15% of IoT Devices use default passwords: Research

IoT security is a growing concern, but exactly how many devices are vulnerable to cyberattack? According to a report published by security researchers from Positive Technologies, just five sets of password allow online intruders to access 10% of all the connected IoT devices.

The reason behind this is that 15% of device owners don’t change the default passwords of the devices they buy, the report says.

After several mass Internet scans, the researchers found out that just five sets of usernames and passwords gave them access to a great number of IoT devices, including IP cameras, routers, DVRs and smart washing machines.

The five sets of default username and passwords, according to the report, are also support/support, admin/admin, admin/0000, user/user and root/12345.

Hackers have combined common usernames and passwords to gain even more access to more devices. Mirai, the malware that caused the recent high-profile DDoS attack, had only 62 sets of username and password to create the botnet

When a malware takes over IoT devices, hackers can then add the IoT devices into their attacking networks and simultaneously send data from millions of IoT devices around the world into one server, causing it to crash and go out of service.

The Mirai made its first presence in August 2016. On September 20, the botnet had grown to 150,000 devices and attacked Minecraft servers hosted by French provider OVH. More DDoS attacks followed, on DynDNS, Liberia, Deutsche Telekom and a U.S. college. A person who published the Mirai code claimed that the botnet had controlled over 380,000 devices.

At the end, the report provides some suggestions on securing IoT devices, such as IoT devices should restrict access from the Internet to the administration panel, CLI and FTP; update to the latest firmware version; manufacturers should ask customers to use strong passwords; and a cap limit on brute-force attempts.