15% of All IoT Device Owners Don’t Change Default Passwords

  • For example, if we’d said that just five passwords would grant you access to 10% of all the IoT devices available online, you’d be right to feel concerned.
  • Malware authors who want to build botnets use brute-force (dictionary) attacks and lists of default passwords to break into these devices, take them over, and add them to a botnet of IoT equipment.
  • Five username-password combos is all you need
    After performing several mass Internet scans, according to Positive Technologies experts, just five username and password combos will be enough to get your hands on a large number of IoT devices, be they DVRs, IP cameras, routers, smart washing machines, or anything else. This list can be expanded with many other username and password combos to improve an attacker’s chances at expanding his botnet.
  • According to Kaspersky Labs, today we have tens of thousands of exploitation attempts and brute-force attacks on any given IoT device exposed to the Internet.
  • To stay safe, device owners should follow these basic rules:
    ✓ Change default login passwords
    ✓ Disable ports and services they don’t use (Telnet, SSH, FTP, etc.)
    ✓ Install firmware updates at regular intervals
    ✓ Check device settings and make sure the device is not exposing administrative panels over the Internet
    Image credits: Positive Technologies, Kaspersky Labs

@campuscodi: 15% of All IoT Device Owners Don’t Change Default Passwords #IoT #malware #infosec

Simple statistics can tell you a lot about the state of security in a market niche. For example, if we’d said that just five passwords would grant you access to 10% of all the IoT devices available online, you’d be right to feel concerned.

According to security researchers from Positive Technologies, this happens because 15% of all device owners don’t change the default password for the devices they buy.

This leaves millions of devices exposed online, protected only by the same password that is listed in their documentation manual. Malware authors who want to build botnets use brute-force (dictionary) attacks and lists of default passwords to break into these devices, take them over, and add them to a botnet of IoT equipment.

In recent months, this practice has become the de-facto technique that almost any malware author wannabe uses to put together his personal DDoS cannon.

After performing several mass Internet scans, according to Positive Technologies experts, just five username and password combos will be enough to get your hands on a large number of IoT devices, be they DVRs, IP cameras, routers, smart washing machines, or anything else.

This list can be expanded with many other username and password combos to improve an attacker’s chances at expanding his botnet. For example, Mirai, the IoT malware responsible for the biggest DDoS attacks ever recorded, used only 62 username & password combos to create its botnet.

Almost all of today’s IoT malware families use this list, plus a few new additions that help them brute-force their way into new victims.

On top of these, many also improve their chances of infection by incorporating ready-made exploits that take advantage of unpatched vulnerabilities, allowing an attacker to take root-level control over the targeted device.

According to Kaspersky Labs, today we have tens of thousands of exploitation attempts and brute-force attacks on any given IoT device exposed to the Internet.
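As an added example (not part of the original article), this is how the brute-force pattern described above looks from the defender's side: a burst of failed logins from one source, and, worse, a successful login right after that burst. The log format, field order, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login attempts against an exposed Telnet/SSH service.
# Hypothetical format: ISO timestamp, source IP, service, username, result
SAMPLE_LOG = """\
2017-06-20T10:00:01 203.0.113.7 telnet root FAIL
2017-06-20T10:00:02 203.0.113.7 telnet admin FAIL
2017-06-20T10:00:03 203.0.113.7 telnet support FAIL
2017-06-20T10:00:04 203.0.113.7 telnet user FAIL
2017-06-20T10:00:06 203.0.113.7 telnet admin OK
2017-06-20T10:05:00 198.51.100.20 ssh operator FAIL
2017-06-20T11:30:00 198.51.100.20 ssh operator OK
2017-06-20T10:01:00 192.0.2.44 telnet root FAIL
2017-06-20T10:01:01 192.0.2.44 telnet guest FAIL
2017-06-20T10:01:02 192.0.2.44 telnet admin FAIL
"""

def parse(log):
    """Yield (timestamp, ip, service, user, result) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, ip, service, user, result = parts
        yield datetime.fromisoformat(ts), ip, service, user, result

def detect_dictionary_attacks(log, min_failures=3, window=timedelta(seconds=60)):
    """Map source IP -> 'attack' (burst of failures) or 'compromised'
    (a successful login that arrives while such a burst is still in the window)."""
    recent = defaultdict(list)  # ip -> timestamps of failures inside the window
    verdicts = {}
    for ts, ip, _service, _user, result in sorted(parse(log)):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        burst_before = len(recent[ip]) >= min_failures
        if result == "FAIL":
            recent[ip].append(ts)
            if len(recent[ip]) >= min_failures:
                verdicts.setdefault(ip, "attack")
        elif result == "OK" and burst_before:
            verdicts[ip] = "compromised"  # the guessed credential worked
    return verdicts

if __name__ == "__main__":
    for ip, verdict in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, verdict)
```

A source flagged as compromised means a guessed credential was accepted, so the device should be treated as taken over: reset it, change the password and update the firmware before reconnecting it.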

Despite this constant danger, very few device owners understand the risk they are exposing themselves to. Not all change default passwords, and very few update the device’s firmware to patch against publicly known exploits. According to Positive Technologies, on average, a device remains unpatched for three to four years.

This is a big issue, especially since Kaspersky has noted an explosion in 2017 in terms of the number of IoT malware samples.

According to Pen Test Partners, more dangerous vulnerabilities lie in wait, ones that could give IoT malware the same boot persistence that desktop malware currently enjoys.

Furthermore, tools like Shodan, Censys, or ZoomEye allow malware authors to identify vulnerable devices exposed online.

For example, via simple Shodan queries, Positive Technologies experts have identified millions of vulnerable routers exposed online via various ports or services.

These devices can be hacked today. All a malware author needs to do is read some infosec blogs and Reddit threads in order to keep up with the most recent security flaws that emerge. And they do emerge, believe us! There’s been at least one IoT-related bug report each day for the past few months.

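To stay safe, device owners should follow these basic rules:

  ✓ Change default login passwords
  ✓ Disable ports and services they don’t use (Telnet, SSH, FTP, etc.)
  ✓ Install firmware updates at regular intervals
  ✓ Check device settings and make sure the device is not exposing administrative panels over the Internet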

Image credits: Positive Technologies, Kaspersky Labs
