No Default Passwords

One of the big problems with IoT devices is default passwords – here’s the list coded into the malware that attacked Brian Krebs. But without a default password, you have to make each device unique and then give the randomly-generated password to the user, perhaps by putting it on a sticky label. Again, my IoT vision post suggests a better solution. If the device’s public key and a password are in an RFID tag on it, and you just swipe that over your hub, the hub can find and connect securely to the device over SSL, and then authenticate itself to the device (using the password) as the user’s real hub, with zero configuration on the part of the user. And all of this works without the need for any UI or printed label which needs to be localized. Better usability, better security, better for the internet.
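The pairing flow described above, as an added example that is not code from the original post or from the author's vision doc: the factory step makes a keypair, a self-signed certificate and a random password; the "RFID tag" carries a SHA-256 pin of the certificate's public key plus that password; the hub connects over TLS, accepts only the pinned key (no certificate authority is involved), and only then sends the password so the device can check that it is talking to the user's real hub. Everything here is constructed for illustration and assumes Go's standard library (`crypto/tls`, `crypto/x509`) with an in-memory `net.Pipe` standing in for the network link; the `Tag` type and the `makeDeviceIdentity`, `checkPin` and `pair` functions are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Tag models the RFID sticker: SHA-256 of the device certificate's SubjectPublicKeyInfo plus its random password.
type Tag struct {
	Fingerprint [32]byte
	Password    string
}

// must panics on error; used only for factory-side steps, where failure is fatal anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeDeviceIdentity is the factory step: fresh P-256 key, self-signed cert (no CA), 128-bit password.
func makeDeviceIdentity() (tls.Certificate, Tag) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	spki := must(x509.ParseCertificate(der)).RawSubjectPublicKeyInfo // exactly the bytes the hub will see
	pw := make([]byte, 16)
	must(rand.Read(pw))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key},
		Tag{Fingerprint: sha256.Sum256(spki), Password: fmt.Sprintf("%x", pw)}
}

// checkPin replaces CA validation on the hub: accept exactly the key named on the tag.
func checkPin(rawCerts [][]byte, want [32]byte) error {
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err == nil && sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != want {
		err = fmt.Errorf("device key does not match the key pinned on the tag")
	}
	return err
}

// pair runs one pairing over an in-memory pipe: the device holds its certificate and password, the hub
// holds whatever it scanned. Returns the device's verdict ("OK"/"DENIED"), or an error if the hub refused.
func pair(deviceCert tls.Certificate, devicePassword string, scanned Tag) (string, error) {
	hubSide, devSide := net.Pipe()
	for _, end := range []net.Conn{hubSide, devSide} { // a deadline turns any pipe stall into an error
		end.SetDeadline(time.Now().Add(5 * time.Second))
	}
	go func() { // the device side
		defer devSide.Close()
		srv := tls.Server(devSide, &tls.Config{Certificates: []tls.Certificate{deviceCert},
			MaxVersion: tls.VersionTLS12}) // TLS 1.3 session tickets would deadlock the synchronous pipe
		buf := make([]byte, 64)
		n, err := srv.Read(buf) // Read runs the handshake first; a hub that fails the pin never gets here
		// Constant-time comparison: the hub proving to the device that it is the user's hub.
		if err == nil && subtle.ConstantTimeCompare(buf[:n], []byte(devicePassword)) == 1 {
			srv.Write([]byte("OK"))
		} else if err == nil {
			srv.Write([]byte("DENIED"))
		}
	}()
	// The hub side: CA validation is off and the pinned key is the only trust anchor.
	cli := tls.Client(hubSide, &tls.Config{
		InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return checkPin(rawCerts, scanned.Fingerprint)
		},
	})
	defer cli.Close()
	// Write performs the handshake first, so a pin mismatch fails here and no password byte is sent.
	if _, err := cli.Write([]byte(scanned.Password)); err != nil {
		return "", err
	}
	buf := make([]byte, 16)
	n, err := cli.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	cert, tag := makeDeviceIdentity()
	fmt.Println(pair(cert, tag.Password, tag))                                                   // OK <nil>
	fmt.Println(pair(cert, tag.Password, Tag{Fingerprint: tag.Fingerprint, Password: "wrong"})) // DENIED <nil>
	rogue, _ := makeDeviceIdentity()
	fmt.Println(pair(rogue, tag.Password, tag)) // empty verdict plus the pin-mismatch error
}
```

The three calls in `main` are the three cases that matter: the genuine hub is accepted; a hub that reached the device without the tag's password is refused by the device; and a device that is not the one named on the tag never receives the password at all, because the pin check fails inside the TLS handshake. `InsecureSkipVerify` only switches off CA-chain validation, which has nothing to anchor to for a self-signed device certificate; the `VerifyPeerCertificate` callback is where trust is actually established, so it must never be left out when that flag is set. `MaxVersion` is pinned to TLS 1.2 purely because `net.Pipe` is unbuffered; over a real socket the same code runs under TLS 1.3.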

6 thoughts on “No Default Passwords”

  1. A good solution for people who care about security, but the majority want it to “just work”. They’ll lose their RFID cards and then what?

    The random password on a sticker protects against random attacks (e.g. malware) while also being reasonably convenient for the user.

    • The RFID tag is in a sticker attached to the device – nothing to lose. It’s like the password sticker but contains a public key for immediate secure channel establishment and a password for 2-way auth. It’s strictly better than the password-on-sticker approach.

  2. You’re adding BOM cost and provisioning.
    Also not sure how your SSL setup works. Where/when is the certificate created? By which authority?

    • You don’t need an external certificate authority – the cert can be self-signed. As long as the hub knows what public key it’s expecting, that’s fine. So there’s no extra provisioning cost beyond a few CPU cycles in the factory.

      I agree adding an RFID tag adds BOM cost, but it must only be a few cents, and you save money elsewhere on e.g. l10n, and building a custom UI for the device. (See the whole vision doc.)

  3. Also, about “the hub can find and connect securely to the device over SSL”. One of the challenges with IoT devices is to pair them with the local wifi network in the first place. If you don’t address that, you don’t have much.

    • Well, not all IoT devices use wifi – some use e.g. Z-Wave or Zigbee. Surely they have better solutions for this problem? And if it is wifi, there’s that one-button WPS thing. WPS also has an RFID mode as well as a wifi mode, so perhaps the RFID channel when you swipe could be two-way. You’d have to put batteries in the device first, but that’s not a major user hurdle.