While conducting research on the susceptibility of Internet of Things (IoT) devices to hacking, researchers at Ben-Gurion University found many device manufacturers and owners made a hacker’s job quite easy.
Off-the-shelf IoT devices often have their default passwords posted online, usually by the device manufacturer to aid in quick device setup.
It was easy work to get these passwords: The Ben-Gurion research team were often able to find default passwords in under 30 minutes with a simple Google search.
The problem is that if a default password is online for a device owner to use, an attacker can and will easily find it too. Luckily for attackers, many IoT device owners never change the default passwords for their devices once they have them set up, and often the device manufacturer doesn’t encourage the device owner to do so.
Even worse, in some cases the default password can’t be changed. Unfortunately, a device that has a password gives unwitting owners the illusion of security, but leaving a default password in place isn’t much of an improvement over having no password at all.
Exacerbating this issue, the researchers also found that many of the default device passwords posted online were shared across devices made by the same manufacturers.
The fact that many smart device owners never change the default passwords is well-known by security researchers and cybercriminals alike. In many cases, finding internet-enabled devices left wide open to access – without even a default password – only takes a quick search on Shodan, colloquially called the “Google for internet-connected devices.”
Often the devices found on Shodan have been in the realm of the corporate or industrial, like exposed marketing databases or industrial control systems, but consumer-grade devices are increasingly turning up there too.
After gaining access, the Ben-Gurion researchers were able to remotely control the devices they were researching, including thermostats, baby monitors, and home security cameras. Aside from being able to spy on homeowners, access to these IoT devices usually gave the researchers clear access into the personal home networks of their owners, as Wi-Fi credentials weren’t well-secured within the devices either.
Getting a foothold into a home Wi-Fi network to infect devices with malware, all via a poorly-secured internet-enabled coffeemaker, might sound somewhat ludicrous, but it’s sadly entirely possible. And with IoT devices continuing to flood the market, it’s a scenario we’re likely to see play out repeatedly. After all, unsecured IoT devices were the backbone of the Mirai botnet.
The advice to device owners is clear: Don’t make it so easy for an attacker. Make sure you’re not using default passwords – replace each one with a password that is unique and complex.
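One way for a device owner to act on that advice is to audit a household inventory for the weaknesses described above: defaults left in place, defaults that can't be changed, and one password shared across devices. This is an added example, not code from the researchers or the article; the device names, models, inventory layout and placeholder passwords are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

AUDIT_KEY = b"constructed-local-audit-key"  # assumption: a secret only the auditor holds

def fingerprint(password: str) -> str:
    """Keyed fingerprint so the inventory never stores the password itself."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()

# Constructed sample data: per-model factory defaults (placeholders, not real ones).
VENDOR_DEFAULTS = {
    "AcmeCam": fingerprint("example-default-1"),
    "AcmeTherm": fingerprint("example-default-1"),  # same vendor, same default
    "BrewCo": fingerprint("example-default-2"),
}

# Constructed inventory: (device, model, fingerprint of current password, changeable?)
INVENTORY = [
    ("nursery-monitor", "AcmeCam", fingerprint("example-default-1"), True),
    ("hall-thermostat", "AcmeTherm", fingerprint("example-default-1"), False),
    ("coffee-maker", "BrewCo", fingerprint("S7!long-unique-phrase-kitchen"), True),
    ("door-camera", "AcmeCam", fingerprint("S7!long-unique-phrase-kitchen"), True),
]

def audit(inventory, defaults):
    """Return {device: [findings]} for the weaknesses the article describes."""
    findings = defaultdict(list)
    by_fp = defaultdict(list)
    for device, model, fp, changeable in inventory:
        by_fp[fp].append(device)
        if hmac.compare_digest(fp, defaults.get(model, "")):
            findings[device].append("factory default still set")
            if not changeable:
                findings[device].append("default cannot be changed")
    for devices in by_fp.values():
        if len(devices) > 1:  # a non-default password is still weak if reused
            for device in devices:
                others = ", ".join(d for d in devices if d != device)
                findings[device].append(f"password shared with {others}")
    return dict(findings)

if __name__ == "__main__":
    for device, issues in audit(INVENTORY, VENDOR_DEFAULTS).items():
        print(f"{device}: {'; '.join(issues)}")
```
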