1. When the IoT device is configured, most device users forget or are simply not
interested in changing the login credentials of the device, leaving them as they are.
2. When the IoT device is shipped, the default combination of userid/password becomes
a part of the list of the device’s “known exploits”. The manufacturers of the IoT device
continue working with the same combination of userid/passwords or generate similar
easy combinations, which are then included in the list of known attack vectors.
3. It is surprising how many businesses use passwords such as “123456”, “root”, and
“admin” in today’s age as it is extremely easy for cybercriminals to guess these
passwords via modern tools.
A cybersecurity team from Symantec found, during their study of IoT devices, that
most of the user passwords were quite weak, which made their users easy victims. They
did this by configuring an Internet of Things honeypot, which usually acts as
an open router to collect data on IoT attacks. This study established that several IoT
systems struggled with basic security strategies.
According to Symantec’s Threat Report, “admin” was the most used password by IoT
owners; almost 37 percent of logins used this password. On a similar note, “root” was used by 16
percent of the users. Next in line were passwords such as “1234”, “12345”, and “123456”, which
made up around 25 percent of the attacks, while even “password” was heavily used by users.
Some other examples of common weak passwords are “abc123”, “test”, and “admin123”.
So, what makes IoT devices so prone to weak passwords? It is possible that users are
simply unaware of good password practices and do not know how to change the default
passwords. Moreover, vendors are at fault too, as they hard-code credentials into their IoT
devices and do not let users change them.
Flash Question: How to make sure your password is strong?
California Ban
The US state of California banned the use of weak passwords while enforcing several security
measures to ensure the security of IoT devices. Though it does not seem that law enforcement
agencies will crack down on businesses and individuals and shut down their IT infrastructure
for the use of weak passwords, the law has made it mandatory that IoT devices are programmed
from their manufacturing to use distinct passwords rather than adhering to the conventional
use of default login credentials.
The law, known as “Information Privacy: Connected Devices”, requires IoT devices
to be equipped with an extensive list of security features, so that users are made to use a new
authentication method before getting access to the device for its first use, along with similar
measures to make sure that devices are secured.
According to the CEO of High-Tech Bridge, Ilia Kolochenko, who was positive about the
regulation, the move should inspire other governments to improve the security of
IoT and network devices, which are beginning to pose an unseen but quickly growing privacy and
security threat. Mr. Ilia believes that IoT devices have become a major part of daily lives, but the
use of weak and default passwords, a highly common practice, can negate their positive impact by
not only causing harm to data but also leading to death and physical injuries.
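The weak-password list and the California requirement described above can be turned into a pre-shipment check. The following Python sketch is an added example, not code from the book: the manifest layout, field names and serial numbers are constructed for illustration, and treating a weak or shared password as a shipping blocker unless a credential change is forced before first use is this example's reading of the rule.

```python
from collections import Counter

# Weak passwords named in the text above (Symantec honeypot findings).
WEAK_PASSWORDS = {"admin", "root", "1234", "12345", "123456",
                  "password", "abc123", "test", "admin123"}

# Constructed factory manifest; serials, field names and values are hypothetical.
SAMPLE_MANIFEST = [
    {"serial": "CAM-0001", "user": "admin", "password": "admin", "force_change": False},
    {"serial": "CAM-0002", "user": "admin", "password": "admin", "force_change": True},
    {"serial": "DVR-0001", "user": "root", "password": "Xk7#pQ2v!m", "force_change": False},
    {"serial": "DVR-0002", "user": "root", "password": "Xk7#pQ2v!m", "force_change": False},
    {"serial": "HUB-0001", "user": "owner", "password": "t9V$wL4z@Rq8", "force_change": False},
]


def audit_manifest(manifest):
    """Return {serial: [findings]} for every device with at least one finding."""
    # Count how many devices share each preprogrammed password.
    reuse = Counter(rec["password"] for rec in manifest)
    findings = {}
    for rec in manifest:
        issues = []
        weak = rec["password"].lower() in WEAK_PASSWORDS
        shared = reuse[rec["password"]] > 1
        if weak:
            issues.append("weak-default")
        if shared:
            issues.append("shared-across-devices")
        # Acceptable only if the password is distinct and strong, or the
        # owner must set new credentials before first use (assumed policy).
        if (weak or shared) and not rec["force_change"]:
            issues.append("blocks-shipping")
        if issues:
            findings[rec["serial"]] = issues
    return findings


def shippable(manifest):
    """Serials with no finding marked 'blocks-shipping'."""
    report = audit_manifest(manifest)
    return [rec["serial"] for rec in manifest
            if "blocks-shipping" not in report.get(rec["serial"], [])]


if __name__ == "__main__":
    for serial, issues in audit_manifest(SAMPLE_MANIFEST).items():
        print(serial, ", ".join(issues))
```

Note that DVR-0001 and DVR-0002 carry a strong-looking password yet still fail, because one password shared across a product line is as guessable as “admin” once it leaks.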
Chapter 11 Security Challenges for IoT 285