15 PER CENT OF PEOPLE who own Internet of Things (IoT) devices don't bother changing the default password, Positive Technologies has revealed.
Crap passwords are a problem, too: the same research by cyber security company Positive Technologies found that just five of the most popular username and password combinations are enough to get administrative access to one out of every 10 devices.
The default and most popular pairings go hand-in-hand. They are: admin/admin, admin/0000, user/user, root/12345 and support/support.
This means that millions of devices, from DVRs to IP cameras, are extremely vulnerable, and malware coders that want to build botnets can use a list of default passwords to easily gain access to these devices and add them to a botnet of IoT equipment which can then be used as a distributed-denial-of-service (DDoS) weapon on a particular network.
This is how the Mirai botnet began; IoT devices had been infected by attacks on Telnet ports 23 or 2323 using a list of 62 standard passwords. After connecting to the network, each infected device started scanning for randomly generated IP addresses.
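The two defensive angles the article raises, refusing the well-known default pairs at device setup and spotting a scanner that walks a credential list against Telnet, can both be checked with a little code. The following is an added example, not code from the article or from Positive Technologies; the key=value login-log format, the sample log lines and the five-attempts-in-five-minutes threshold are constructed assumptions.

```python
"""Default-credential policy check and a detector for Mirai-style Telnet credential spraying.
Added example; the log format and thresholds are assumptions, not anything from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# The five default username/password pairs the article quotes.
DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "0000"),
    ("user", "user"),
    ("root", "12345"),
    ("support", "support"),
}

# Telnet ports Mirai scanned, as the article states.
TELNET_PORTS = {23, 2323}


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is one of the well-known defaults.

    A device's first-boot setup or a fleet audit can call this to force a
    password change before the device becomes reachable on the network.
    """
    return (username.strip().lower(), password) in DEFAULT_PAIRS


def parse_line(line: str) -> dict:
    """Parse one line of the (assumed) 'key=value' login-attempt log format."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"].replace("Z", "+00:00")),
        "src": fields["src"],
        "dport": int(fields["dport"]),
        "user": fields["user"],
        "result": fields["result"],
    }


def find_credential_sprayers(lines, min_attempts=5, window=timedelta(minutes=5)):
    """Return {src_ip: total_telnet_attempts} for sources that make at least
    `min_attempts` logins on a Telnet port inside any `window`, the pattern of a
    Mirai-style scanner trying one credential pair after another."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["dport"] in TELNET_PORTS:
            attempts[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in attempts.items():
        stamps.sort()
        j = 0  # two-pointer sliding window over the sorted timestamps
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= min_attempts:
                flagged[src] = len(stamps)
                break
    return flagged


# Constructed sample log: one source walks the default list against Telnet,
# one legitimate operator logs in over SSH and once over Telnet.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:00Z src=203.0.113.5 dport=23 user=admin result=fail",
    "ts=2024-05-01T10:00:01Z src=203.0.113.5 dport=23 user=admin result=fail",
    "ts=2024-05-01T10:00:02Z src=203.0.113.5 dport=2323 user=user result=fail",
    "ts=2024-05-01T10:00:03Z src=203.0.113.5 dport=23 user=root result=fail",
    "ts=2024-05-01T10:00:04Z src=203.0.113.5 dport=23 user=support result=fail",
    "ts=2024-05-01T10:00:05Z src=203.0.113.5 dport=23 user=admin result=success",
    "ts=2024-05-01T10:03:00Z src=192.0.2.10 dport=22 user=ops result=success",
    "ts=2024-05-01T10:04:00Z src=192.0.2.10 dport=23 user=ops result=success",
]

if __name__ == "__main__":
    print("admin/admin is default:", is_default_credential("admin", "admin"))
    print("sprayers:", find_credential_sprayers(SAMPLE_LOG))
```

The detector keys on attempt rate per source rather than on passwords, since a login log should never record the submitted password; the policy check is where the known-default list belongs, applied before a device is exposed rather than after it has been enrolled in a botnet.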
What followed were huge DDoS attacks on journalist Brian Krebs, DynDNS, Liberia, Deutsche Telekom and a US college. The botnet reportedly encompassed 380,000 devices simultaneously and the key issue here was that there was no requirement for non-factory set passwords on these devices.
Other IoT malware campaigns use similar tactics to Mirai, adding further username and password pairs to the list to improve their chances of expanding the botnet.
However, even once they gain access, the botnet code is not stored in long-term memory and therefore doesn't survive a restart of the infected device.
This could change in the months to come, as security specialists at Pen Test Partners said they have discovered a new vulnerability that could enable the Mirai IoT worm and other IoT malware to survive between device reboots, creating what would be a far more resilient or even permanent IoT botnet.