As the popularity of Internet of Things (IoT) products grows, there is an increasing need to improve security to stop potential cyber threats. By Joe Lomako, Business Development Manager (IoT) at TÜV SÜD.
Authentication, which verifies the identity of a user or process, is the first line of defence for consumer IoT devices. To grant access to a device, an identifier such as a username is presented, and authentication is then required so that the user can prove that identity.
Authentication can be based on several different methods, the most common being passwords and biometrics, such as a fingerprint or facial recognition. However, if weak passwords are used, vulnerability is increased. Weak passwords include ones that are:
• Easily brute-forced – e.g. a short length (less than six characters), a predictable sequence (e.g. 123456), and/or a word that can be found in a dictionary
• Susceptible to social engineering – for example, if a person’s name is Peter and they use the password ‘Peter01’
• Unchangeable – so they can be retrieved by reading the software’s source code
To help mitigate weak passwords, common recommendations include using one that is at least eight characters long and including characters from at least three different character classes, such as digits, lowercase letters, uppercase letters and special characters. However, manufacturers may ship a device with a universal default password: the same password is used on all devices of the same model when they are in an operational state, creating a vulnerability which can be exploited by hackers.
‘Brute force’ is a popular way for hackers to gain access to a product. This type of attack involves ‘guessing’ credentials to gain unauthorised access to a system; a hacker can send millions of requests in an attempt to guess the credentials.
So, even if the owner changes their username and password, the credentials need to be completely unique. For example, a default password built from the ‘model + factory batch number’ would be too easy to guess, whereas a proper generation mechanism produces a randomly generated password such as ‘F2wD34h%sd2hod89’. Manufacturers of IoT products should therefore ensure that, if a password is used by default on a device, it is unique for each device and its generation method cannot be easily guessed.
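The weak-password criteria and the per-device generation requirement described above, as an added illustration that is not from the article or from TÜV SÜD: a policy checker (length, character classes, predictable sequences, dictionary words, the user's own name) and a generator that draws every character from the OS random source and takes no device attribute as input. The short word list and the thresholds are constructed for the example.

```python
import secrets
import string

# Constructed, deliberately tiny word list standing in for a real dictionary check.
COMMON_WORDS = {"password", "admin", "letmein", "welcome", "qwerty"}
ALPHABET = string.ascii_letters + string.digits + "!%&*+-=?@_"


def char_classes(pw):
    """Count how many of the four classes (digit, lower, upper, special) appear."""
    count = sum(1 for test in (str.isdigit, str.islower, str.isupper)
                if any(test(c) for c in pw))
    if any(c in string.punctuation for c in pw):
        count += 1
    return count


def is_predictable_sequence(pw):
    """True for monotonic runs such as 123456 or abcdef and for repeated characters."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def weak_password_reasons(pw, user_name=""):
    """Return the list of policy failures; an empty list means the password passes."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        reasons.append("fewer than 3 character classes")
    if is_predictable_sequence(pw):
        reasons.append("predictable sequence")
    if pw.lower() in COMMON_WORDS:
        reasons.append("dictionary word")
    if user_name and user_name.lower() in pw.lower():
        reasons.append("contains the user's name")
    return reasons


def generate_device_password(length=16):
    """Per-device default password from the OS CSPRNG, resampled until it passes policy.
    No model, batch or serial number goes in, so one device's password says nothing
    about another's (the 'model + batch number' scheme the article warns against)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weak_password_reasons(pw):
            return pw
```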
Devices can also prevent millions of brute-forcing attempts with other methods such as:
• Account lockouts after failed attempts
• Using CAPTCHA
• Limiting logins to a specified IP address or range
• Two-factor Authentication (2FA)
• Using unique login URLs
ETSI EN 303 645 cybersecurity standard
The ETSI EN 303 645 cybersecurity standard addresses cybersecurity concerns in consumer IoT devices. It provides a comprehensive set of provisions for device manufacturers and the industry at large to strengthen cybersecurity for these devices. The standard also provides a basis for certification of IoT products. Containing 13 sections, it is a globally applicable cybersecurity norm for consumer IoT devices covering the security needs of equipment, communication and personal data protection.
The first section of ETSI EN 303 645 covers the use, or rather misuse, of weak passwords. We can see that the provisions rule out using passwords that can be easily guessed or hacked by brute force, while also calling for ways to allow users to change authentication passwords. It states that no universal default passwords shall be used and that the following shall apply for consumer IoT product passwords:
• Where passwords are used in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user
• Where pre-installed unique per device passwords are used, these shall be generated with a mechanism that reduces the risk of automated attacks against a class or type of device
• Authentication mechanisms used to authenticate users against a device shall use best practice cryptography, appropriate to the properties of the technology, risk and usage
• Where a user can authenticate against a device, the device shall provide to the user or an administrator a simple mechanism to change the authentication value used
• When the device is not a constrained device, it shall have a mechanism available which makes brute force attacks on authentication mechanisms via network interfaces impracticable.
Consumers are increasingly paying attention to cybersecurity for their consumer IoT devices. Device manufacturers can therefore provide greater confidence and reassurance to consumers when making purchases by testing and certifying their products under the ETSI EN 303 645 standard.
This article originally appeared in the August’25 magazine issue of Electronic Specifier Design – see ES’s Magazine Archives for more featured publications.