While conducting research on the susceptibility of Internet of Things (IoT) devices to hacking, researchers at Ben-Gurion University found many device manufacturers and owners made a hacker’s job quite easy.
Off-the-shelf IoT devices often have their default passwords posted online, usually by the device manufacturer to aid in quick device setup.
It was easy work to get these passwords: The Ben-Gurion research team were often able to find default passwords in under 30 minutes with a simple Google search.
The problem is that if a default password is online for a device owner to use, an attacker can and will easily find it too. Luckily for attackers, many IoT device owners never change the default passwords for their device once they have it set up, and often the device manufacturer doesn’t encourage the device owner to do so.
Even worse in some cases, the default password can’t be changed. Unfortunately, that gives the illusion of security to unwitting device owners – because it has a password – but leaving a default password in place isn’t much of an improvement over having no password at all.
Exacerbating this issue, the researchers also found that many of the default device passwords posted online were shared across devices made by the same manufacturers.
The fact that many smart device owners never change the default passwords is well-known by security researchers and cybercriminals alike. In many cases, finding internet-enabled devices left wide open to access – without even a default password – only takes a quick search on Shodan, colloquially called the “Google for internet-connected devices.”
Often the devices found on Shodan have been in the realm of the corporate or industrial, like exposed marketing databases or industrial control systems, but consumer-grade devices are increasingly turning up there too.
After gaining access, the Ben-Gurion researchers were able to remotely control the devices they were researching, including thermostats, baby monitors, and home security cameras. Aside from being able to spy on homeowners, access to these IoT devices usually gave the researchers clear access into the personal home networks of their owners, as Wi-Fi credentials weren’t well-secured within the devices either.
Getting a foothold into a home Wi-Fi network to infect devices with malware, all via a poorly-secured internet-enabled coffeemaker, might sound somewhat ludicrous, but it’s sadly entirely possible. And with IoT devices continuing to flood the market, it’s a scenario we’re likely to see play out repeatedly. After all, unsecured IoT devices were the backbone of the Mirai botnet.
The advice to device owners is clear: Don’t make it so easy for an attacker. Make sure you’re not using default passwords – replace it with a password that is unique and complex.
Naked Security
The password to your IoT device is just a Google search away
Researchers at Ben-Gurion University were often able to find default passwords in under 30 minutes with a simple Google search.
Graham T
Thinking about all the IOT stuff in my house (thermostat, lights, plugs, Alexa) as far as I can recall the only thing any of them wanted when first plugged in was the wifi password – only after that did the accompanying app encourage me to set up an account with a user name and password to gain full usage.
The attitude seems to be “what can we do” first and “is this safe?” only comes later (if at all!) This phenomona was observed as recently as CES 2018.
To counter this, I backed Fingbox which monitors eveything connected to my router. To use their example, If you think about airport security, if firewalls and anti virus are the internal security (bag check, X-rays) then Fingbox is the fence that runs round the preminiter, stopping unwanted access.
[link redacted]
This seems to be useful as I’ve also read about McAfee producing very similar technology
[link redacted]
The future of IOT seems bright, if it means security has to be treated as a separate issue then so be it. Just so long as people are aware.