Default is a FAULT – Founding Document – Draft version 0.1

Default is a FAULT – Founding Document

Version: 0.1 (Draft)
Date: 4 September 2017


This project is at its starting point. We want to learn from the public how it can be done better, so please share your thoughts with us in any way you can: via the “Contact Us” form on our web site or by email to info@defaultisafault.com.
Thank you!

  • Project name
    • Default is a FAULT
      • DIAF for short
    • The name expresses the project’s vision: that default passwords are a stupid and bad thing for information security.
      (It also has a broader meaning: one should always question the default configuration of the digital hardware and software one owns, and change the configuration’s values where a more secure setting is available.)
  • Vision
    • Eliminate the use of default passwords.
  • Mission
    • Eliminate the concept of default passwords, especially in hardware-based products, thereby encouraging vendors and product owners to use unique passwords, in order to minimize the risk of the hardware being breached.
  • The need
    • Imagine you are interested in buying a front door for your home. At the first vendor’s store, the salesman tells you that the key to the specific door you will receive is the same key that fits every door this vendor sells, and that anyone in the world can easily find and use this key, so anyone in the world can open your front door.
      Yes, the key pattern can be changed, free of charge, but it is not easily changed by non-technical customers.
      Will you buy a door from this vendor? Or will you reject the vendor as not serious about security and move on to find a more security-conscious one? I believe the answer is clear…
    • The door story above is simply a metaphor for what happens today with almost all computerized hardware products, especially networking devices such as home routers and Wi-Fi access points. For these the risk is multiplied many times over, because they are connected to the Internet while acting as the digital “door” to your home network, so their default passwords raise the risk of someone breaking into your network
    • In almost all cases the default user name and password grant whoever uses them the highest possible permissions, full control, over the device in question: an account known as “Administrator” (“Admin” for short) or “root”, which can do anything that can be done to and by the device, including the most destructive actions
    • In addition, information about these default passwords is easily accessible to anyone on the Internet. Here are some sites that hold and index many default passwords, for many vendors and many models:
      • http://www.defaultpassword.com
      • https://cirt.net/passwords
      • Also, try searching the Internet for the model of your own home Internet connection device plus the term “default password”, and see how easily you find this data, which means anyone on the Internet can find it too
    • Next, some examples of how many devices are accessible from the Internet and can be logged into:
      • We will use a web site called censys.io, which scans the Internet for networked devices and indexes the results
        • For example, Cisco is a well-known networking device vendor. Let’s search for devices marked as being from Cisco plus the word “Wi-Fi”, on the assumption that we will find Cisco devices with wireless Wi-Fi capabilities
          • The following link uses the search
            manufacturer: cisco AND (wifi OR wi-fi) AND protocols: (“80/HTTP” OR “443/HTTPS”)
            https://censys.io/ipv4?q=metadata.manufacturer%3A+cisco+AND+%28wifi+OR+wi-fi%29+AND+protocols%3A+%28%2280%2FHTTP%22+OR+%22443%2FHTTPS%22%29
          • Another search is for HP (Hewlett-Packard) devices:
            manufacturer: Hewlett-Packard AND protocols: (“80/HTTP” OR “443/HTTPS”)
            https://censys.io/ipv4?q=metadata.manufacturer%3A+Hewlett-Packard+AND+protocols%3A+%28%2280%2FHTTP%22+OR+%22443%2FHTTPS%22%29
            (Here you will probably find many printers)
          • Once the results have loaded, click on any result, and on the next page click the “Go” button next to the “80/HTTP” or “443/HTTPS” section value, which will take you to the device in question.
            Often the result will be either a simple pop-up window asking for the device’s user name and password, or a “log in” link somewhere on the web page; both lead to the device’s administration interface
          • DO NOT SUPPLY ANY DATA AND DO NOT ATTEMPT A LOGIN – IT WILL MOST LIKELY BE CONSIDERED A CRIME, AN ATTEMPT AT UNAUTHORIZED ACCESS. SIMPLY CLOSE THE BROWSER’S TAB
          • As you can see, combining these simple steps (finding accessible devices and finding their default user name and password) can turn anyone into a malicious hacker able to access unprotected devices anywhere in the world, quickly and easily
        • We don’t claim that eliminating default passwords will prevent every way of hacking a device, but it will certainly prevent the easy breaching of devices owned by non-technical users of many products.
  • Target audience
    • Vendors
      • Vendors are the primary target audience of this project, as they are the source of the default password embedded in the hardware they manufacture
      • Vendors will be encouraged to stop using a default password for their products and instead use a different, unique and random password for each individual unit they manufacture (e.g. one per serial number)
    • Customers
      • Customers influence vendors, as they decide which products to buy, and they are the ones affected by the products’ default security level, which puts many of them, mostly non-experts, at risk of being hacked because of default passwords
      • Customers who prefer to buy products that are more secure because they do not use default passwords will steer vendors toward doing the right thing, which is to eliminate the use of default passwords
    • Governments and regulation bodies
      • These entities also have great influence over vendors and can force them to ensure that their products demonstrate a minimal level of information security, such as not using default passwords, in the same way that, for example, car vendors must comply with many safety regulations and standards
      • Governments and regulatory bodies will be encouraged to establish, preferably by country/state/federal law, that it is illegal to sell digital products whose authentication mechanism uses default passwords.
  • Principles
    • This project is based on good will, a positive attitude and plenty of supporting information to drive the change
    • Vendors
      • The project will maintain a public index of as many relevant vendors as possible, starting with the most popular ones, and of how many of the products they sell use or do not use default passwords
      • Each vendor will receive a grade representing how well it complies with eliminating default passwords
      • The data for calculating the grade will come from official, digitally signed declarations by the vendors themselves, based on forms created by this project
      • This project does not have the resources to verify the credibility of these reports; they will be published to all on the project’s web site. We are certain that the vendors’ customers and competitors will be the ones to verify these declarations and inform this project of any mismatches, which will be discussed with the vendor in question and possibly published on this web site
      • How are vendors expected to replace default passwords? For example, during manufacturing they will set for each individual device a unique, long and complex “admin” password at the software/firmware level, and also engrave the password on the outside of the hardware or attach a sticker with the password to the device using strong glue (we believe engraving is the more lasting option)
    • Customers
      • Customers will be thoroughly informed of the risk of default passwords and encouraged to choose products that vendors have declared as not using a default password
    • Governments and regulation bodies
      • These entities will be thoroughly informed of the risk of default passwords to their citizens and encouraged to legislate relevant laws that officially prohibit the sale of products with a low level of information security, thereby preventing the sale of products with default passwords.
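As an added example of the per-device provisioning described under Principles (this is not the project’s own code, nor any vendor’s real process), the following Python sketches what a manufacturing line would do for each unit: draw a random password from a CSPRNG, send it to the label printer or engraver, and store only a salted scrypt verifier in the unit’s firmware configuration. The record layout, the serial numbers and the function names are assumptions. For contrast it also shows the deterministic pattern that should be avoided: a password derived from the serial number and a vendor secret baked into the firmware is not unique in any useful sense, because once that secret is extracted from a single unit every other unit’s password can be computed from the identifier printed on its case.

```python
"""Per-device admin credential provisioning (added example, not DIAF or vendor code)."""
import hashlib
import hmac
import os
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/l/I), so the
# password can be engraved or printed on a label and typed back reliably.
# 56 symbols: 16 characters give about 93 bits of entropy.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"


def generate_device_password(length: int = 16) -> str:
    """One fresh random password per unit, from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def make_verifier(password: str) -> dict:
    """What the firmware stores instead of the password: a salt plus an scrypt hash.
    Parameters (n=2^14, r=8, p=1) are a modest, commonly used cost setting."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"kdf": "scrypt", "n": 2**14, "r": 8, "p": 1,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(verifier: dict, attempt: str) -> bool:
    """Firmware-side login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(attempt.encode(), salt=bytes.fromhex(verifier["salt"]),
                            n=verifier["n"], r=verifier["r"], p=verifier["p"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(verifier["hash"]))


def provision_device(serial: str) -> dict:
    """Assumed per-unit provisioning record (hypothetical layout).
    The clear-text password goes to the label printer; only the verifier goes
    into the unit's firmware config."""
    password = generate_device_password()
    return {
        "serial": serial,
        "label_text": f"S/N {serial}  admin password: {password}",
        "firmware_config": {"admin": make_verifier(password)},
        "password": password,  # returned only so the caller can print the label
    }


def weak_derived_password(serial: str, vendor_secret: bytes) -> str:
    """Anti-pattern, shown for contrast: deterministic derivation from a visible
    identifier. Same serial + same embedded secret => same password on every run,
    so leaking the secret from one firmware image exposes every unit."""
    return hashlib.sha256(vendor_secret + serial.encode()).hexdigest()[:16]


if __name__ == "__main__":
    unit = provision_device("SN-000001")          # constructed sample serial
    print(unit["label_text"])
    print("login ok:", verify_password(unit["firmware_config"]["admin"], unit["password"]))
    print("login with wrong password:",
          verify_password(unit["firmware_config"]["admin"], unit["password"] + "x"))
```

The split between label and verifier is the point: the owner reads the password off the chassis, while an attacker who dumps the firmware gets only the salted hash and has to brute-force roughly 93 bits. A per-unit random password also means that one unit’s credential says nothing about any other unit’s, which is exactly the property the derived-from-serial scheme lacks.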
  • Resources
    • This project is based purely on the volunteer work of its operators
    • Contributors will not be paid with money, money equivalents or any other benefits.
      However, they will of course be allowed and encouraged to publicly mention their contribution to this project as their contribution to the community
    • Contributions, whether of money, services or products, will be considered based on the needs of the project and the identity of the donor
      • Contributions from vendors affected by this project are strictly prohibited
      • Every contribution will be presented publicly on the project’s site, including the financial amount (or the nature of the other benefit) and the name of the donor.
  • Who are we
    • The founder of this project is Eitan Caspi, from Israel (LinkedIn, private Hebrew blogs, English Information Security blog)
    • Currently I, Eitan, am the only member of this project… I will be very happy if others join the ride, if they agree with the project’s goal and path, as detailed above, and are willing to contribute some of their time and skills to promote this project

If you are willing to help, please use either the “Contact Us” form or send an email to volunteers@defaultisafault.com and state who you are, how you can contribute to the project and how much time you can dedicate to it (e.g. “two hours a week”). Thank you!

Again: this project is at its starting point. We want to learn from the public how it can be done better, so please share your thoughts with us in any way you can: in the comments below, via the “Contact Us” form on our web site or by email to info@defaultisafault.com.

Thank you!