1. National Institute of Standards and Technology (NIST). (2021). IoT Device Cybersecurity Guidance for the Federal Government. NIST Special Publication 800-213A. In Section 3.2.1, "Device Configuration," the guidance states, "Organizations should establish and implement a process for configuring IoT devices to a standardized, secure baseline before they are deployed." A factory reset is the primary method to return a device to its original baseline state, from which secure configurations can be applied. (DOI: https://doi.org/10.6028/NIST.SP.800-213A)
2. European Union Agency for Cybersecurity (ENISA). (2020). Guidelines on Securing the IoT - Secure Software Development Lifecycle. In Section 5.3, "Secure deployment and maintenance," the document emphasizes the need for a secure initial state. It states, "The device should be in a secure state when delivered to the customer... This includes having a procedure to reset the device to a secure state (e.g. factory reset)." This highlights the factory reset as a core mechanism for ensuring a secure starting point. (Reference: Page 29, Section 5.3)
3. Carnegie Mellon University, Software Engineering Institute. (2019). SEI-CMU IoT Security and Privacy Checklist. The checklist for "Device Integrator/Operator" includes the step: "Change all default passwords and configuration settings on the device." To ensure all settings are known and secure, starting from a factory default state is the most reliable method before applying new, secure configurations. (Reference: "Device Integrator/Operator Checklist," Item 1)