The Cybersecurity and Infrastructure Security Agency (CISA) in the US has recently published two new advisories directed at manufacturers of technology products, urging them to move away from shipping products with static default passwords.
This follows recent attacks against critical national infrastructure in the US, in which Programmable Logic Controllers (PLCs) were sabotaged by Iranian cybercriminals, impacting water facilities within the country.
“Recent intrusions targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords,” - CISA
These default passwords are common knowledge on online hacking forums, and criminals can easily find them with some quick reconnaissance on the type of PLC a company uses.
To counter this, CISA has suggested that manufacturers make two key changes. The first is that default passwords should be valid only during setup: once setup is complete, the default password is changed and two-step verification is set up.
The second is that the manufacturing of these products should consider security by design throughout the process: consider how the products are actually used and adjust based on customer feedback.
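As an added illustration of the first change (not CISA's or any vendor's code), the following constructed example models a device credential store that honours a factory default only until first-time setup completes, then retires it in favour of an operator-chosen password plus a TOTP second factor. The default value, the minimum length and the TOTP parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: the factory default stands in for the four-digit
# default the advisory describes. It is only honoured before setup completes.
FACTORY_DEFAULT = b"1234"
MIN_PASSWORD_LEN = 12   # assumed policy value
TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)

def totp_code(secret, now, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; 'now' is a Unix timestamp in seconds."""
    counter = (now // TOTP_STEP).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class DeviceCredentials:
    def __init__(self):
        self.setup_complete = False
        self._salt = self._hash = self._totp_secret = None

    @staticmethod
    def _derive(password, salt):
        # Salted, iterated hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)

    def complete_setup(self, new_password, totp_secret):
        """Retire the default: store a salted hash of the new password and enrol a second factor."""
        if self.setup_complete:
            raise RuntimeError("setup already completed")
        if new_password == FACTORY_DEFAULT or len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password must differ from the default and be at least 12 bytes")
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new_password, self._salt)
        self._totp_secret = totp_secret
        self.setup_complete = True

    def authenticate(self, password, otp=None, now=0):
        """Before setup only the default works; after setup the default is dead and a TOTP is required."""
        if not self.setup_complete:
            return hmac.compare_digest(password, FACTORY_DEFAULT)
        if otp is None or not hmac.compare_digest(otp, totp_code(self._totp_secret, now)):
            return False
        return hmac.compare_digest(self._derive(password, self._salt), self._hash)
```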
Source: Technology Manufacturers Urged to Eliminate Passwords - Infosecurity Magazine (infosecurity-magazine.com)