Misconfigured IoT Devices
There are billions of IoT devices online — more connected things than people in the world. A forecast from International Data Corporation (IDC) estimates that there will be more than 41 billion connected IoT devices in 2025. But this rise of IoT devices also comes with scores of new security challenges.
The default or zero credentials threat
IoT devices include everything from smart watches, thermostats, bulbs, refrigerators, smart TVs, baby monitors and alarms to medical equipment, food sensors, traffic routing and air-conditioning, to name a few. One of the challenges of IoT is weak authentication and the use of default credentials in these devices, which usually run embedded systems that require no configuration. According to the 2020 Deloitte whitepaper “Internet of Things (IoT) | The rise of the connected world”, about 70% of the devices are configured to use the factory-set default usernames/passwords.
Many users will never change these default passwords, and many device manufacturers share their default credentials online. According to Symantec's Threat Landscape Trends – Q2 2020 report, ‘123456’, ‘Default’, ‘admin’, ‘user’ and ‘root’ are among the top 10 passwords used in IoT attacks (‘123456’ being the most commonly used). Avast researchers discovered that 600,000 Chinese-manufactured GPS trackers had ‘123456’ as their default password, and these devices were exposing the real-time GPS coordinates of children. Yet another example is baby monitors that had the default password ‘123’ written on the back of the device, allowing hackers to spy on users. And if that is not enough, it is also easy to find websites that let you look up IoT device default passwords by brand and model. These loose password practices are but one reason why IoT devices are exceptionally vulnerable to malware and a host of other cyber attacks. The threat of default credentials is significant and is beginning to be recognized as such. For instance, in July 2020 the U.K. government proposed a new consumer protection law banning single, universal passwords for devices.
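The default, missing and universal credentials described above can be checked for in your own device inventory before anyone else finds them. The following is an added example, not code from the original article or from CybelAngel: it audits a CSV export of device credentials offline, and the column names, device records and the `shared_threshold` parameter are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Passwords the article names as factory defaults or top IoT attack passwords.
KNOWN_DEFAULTS = {"123456", "default", "admin", "user", "root", "123"}

# Constructed sample export (hypothetical columns, vendors and devices).
# A real export holds secrets and must be handled as sensitive data.
SAMPLE_INVENTORY = """device_id,vendor,model,username,password
cam-01,AcmeCam,C100,admin,admin
cam-02,AcmeCam,C100,admin,Tr1cky-Horse-88
gps-01,TrackCo,T1,user,123456
gps-02,TrackCo,T1,user,123456
mon-01,BabyView,B2,,
hvac-01,CoolAir,H9,svc,Kq7!vLm2#xP9
hvac-02,CoolAir,H9,svc,Kq7!vLm2#xP9
hvac-03,CoolAir,H9,svc,Kq7!vLm2#xP9
"""


def audit_inventory(csv_text, shared_threshold=3):
    """Return {device_id: sorted findings} for devices with risky credentials."""
    findings = defaultdict(set)
    # (vendor, model) -> password -> device ids using that password
    by_model = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device_id"].strip()
        password = (row.get("password") or "").strip()
        if not password:
            findings[dev].add("NO_CREDENTIALS")
            continue
        if password.lower() in KNOWN_DEFAULTS:
            findings[dev].add("KNOWN_DEFAULT_PASSWORD")
        by_model[(row["vendor"].strip(), row["model"].strip())][password].append(dev)
    # One password shared by many units of a model points to a universal
    # factory password, even when it looks strong and is on no default list.
    for passwords in by_model.values():
        for devices in passwords.values():
            if len(devices) >= shared_threshold:
                for dev in devices:
                    findings[dev].add("UNIVERSAL_PASSWORD_FOR_MODEL")
    return {dev: sorted(tags) for dev, tags in findings.items()}


if __name__ == "__main__":
    for dev, tags in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{dev}: {', '.join(tags)}")
```

The third check matters because a strong-looking password that ships identically on every unit of a model is still a single, universal password of the kind the proposed U.K. law targets.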
The vulnerabilities threat
In addition, there are also plenty of devices with no passwords or authentication at all. Both hackers and security researchers use search engines for the Internet of Things, like Shodan or Censys, to detect vulnerable “things” connected to the Internet, such as security cameras, webcams, SCADA systems, air-conditioning, etc. Many articles relate stories of hackers or researchers gaining access to complete strangers’ webcams, posing dangers to both privacy and security, as cameras could be compromised for spying or even blackmail purposes. With search engines like Shodan or Censys, enterprises can search by IP, server, type, ports, banner, etc. This capability allows cybersecurity analysts to detect CVE (Common Vulnerabilities and Exposures) vulnerabilities. For instance, BlueKeep (CVE-2019-0708) is a software vulnerability that affects older versions of Microsoft Windows (such as Windows XP, Windows 7 and Windows Server 2008 R2). It affects the operating system’s Remote Desktop Protocol (RDP) service and allows for the possibility of remote code execution. Vulnerable systems could be infected with cryptocurrency miners or even ransomware in some instances. Approximately 1 million systems were vulnerable to BlueKeep in May 2019. According to the SANS Internet Storm Center, in November 2020 over 245,000 systems were still unpatched and therefore still running the vulnerable Windows RDP service. That represents 25% of the original number, a rather high figure more than 18 months after the disclosure of the vulnerability and in the middle of a ransomware spree.
How CybelAngel can help prevent IoT attacks
Traditional vulnerability management solutions are incapable of guaranteeing the safety of IoT assets at scale. Hence businesses worldwide rely on CybelAngel to prevent harmful attacks by detecting and securing vulnerable IoT devices before they are breached. CybelAngel’s Asset Discovery and Monitoring solution eliminates shadow risk by alerting you to vulnerable assets through a white-hat, risk-based approach that allows your organization to prevent attacks against valuable data, or persons.