Default Passwords and the Internet of Things: Inviting Data Breaches Over for Dinner

Let’s admit it – growing up, before cell phones and caller ID, we all may have made a prank phone call or two.  I know I did, usually to my neighbor or friend’s parents.  Invariably, the calls were all very similar and followed a very specific joke:

Hi, this is Bill from the electric company. Is your refrigerator running? It is?  Well you better catch it…(laughter).”

If this joke were told today, it may sound more like this:

Hi, this is Bill from your refrigerator. I have just come into $30 million US and need help moving it to a new bank. Please click the link below…”

Yes, it’s a typical Nigerian scam email, and according to new research, the email is indeed coming from inside your refrigerator.  Researchers have uncovered a new cyber-attack that uses smart appliances and connected devices to send out more than 750,000 spam emails.

This is the cost of living in the age of the Internet of Things.  As our world continues to shrink and become more connected – like Google running your thermostat – we’re going to see attackers take advantage of these connections for more attacks of this nature. 

The reason they’re able to use these connected devices as the launching pad for attacks of this nature is because the appliances typically are not set up properly and are secured using only a default password – which can be found through a simple internet search.

The topic of default passwords has been tackled numerous times, but it’s a problem that persists both for consumers and for the enterprise

Default passwords need to be thought of as backdoor privileged access points – the types of access points that attackers have targeted for some of the most devastating breaches in recent memory.  Attacks through default credentials have plagued the critical infrastructure industry, and will continue to be an ongoing problem for enterprises as more devices become connected.

The first step to solving this problem is admitting there is a problem – 86 percent of large organizations grossly underestimate their privileged account security problem. Organizations need to start by identifying all privileged access points across their enterprise.  Only by gaining a true account for all default passwords and privileged access points can a business start the process of securing itself from their soda machines, printers and refrigerators.

Thursday, January 23, 2014