Common Credentials Criminals Use in IoT Dictionary Attacks Revealed

Hackers don’t attack blindly, and they always rely on the one piece of information they know will help. Behind all IoT devices are humans, and humans make mistakes. One of the most common mistakes is keeping default passwords or choosing weak ones. Bitdefender’s telemetry reveals the most common credentials criminals use when trying to compromise IoT devices.

Many people buy or set up IoT devices in their homes and either don’t bother changing the default access credentials or they choose something simple that can be entered quickly. Routers are particularly susceptible to this practice, and they are especially vulnerable because they’re also home “guardians,” often lording over entire networks of other IoT devices.

People’s poor cybersecurity practices are well known in the industry, but criminals also exploit this information. So, when they develop malware and scanners capable of compromising IoT devices, they often use some of these bad habits against users.

Bitdefender is in a unique position to see what attackers actually do when trying to compromise a device. They often deploy dictionary attacks, using a list of common usernames and passwords that might fit, knowing there’s a good chance the victims failed to change them.

Bitdefender runs a network of honeypots that mirror real hardware criminals will find in the wild. This hardware is carefully monitored and allows security researchers to follow every step a hacker takes during the attack, including with credentials.

Telnet honeypots

The Telnet protocol has been around for years and is still in use today, although some companies have started to phase it out. It has serious security issues and shouldn’t remain open when not in use. Making matters worse, some manufacturers enable it by default in devices, making them vulnerable to attacks.

Some of the credentials in the following list reflect the targeted hardware, revealing default usernames and passwords and some poor user choices. Also, some of the password entries are empty because users sometimes disable the password.

SSH honeypots

Even if SSH is considered more secure than Telnet, weak or default passwords remain a problem. While the communication through SSH is encrypted, it doesn’t really help if the attacker can guess the credentials.

Some of you will likely recognize the default credentials in the following list because some known manufacturers implement them. SSH is the preferred way of accessing remote devices, but users will sometimes keep the default credentials.

Generic IoT devices

People can access some IoT devices through web interfaces, not just Telnet or SSH. Of course, attackers will also attempt to compromise those devices and follow the same practices by trying combinations of default credentials or weak passwords.

Best practices

If there were ever a time to change the default credentials of your IoT devices, it would be now. Bitdefender’s telemetry shows what credentials attackers attempt in their malicious campaigns. Many of their efforts to compromise devices would be thwarted by simply changing default usernames and passwords or by improving the existing passwords.

Of course, having an ISP that looks over its customers by deploying the Bitdefender IoT Security Platform in their routers also helps. Security embedded in the router does wonders for networks, blocking attacks and advising users of vulnerabilities present in their smart homes.