Forgot the password? Your device is bricked.

M76 ([H]F Junkie, joined Jun 12, 2012, 14,031 messages)
IoT device manufacturers must be thrilled by new UK legislation that requires the use of unique default passwords on all connected devices and, more importantly, bans the password reset feature.

This means if you forget the password and don't have the original documentation with your unique password, you can throw out the device because it is basically bricked.

Let's be honest, you don't often need the password for most devices, so it is more than likely to get misplaced or forgotten after a few months or years. Chalk another one up for planned obsolescence, this time mandated by the state.

Our aim is to make the UK the world’s leading digital economy. But if we are to achieve this ambition we need to make sure people trust technology.

These measures will mean all the passwords pre-programmed in internet-connected devices must be unique and not resettable to any universal factory setting.

Source
 
The flip side to this is that by NOT doing this, you inevitably create massive bot nets around compromised IoT devices.

The simple solution is to stick / etch the unique password onto the device itself.

These measures will mean all the passwords pre-programmed in internet-connected devices must be unique and not resettable to any universal factory setting.

Correct me if I'm wrong, from this I don't think it's saying you can't reset the password, just that you can't reset it to some universal default like 123456.

In my opinion, this is a MASSIVE step in the right direction.
 
Correct me if I'm wrong, from this I don't think it's saying you can't reset the password, just that you can't reset it to some universal default like 123456.

In my opinion, this is a MASSIVE step in the right direction.

Yes because autistically stupid passwords like A$uW9Iofh4n6MN6RP0Fcvjw%swn#uDIO997 are far easier to remember than Fuckyourpasswordshit_69

The number of times I've had to reset passwords... not just for me but for friends and family. This is going to suck.
 
The simple solution is to stick / etch the unique password onto the device itself.
Set the default password to the MAC address. The MAC is already printed on a sticker on the bottom of most devices. Hackers will have 16.7M combinations to try (based on the first 3 MAC octets being a known vendor static value and the last 3 octets being unique per device).
 
Correct me if I'm wrong, from this I don't think it's saying you can't reset the password, just that you can't reset it to some universal default like 123456.
You can reset the device, but that just resets the original password which is unique to that one device, which if you don't know...
 
The title of this thread is misleading. The device isn't bricked; it's reset to the unique password originally given to the device.

What this legislation is set to prevent is manufacturers giving universal default passwords and allowing factory resetting of devices to a universal password, such as admin/admin.
 
This means if you forget the password and don't have the original documentation with your unique password you can throw out the device because it is basically bricked.
It does not say that. I think you are reading into something that is not even implied.
 
Seems like a better solution might have been to allow default passwords but require them to be changed upon the first use of the device.
 
The plus side here is that our tech illiterate politicians will hopefully be locked out of their communications tools. There really are zero drawbacks to that aspect.
 
Set the default password to the MAC address. The MAC is already printed on a sticker on the bottom of most devices. Hackers will have 16.7M combinations to try (based on the first 3 MAC octets being a known vendor static value and the last 3 octets being unique per device).
With hardware-forced timeouts for wrong attempts, say 15 minutes after 3 failed attempts, to prevent brute-force attacks.
 
If someone asked me to help because they can't connect to their coffee maker, I'd block their phone number right after I hung up.

I really wouldn't mind a coffee maker I could command from Alexa or my phone. Setting timers works for work days but not weekends when I get up whenever lol.
 
For those saying to use a MAC, where on your cell phone do you want that sticker stuck? How long will it last? Or do you want to hope you can find that small card with the lightly printed ink the mfg included in the box 18 months after you bought the thing? I agree with those saying allow defaults after reset but lock the device down until the admin credentials are changed to something that passes basic account name + password standards. No changing to admin/12345 for the account/password combo.
 
Seems like a better solution might have been to allow default passwords but require them to be changed upon the first use of the device.

I believe the point is to stop the lowest common denominator from being a problem. The idea is to remove not only terrible default passwords like admin/admin or admin/12345 but also to eliminate a lot of the most commonly used passwords as well.
 
For most devices it wouldn’t be complicated to add BT functionality and add some sort of RSA key feature to the resetting of the defaults. Require physical access to the device to program it from a default state, allow the user to disable the RSA requirement after that one time use default has been changed.
 
I don't mind a hard reset for IoT things if it requires you to have it in your hand / physical access. If you are so important that someone wants to break into your house to reset your password / wifi name and everything else... well, you've got other problems to worry about.

Passwords on stickers? They do it for routers, so it's better than nothing. But the fact that a lot of people don't change it from default will always be a problem.
 
California already has a law on the books requiring that connected devices have a unique passkey.
In my past, to prepare for this, for a Bluetooth product we developed, the initial PIN was a custom hash function of the serial number of the product.
Worst comes to worst, if the customer lost the pairing PIN for the product they could call tech support to get it.
A bit of security by obscurity, but it was the only good way we came up with to allow a customer to use their expensive device when they inevitably lost the two copies of pairing codes that came with the device.
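The MAC-as-default idea from earlier in the thread (2^24 guesses once the vendor OUI is known, throttled by a 3-tries-then-15-minute lockout) and the serial-number-derived PIN described in the post above both reduce to the same two pieces: a per-device derivation and an online guessing throttle. The following is an added example written for this page, not code from any poster or product; it uses HMAC-SHA256 with a constructed vendor key in place of whatever custom hash the poster used (an assumption), and the serial numbers and PIN length are made up for illustration. It also works through the brute-force arithmetic for the MAC scheme under the proposed lockout.

```python
"""Added example: per-device default PIN derived from the serial number with a
manufacturer-held key, plus the lockout policy and brute-force arithmetic for a
MAC-derived default. Not the thread's or any vendor's actual code."""
import hashlib
import hmac

# Constructed vendor key, for illustration only. In a real product it would
# live in the manufacturer's provisioning system, never on the device itself.
VENDOR_KEY = b"example-vendor-provisioning-key"


def derive_default_pin(serial: str, vendor_key: bytes = VENDOR_KEY, digits: int = 8) -> str:
    """Keyed derivation of a per-device PIN from its serial number.

    HMAC rather than a bare hash: someone who reads the serial off the sticker
    cannot recompute the PIN without the vendor key, while support staff who
    hold the key can regenerate it for a customer who lost the card.
    """
    tag = hmac.new(vendor_key, serial.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


def mac_search_space(oui_known: bool = True) -> int:
    """Guesses needed to cover a MAC-derived default.

    The first three octets are the vendor OUI; once an attacker knows the
    vendor, only the last three octets (2^24 values) are unknown.
    """
    return 2**24 if oui_known else 2**48


def worst_case_seconds(space: int, attempts_per_window: int = 3, window_seconds: int = 900) -> int:
    """Wall-clock time to exhaust `space` guesses online when every
    `attempts_per_window` failures trigger a `window_seconds` lockout."""
    windows = -(-space // attempts_per_window)  # ceiling division
    return windows * window_seconds


class LockoutGuard:
    """Online guessing throttle: after `max_failures` consecutive wrong
    attempts, reject every attempt (even the right PIN) for `lock_seconds`.
    The clock is passed in so the behaviour can be tested without sleeping."""

    def __init__(self, expected_pin: str, max_failures: int = 3, lock_seconds: int = 900):
        self._expected = expected_pin.encode()
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0

    def check(self, candidate: str, now: float) -> bool:
        if now < self.locked_until:
            return False  # locked: the candidate is not even evaluated
        if hmac.compare_digest(candidate.encode(), self._expected):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lock_seconds
        return False


if __name__ == "__main__":
    serial = "SN-000123"  # constructed serial number
    print(f"default PIN for {serial}: {derive_default_pin(serial)}")
    secs = worst_case_seconds(mac_search_space())
    print(f"MAC-derived default, 3 tries per 15 min: {secs / 31557600:.0f} years to exhaust")
```

With the OUI known and the 3-per-15-minutes lockout, exhausting the 2^24 MAC space takes about 160 years of uninterrupted online guessing, so the lockout, not the password entropy, is what carries the scheme; the keyed derivation removes the dependence on the lockout entirely, since the sticker no longer reveals the secret.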
 
I really wouldn't mind a coffee maker I could command from Alexa or my phone. Setting timers works for work days but not weekends when I get up whenever lol.
I mean, you have to set it up with coffee grounds and a filter the night before anyway, so I'm not seeing the benefit there.
 
As opposed to just walking over to the coffee maker and fixing the coffee? Have we really devolved to that lazy of a species? Wall-E is starting to look more like a prophecy than a movie.
Sorry, meant to include this quote: "I really wouldnt mind a coffee maker i could command from alexa or my phone. Setting timers works for work days but not weekends when i get up whenever lol."
 
As opposed to just walking over to the coffee maker and fixing the coffee? Have we really devolved to that lazy of a species? Wall-E is starting to look more like a prophecy than a movie.
Sorry, meant to include this quote: "I really wouldnt mind a coffee maker i could command from alexa or my phone. Setting timers works for work days but not weekends when i get up whenever lol."

"Wouldn't mind" is different from "I'm completely unable to make [coffee without this feature]."

I wouldn't mind a more powerful car, but I am still happy and able to drive my car without that extra power. I wouldn't mind winning PowerBall, but I am still happy finding a dollar on the ground.
 
As opposed to just walking over to the coffee maker and fixing the coffee? Have we really devolved to that lazy of a species? Wall-E is starting to look more like a prophecy than a movie.
Sorry, meant to include this quote: "I really wouldnt mind a coffee maker i could command from alexa or my phone. Setting timers works for work days but not weekends when i get up whenever lol."

I still split my own wood for heating, so I am pretty far away from Wall-E. Just wanting to wake up to coffee. Ideally it would prepare itself too, but that might require a bit more work and might be a fun project.
 
As opposed to just walking over to the coffee maker and fixing the coffee? Have we really devolved to that lazy of a species? Wall-E is starting to look more like a prophecy than a movie.
Sorry, meant to include this quote: "I really wouldnt mind a coffee maker i could command from alexa or my phone. Setting timers works for work days but not weekends when i get up whenever lol."

The counterpoint would be they have the same tech in Star Trek and they seem relatively healthy.
 
The flip side to this is that by NOT doing this, you inevitably create massive bot nets around compromised IoT devices.

The simple solution is to stick / etch the unique password onto the device itself.

This.

I support this.

Furthermore, I'd like to ban any claim of encryption where the encryption key resides on any central server or service.

Encryption keys should need to be manually installed on each and every device that needs them. Inconvenient, yes, but it's the only way you can be sure there is no man-in-the-middle.
 
The counterpoint would be they have the same tech in Star Trek and they seem relatively healthy.

Yeah, self-brewing coffee really doesn't take much cardio out of one's day.

I guess the people who don't roast and hand grind their own beans sure have become fat and lazy buying preground roasted coffee.
 
My voice is my passport, verify me.

 

That's just rude.

My blood sample, fingerprint and retina scan are my passport....
 
It does not say that. I think you are reading into something that is not even implied.

It's there in the direct quote:

all the passwords pre-programmed in internet-connected devices must be unique and not resettable to any universal factory setting.
It doesn't say you can't reset to the original password, but chances are that if you don't know your own password you won't know the original unique password either, unless you kept it documented somewhere.
 
It doesn't say you can't reset to the original password, but chances are that if you don't know your own password you won't know the original unique password either, unless you kept it documented somewhere.

Laser etching it into the back of the device in a hidden place seems like the way to go. That way if you lose the password, you have lost the device anyway, so...
 