3 comments

  • josephcsible 9 days ago
    If you forget your password to an IoT device, and the paper label on it wore off, is it now mandatory for it to be permanently bricked and instant e-waste?
    • Not necessarily; you could have a bootstrap operation where pressing a reset button allows you to pass a public key to the device, which it will use to send back an encrypted new random username/password combo, which you could then log in with.

      A lot more convoluted, but you could make a nice CompanyNameDeviceSetup app, which could handle the minutiae.
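
The reset flow sketched in the comment above, as an added example that is not part of the original thread or any vendor's code: the device side and the setup-app side are modelled as functions in one Node.js process. All function names, the choice of RSA-OAEP, and storing only a scrypt hash on the device are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical device state: only a salted scrypt hash of the password is kept.
const device = { username: null, salt: null, pwHash: null };

// Device side: accepts a public key only while the physical reset button is pressed.
function deviceHandleReset(buttonPressed, publicKeyPem) {
  if (!buttonPressed) throw new Error('reset requires physical button press');
  const pub = crypto.createPublicKey(publicKeyPem);
  // Refuse non-RSA or short keys so the reply is not protected by a weak key.
  if (pub.asymmetricKeyType !== 'rsa' || pub.asymmetricKeyDetails.modulusLength < 2048) {
    throw new Error('public key rejected');
  }
  const creds = {
    username: 'user-' + crypto.randomBytes(4).toString('hex'),
    password: crypto.randomBytes(18).toString('base64url'),
  };
  device.username = creds.username;
  device.salt = crypto.randomBytes(16);
  device.pwHash = crypto.scryptSync(creds.password, device.salt, 32);
  // RSA-OAEP with SHA-256: only the holder of the private key can read the reply.
  return crypto.publicEncrypt(
    { key: pub, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    Buffer.from(JSON.stringify(creds)));
}

// Device side: constant-time comparison of the password hash at login.
function deviceLogin(username, password) {
  if (!device.pwHash || username !== device.username) return false;
  const candidate = crypto.scryptSync(password, device.salt, 32);
  return crypto.timingSafeEqual(candidate, device.pwHash);
}

// Setup-app side: fresh key pair per reset; the private key never leaves the app.
function appResetCredentials(buttonPressed) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const reply = deviceHandleReset(buttonPressed, pem);
  const plain = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    reply);
  return JSON.parse(plain.toString('utf8'));
}
```

The encryption keeps the new credentials from a passive listener on the local link. The button press is what ties the reset to physical possession, since the device accepts any well-formed key.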

      • nickff 9 days ago
        I think that any device which has this problem is basically bricked, from the average user's point of view. Most IoT gear just isn't worth the effort to try to fix.

        The only (partial) solution I can imagine is someone creating open-source software for resetting the password to a non-standard setting, then evangelizing the standard. There are a few issues with this, and it would require adding some standard interface (USB or other) to every such device.

    • version_five 9 days ago
      This will end up just being really annoying and accomplish nothing, like most corporate password policies. It would be nice to see a focus on actually solving the problem, instead of the usual liability transfer. Best case scenario, the password is written on a sticker on the device. This is the norm where I live. I would love to see incentives for actual user-friendly security enhancements.
      • timthorn 9 days ago
        > Best case scenario, the password is written on a sticker on the device.

        Yes, this is expected. The point is to prevent a population of devices being sold with admin/admin pre-programmed.

        • PeterisP 9 days ago
          Credential being stored on a sticker on the device does help against the device being remotely enrolled in a DDoS/spam botnet.
          • partomniscient 9 days ago
            The sticker (while cost effective) is still problematic.

            Having the manufacturer make it a permanent part of the device using something like engraving makes it more robust and harder to subvert. Unfortunately, as a side effect, it increases cost per unit.

            The sticker's not that bad, but it depends on the device's usage scenario.

        • justinludwig 9 days ago
          This is a nice start at standardizing basic IoT device security; other highlights:

          - manufacturers must tell customers up front about the lifespan of security patches and updates
          - manufacturers must provide a public point of contact for vulnerability disclosure

          • nickff 9 days ago
            I have to imagine that every company will say that there is no plan to offer security patches and updates, for liability reasons, and that very few users will care. I personally think that botnets of IoT devices are terrible, and wish that I had a useful suggestion for getting rid of them, but it's tough to combat end-user apathy.