Internet-connected devices in your home or office will be vulnerable to botnets and other attacks, if you don’t change the original login credentials.
The number of internet-connected devices has risen as the IoT has become a greater presence in homes and workplaces. However, in the rush to get involved in the trend, some device manufacturers have released products with poor security, which in turn have been breached for malicious purposes including espionage and DDoS attacks.
Arguably it was the rise of the Mirai botnet — which was comprised of IoT devices such as routers and security cameras — that finally brought this security threat to public attention. The botnet was involved in a series of DDoS attacks that knocked some of the biggest internet services offline, including Netflix, the PlayStation Network, and Twitter.
Embarrassingly bad security
Now cybersecurity researchers at Symantec have revealed the most common passwords used on IoT devices are often weak, and thus susceptible to hackers. Researchers set up an IoT honeypot — which appears on searches as an open router — to observe attacks against IoT devices. The most common passwords used by attackers to gain brute-force access show that many systems lack even rudimentary security.
The top ten passwords used to access the honeypot are detailed in Syamtec’s Internet Security Threat Report for 2017. The most common is simply ‘admin’, accounting for 36.5 percent of all logins, while ‘root’ is used for a further 16 percent.
Next, ‘1234’, ‘12345’, and ‘123456’ account for about a quarter of attacks on the honeypot, while ‘password’ also ranks amongst the most commonly used passwords to access devices.
The default password for the Ubiquiti brand of routers, ‘ubnt’ features in the top ten, likely because routers were targeted following the revelation that an old vulnerability hadn’t been patched.
Other weak passwords used to breach IoT devices include ‘test’, ‘admin123’, and ‘abc123’.
Why do so many devices have such poor passwords?
First, users might not have any idea how to change them, Symantec suggests. And second, vendors are hard-coding usernames and passwords into devices without giving users the ability to change them.
“There are so many devices with poor security of default credentials, it just makes it so easy to launch massive scanning efforts and automatically add vulnerable devices to your botnet and use that as DDoS service for hire,” Symantec researcher Dick O’Brien told ZDNet.
“You can’t have hard-coded credentials in devices like that; you need to be able to make it apparent that the end user has to change the password on it,” he said. “Hopefully greater awareness is going to seep into the market in the coming year.”
Attacks on the increase
Greater security of IoT devices is going to be needed as more and more device enter the market, providing even more targets for cybercriminals.
Cyberattacks on Symantec’s honeypot almost doubled from January to December last year. An average of 4.6 unique IP addresses hit the honeypot every hour in January, rising to 8.8 in December, with an attack taking place every two minutes during peak times, such as when Mirai was expanding.
The threat of insecure IoT devices is a global problem too, with infected devices targeting the honeypot from across the globe. China accounted for over a quarter of IoT-based attacks, followed by the United States, Russia, and Europe.
Image: Symantec
These metrics measure the countries in which the IP address of the attacking device was based. However, that doesn’t necessarily mean the attackers themselves were based in these countries.
With billions more devices set to be connected to the internet by 2020, more must be done to ensure the security of IoT. “Currently, the poor security on IoT devices is just making life easier for cyber criminals,” Symantec warns.
‘Admin’, ‘root’, ‘124356’, ‘password’. No wonder there has been an endemic of cyberattackers hijacking Internet of Things (IoT) devices when default passwords are this poor and users aren’t bothering to change them — or worse, don’t have the option to.
