Recently, the Cybersecurity and Infrastructure Security Agency (CISA) has requested technology device manufacturers to take measures to eliminate default passwords due to the threats posed by IRGC actors.

This step has been taken to ensure the security of tech devices and prevent unauthorized access by malicious actors.

The use of default passwords makes it easier for hackers to gain access to devices and exploit them for nefarious purposes.

It’s important to be aware that malicious cyber actors often use default passwords (such as “1234”, “default,” or “password”) to gain initial access and move laterally within businesses. This is especially true for systems that are exposed to the internet.

It’s crucial to implement strong and unique passwords to protect your systems and sensitive data from unauthorized access.

It has been reported that the critical infrastructure of the United States was recently targeted by threat actors who were successful in their attempts to exploit it.

The attackers were able to gain access to the infrastructure by exploiting static default passwords, which were found to be malfunctioning.

This incident highlights the importance of maintaining strong security measures and regularly updating passwords to prevent unauthorized access to critical infrastructure systems.

Based on recent and continuing threat activity, CISA is issuing this alert to require all technology manufacturers to remove default passwords from all product designs, releases, and updates.

Evidence has been mounting for years, showing that it is insufficient to rely on thousands of consumers to change their passwords.

Instead, serious action by technology manufacturers is the only way to effectively address the serious threats that critical infrastructure organizations confront. 

Notably, It is unacceptable to utilize default passwords that are generally known in the present threat environment.

Additionally, the hackers targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords.

The default password was easily accessed by actors with IRGC (Iranian Government’s Islamic Revolutionary Guard Corp) ties, giving them access to vital services that are provided to communities all around the nation.

The recent security breach has highlighted some important lessons for the Cybersecurity and Infrastructure Security Agency (CISA).

Despite the attack, the agency is determined to learn from these compromises and implement more robust security measures to prevent future incidents.

 Take Ownership of Customer Security Outcomes

In this principle, attention is given to the key security areas that manufacturers should protect, such as public safety and health. It includes:

• Provide instance-unique setup passwords with the product.
• Establish time-limited setup passwords that require activation of more secure authentication methods, including phishing-resistant MFA, and disable themselves after the setup process.
• The purpose of the initial setup and the specification of instance-unique credentials require physical access.

Build Organizational Structure and Leadership

Product and public safety concerns are fundamentally at the core of cybersecurity issues; thus, manufacturers should make sure that business units in charge of product and service design, development, and delivery understand this.

Manufacturers should ensure that design and development teams engineer products with built-in security and safety by default.