords is insufficient based on years of evidence. Instead, the agency suggests alternative approaches for manufacturers, such as providing customers with unique setup passwords for each product instance or using time-limited setup passwords that deactivate after the setup phase, prompting administrators to activate more secure authentication methods like Multi-Factor Authentication (MFA). Manufacturers can also consider mandating physical access for initial setup and specifying distinct credentials for each instance.

This advisory from CISA echoes a notice issued years ago, underscoring the security vulnerabilities associated with default passwords, particularly in critical infrastructure and embedded systems. CISA highlights the ease with which attackers can identify and access internet-connected systems using shared default passwords.

Recently, Iranian hackers exploited this vulnerability by using a ‘1111’ default password for Unitronics programmable logic controllers (PLCs) exposed online, compromising U.S. critical infrastructure systems, including a water facility. CISA’s alert serves as a timely reminder of the ongoing risks and the need for manufacturers to address default password security concerns in their products.
