MWareman Posted October 6, 2018
Sounds like this is going to have to go away very soon! A new California Law makes it illegal to have a default password on any device that is either directly or indirectly connected to the Internet. This would seem to include the ISY. Best alternative, when you first connect to a device a credential wizard should run to walk the user thru setting a username and password.
California Bans Default Passwords on Any Internet-Connected Device - Slashdot https://it.slashdot.org/story/18/10/05/1814242/california-bans-default-passwords-on-any-internet-connected-device
Brian H Posted October 6, 2018
Thanks for the information. I sure like how our politicians think they can run my life better than myself. Guess there are going to be many internet devices like smart TVs and folks who have no knowledge of how these things work having BIG issues.
mwester Posted October 6, 2018
Yes, we need to fix IoT security. But this law? This is only going to solve a very small part of the overall problem, whilst creating a nightmare for the average consumer, and ultimately it's going to poison the well, so-to-speak, for future attempts to solve the bigger picture. Politicians are neither security experts, nor are they engineers. This is going to be a lot like the CFL bulb debacle, I fear.
Edited to add URL: https://blog.erratasec.com/2018/09/californias-bad-iot-law.html
MWareman Posted October 6, 2018
I do generally agree with the problems of over legislation. However, default passwords are very bad. Almost all IoT botnet type malware is possible because of default passwords. That being said - people pick really bad passwords. There must be a better way! Not sure what it is for this type of device though.
I’ll bet that there are *plenty* of us that still have admin/admin as the ISY credential (maybe because we have Portal and the ISY is not port-forwarded so we don’t think it’s a risk) and are mostly unaware that an entire class of attacks is still possible simply because of that default credential. You do not need to port forward your ISY to be vulnerable with a default credential.
Michel Kohanim Posted October 7, 2018
Hi MWareman,
Thanks so very much for the information.
With kind regards,
Michel
This topic is now archived and is closed to further replies.