Thinking Security: Usercodes, Passwords, and Certificates – Oh, My!
Author(s): Michael Kain, Posted on January 8th, 2016
This is the 11th blog in a series about security and how security is about how you think.
I’m finally getting around to reading the manual that came with my new Internet-connected toaster. I didn’t know it comes with a maintenance web server installed. It’s used for local configuration, updates, and customization of my “internet dashboard” for the toaster. That dashboard was one of the reasons that I bought the toaster – you can go to any internet-connected device and see details about every piece of toast and bagel that you’ve made and get lots of pretty graphs.
Hmm, but looking at how they implemented some of these features really surprises me. The toaster has default credentials when you get the toaster out of the box – you enter “admin” as the user code and “creamcheese” as the password. I found this in the documentation – so every toaster out of their factory comes with the same credentials. What I also found is that remote administration of the toaster is enabled by default (so that you can control your toaster from any device). Wow – this surprises me – that means that if I don’t do anything, anyone who could connect to my device could control my toast and see what types of toast I’ve made.
Back in the fine print of the toaster manual, it does tell me that I should change the name of the default usercode from “admin” (only as of release 2.0, so that leads me to believe that someone brought up the fact that you couldn’t change it earlier), and change the password to something more complicated. I don’t know what people do who don’t read the manual – how would you know this otherwise? It would have been more secure if I had been alerted to this item when I pulled the toaster out of the box.
Another item from the toaster manual which surprised me is that my toaster’s Internet account comes preconfigured on the toaster. The usercode for their website was the serial number of the appliance and the password is the model number. That strikes me as really a security problem – so someone could guess the serial number of my toaster and the model number. Once they bought one toaster, they could figure out the serial number pattern and probably control all of the toasters of the world.
I also noticed that my connection to the maintenance web server of my toaster was secured by SSL (which is a good thing), but that it was using a self-signed certificate. SSL (which is now called TLS which stands for Transport Layer Security) is a great thing in general – but do I really need to secure data across my local home network? The self-signed certificate is also worrisome, since it’s like trusting someone who makes their own driver’s license – it’s not really that strong.
Now, I’m being overly paranoid here – it’s just a toaster, right? The data that the toaster has isn’t really mission-critical – but as we increase the value of the access and the data – we have to become more proactive with securing the credentials of the environment. So, as we go to my home router – the credentials, how I secure the data, even the SSID (wireless network name) is very important. Would you connect to a WIFI hotspot with the name “Linksys”? I wouldn’t. It shows that the person managing that hotspot isn’t doing much in the area of security. I’d also be worried that they wouldn’t be up to date on the latest firmware updates, etc.
As we deal with mission-critical systems, the default credentials are even more important to change and we are usually guided to change them on installation. It’s a trade-off – we have to manufacture systems with common access so that clients can get in easily once they receive them – but then we have to guide the client to customize the security of their systems instantly, if not force them to do so when installing them into their environment. Change the administrative usercodes away from standard “admin” or “administrator” usernames, change the passwords to strong passwords, and change self-signed certificates to certificates which are issued by real Certificate Authorities. This allows our clients to secure their environments.
Again, this process of understanding about the usercodes, passwords, and certificates that I have in use on any device comes down to how I think about security. The default set up out of the factory is good (it prompts me for a usercode and password that I have to have the manual to figure out), but it’s the same for every toaster in the world. The internet account is very guessable – somewhat secure (I need to be looking at the bottom of the toaster to find it), but if I know how the serial numbers and model numbers are done – I can try over and over until I get one that works (a brute force attack). SSL/TLS is on by default, but a self-signed certificate isn’t as good as a real certificate.
This security process and thinking is two-fold: the process that the vendor goes through to establish a good security baseline, and the process that the user (our clients) are guided through (or forced through) to customize the device once it is installed. This “hardening” process has to give the client all of the information that they need to *THINK* security in their environment. This overall process can be taken to any device, no matter if it’s an iPhone, internet-connected toaster, or mission-critical server.