After Iranian-linked hackers last month went on a crude hacking spree that impacted water facilities, in part by using default passwords, the Cybersecurity and Infrastructure Security Agency is now urging vendors to get rid of default passwords altogether.
Citing “years of evidence,” the agency said on Friday that manufacturers need to “take ownership of customer security outcomes” by not passing the buck to customers.
“Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure,” the agency said.
While the latest impetus for this warning was the hacking binge that targeted the Israeli technology manufacturer Unitronics, which resulted in hits on multiple U.S. water facilities, warnings about default passwords on internet-facing devices have gone on for years. The hacking spree made headlines in part because Unitronics devices shipped with the default password “1111.” That information was widely available and known on hacking forums, CISA said.
That wave and other “recent intrusions” highlight “the significant potential for real-world harm caused by manufacturers distributing products with static default passwords,” the agency said.
Friday’s release is a part of a broader call by the agency for software manufacturers to stop pushing the burden of security practices onto their customers, and instead consider cybersecurity as a product and safety issue.
The call to action comes shortly after CISA, the National Security Agency and the Office of the Director of National Intelligence released additional secure-by-design guidance for open source software development. The release is a product of the Enduring Security Framework’s Software Supply Chain Working Group, which is made up of NSA, ODNI and CISA. The guidance is part of a larger effort to secure the software supply chain that stems from an executive order on improving U.S. cybersecurity.
“Software incorporated and/or utilized through open source may have embedded issues. It is imperative that we pay close attention to how these modules are bundled with the software at release,” the release said.
The guidance focuses on recommended practices for adopting and managing open source software, as well as tracking the use of such code through a software bill of materials (SBOM). It covers considerations such as how to select open source software, risk assessments, export control, maintenance, vulnerability response and SBOMs.
Aeva Black, the open source software security lead at CISA, said in a statement that “organizations that do not follow a consistent and secure-by-design management practice for the open source software they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident.”