Recently, the Cybersecurity and Infrastructure Security Agency (CISA) has requested technology device manufacturers to take measures to eliminate default passwords due to the threats posed by IRGC actors. The use of default passwords makes it easier for hackers to gain access to devices and exploit them for nefarious purposes.
The critical infrastructure of the United States was recently targeted by threat actors who were successful in their attempts to exploit it. The attackers were able to gain access to the infrastructure by exploiting static default passwords.
Based on recent and continuing threat activity, CISA is issuing an alert to require all technology manufacturers to remove default passwords from all product designs, releases, and updates. Evidence has shown that it is insufficient to rely on consumers to change their passwords, and action by technology manufacturers is necessary to effectively address the threats.
To address the problem of default passwords, manufacturers are urged to:
- Provide instance-unique setup passwords with the product.
- Establish time-limited setup passwords that require activation of more secure authentication methods, including phishing-resistant MFA, and disable themselves after the setup process.
Manufacturers should also ensure that design and development teams engineer products with built-in security and safety by default.
This request by CISA highlights the importance of maintaining strong security measures and regularly updating passwords to prevent unauthorized access to critical infrastructure systems. It also emphasizes the need for manufacturers to take responsibility for the security of their devices and eliminate default passwords.