Security, Privacy, and the Internet of Things: Consider the Problem of Default Passwords (05 Aug)
By Roland Thomas, Information System Security Manager
As information technology evolves, there are two fundamental truths that plague the cybersecurity industry and keep life exciting for those of us actively engaged in the arena:
- Hardware, firmware, and software designers and developers make every effort to ensure that their products “work” properly when “used” properly. Vulnerabilities tend to exist when those products are used “improperly,” e.g. stuffing a thousand characters into a 10-character buffer or sending raw SQL commands to a web form.
- Security is tough, and implementing it properly takes time. If the survival of your business depends on selling products, being first to market wins the game. This means that functionality is job 1, followed by free patches and upgrades to provide performance, reliability, and – just maybe – security.
The challenge of providing cybersecurity is exacerbated by the growth of the Internet of Things (IoT). Wikipedia defines IoT as: “The extension of Internet connectivity into physical devices and everyday objects.” Embedded with electronics, Internet connectivity, sensors, and so forth, these devices can communicate and interact with others over the Internet via your home or office Wi-Fi network and they can be remotely monitored and controlled.
Therein lies a big problem: If you can remotely monitor and control your IoT devices, then so can someone else.
Before you dismiss a hacker’s ability to access your <enter IoT device here> into the “who cares” realm, consider this example described in the Washington Post: How a fish tank helped hack a casino. In this case, hackers used an internet-connected thermometer in a fish tank to gain a foothold in the network and were then able to exfiltrate 10GB of data – right out through the fish tank thermometer!
Or consider this nugget from 3 years ago: Mirai malware scans for Internet of Things (IoT) devices that are using default passwords and then enslaves those devices into a botnet.
The Issue of Default Passwords
Here is an interesting question: Why are IoT devices still using default passwords? The answer is simple: users can’t change them. Have you ever wondered how to change the password on your thermostat, Fitbit, TV, or refrigerator? You’ll find it can’t be done. (We’re not talking about your Wi-Fi password; we’re talking about the default password of the operating system, typically Android, that controls the device.)
The result of this situation is a house (or an office) full of “things” with default passwords and access to your network. If hackers can take over any one of those “things,” they can use that foothold to pivot to other devices on your network. For example, they could mine your home computer for credit card information or passwords, or could turn it into an FTP server, email spam sender, or cryptocurrency miner. Even worse, they could use it for illegal activities such as child pornography or to attack other systems. Maybe they unlock your door, turn off your alarm and help themselves to your stuff while you’re at work. Or maybe they just watch you for a while through your security cameras or webcam.
If you have business devices connected to your home network, this could provide a gateway into your company. As IoT devices are also adopted at offices, the risk shows up inside organizations as well (see the internet-connected fish tank example above).
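A defender-side illustration of the two behaviours described above (a device reachable on telnet with its factory password, and an enslaved device scanning for more victims), added here and not part of the original post: it runs over a constructed netfilter-style router log and flags LAN hosts that accepted inbound telnet from the Internet, plus LAN hosts probing telnet on several outside addresses, which is how a Mirai-infected device behaves. The LAN range, log format, and scan threshold are assumptions.

```python
"""Flag Mirai-style telnet activity in netfilter-style router logs (constructed sample)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}           # ports the Mirai family probes for default-password logins
LAN = ip_network("192.168.1.0/24")  # assumed home/office LAN range
SCAN_THRESHOLD = 3                  # distinct outbound telnet targets before we call it scanning

# Constructed log lines in the common netfilter LOG-target layout (not from any real device).
SAMPLE_LOG = """\
Aug 05 10:01:02 router kernel: [ACCEPT] IN=wan OUT= SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP DPT=23
Aug 05 10:01:05 router kernel: [DROP] IN=wan OUT= SRC=203.0.113.9 DST=192.168.1.30 PROTO=TCP DPT=2323
Aug 05 10:02:11 router kernel: [ACCEPT] IN=lan OUT=wan SRC=192.168.1.20 DST=203.0.113.1 PROTO=TCP DPT=23
Aug 05 10:02:12 router kernel: [ACCEPT] IN=lan OUT=wan SRC=192.168.1.20 DST=203.0.113.2 PROTO=TCP DPT=23
Aug 05 10:02:12 router kernel: [ACCEPT] IN=lan OUT=wan SRC=192.168.1.20 DST=203.0.113.3 PROTO=TCP DPT=2323
Aug 05 10:03:00 router kernel: [ACCEPT] IN=lan OUT=wan SRC=192.168.1.40 DST=93.184.216.34 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"\[(?P<verdict>\w+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

def analyze(log_text):
    """Return (exposed, scanners): LAN hosts reachable on telnet from outside,
    and LAN hosts opening telnet to many external addresses (bot-like behaviour)."""
    exposed = set()
    outbound_targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in TELNET_PORTS:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        # Inbound telnet the router let through to a LAN device: that device is exposed.
        if m["verdict"] == "ACCEPT" and src not in LAN and dst in LAN:
            exposed.add(str(dst))
        # A LAN device opening telnet to many outside hosts looks like Mirai-style scanning.
        if src in LAN and dst not in LAN:
            outbound_targets[str(src)].add(str(dst))
    scanners = {h for h, t in outbound_targets.items() if len(t) >= SCAN_THRESHOLD}
    return exposed, scanners

if __name__ == "__main__":
    exposed, scanners = analyze(SAMPLE_LOG)
    print("exposed telnet on LAN:", sorted(exposed))  # ['192.168.1.20']
    print("bot-like scanners:", sorted(scanners))     # ['192.168.1.20']
```

Either finding is a reason to isolate the device on its own network segment and block its telnet ports at the router until the vendor provides a way to change the credentials.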
Security and Privacy Risks Inherent in IoT Devices
Organizations need to take a risk management perspective to better understand the security and privacy risks inherent in IoT devices – before they are installed. A good place to start is this NIST document that outlines these risks and suggests countermeasures. Then follow it up with the proposed changes to NIST SP 800-53 rev 5, currently in draft.
The techniques and suggestions provided for your organization could just as easily help secure your home network. However, until IoT product providers fix the default password problem, you should think twice about using these kinds of devices.