A list of IP addresses and login credentials (many of them just “admin:admin,” unfortunately) for more than 8,000 telnet-accessible Internet of Things (IoT) devices was recently posted on Pastebin, Ars Technica reports.
GDI Foundation chairman Victor Gevers told Ars that the 8,233 devices used just 144 different login credentials, and at least 1,774 of the addresses were still accessible using the posted credentials as of the end of last week.
The most common user name and password combinations in the list, according to Gevers, were root:[blank] (782 instances), admin:admin (634), root:root (320), admin:default (21), and default:
The Pastebin post first went up in June, but Ars reports that it remained relatively unnoticed until last week, when NewSky Security researcher Ankit Anubhav tweeted a link to it. It then jumped from a few hundred views to over 16,000 before it was removed.
The Danger of Default
Varonis technical evangelist Brian Vecci told eSecurity Planet by email that a leak as big as this one opens the door to a wide variety of infections and exploits. “Not only do consumers need to be mindful of what they put on their network and do what they can to secure their devices, but manufacturers have an obligation to make security an essential part of the design with IoT products,” he said.
Vecci said any product that ships the same set of default credentials on every device will inevitably end up with a significant number that are installed and never configured, leaving them wide open to hackers.
“Device manufacturers need to build better security into the design of their products and services to ensure that even if a consumer doesn’t take the time to customize the device, it’s not accessible and inviting abuse,” Vecci added. “Some manufacturers, for example, are beginning to minimize the risk of devices being hacked by randomizing factory default credentials and disabling remote access by default.”
Improving Cyber Security
A recent Irdeto survey of 7,882 consumers found that 90 percent of respondents believe it’s important for manufacturers to ensure that cyber security is built into all connected devices.
Still, 56 percent of respondents think end users and manufacturers share responsibility for ensuring device security. Just 20 percent believe the manufacturer is solely responsible.
Fully 89 percent of respondents have at least one connected device in their home, and 81 percent have more than one.
“Today’s connected world needs consumers to be vigilant about security threats,” Irdeto director of IoT security Mark Hearn said in a statement. “On the device manufacturer side, there must be a better ‘defense-in-depth’ approach to cyber security that integrates multiple layers of security into a system. This approach, combined with ongoing security updates to protect against the latest threats, is critical to mitigate attacks targeting IoT technologies.”
To that end, a bipartisan group of U.S. senators earlier this month introduced the IoT Cybersecurity Improvement Act of 2017, which would require that IoT devices used by the government be patchable, rely on industry standard protocols, not use hard-coded passwords, and not have any known security vulnerabilities.
“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” bill co-sponsor Sen. Mark Warner said at the time.