Default Passwords in IoT Devices
Quick Take
Default passwords in IoT devices are a significant security threat. Hackers love targeting them because, honestly, most people don’t even bother to change them.
- Botnets like Mirai are built on default credentials.
- Enterprises rolling out IoT devices without password hygiene are inviting disaster.
- Regulation is beginning to tighten, but the danger is still immense.
If you still have factory-issue passwords on your IoT devices, like admin/admin or root/root… go fix that now.
Introduction
I’ve worked in cybersecurity long enough to see multiple generations of the same mistakes recycled, just in different forms. In the early 2000s, it was default SNMP strings and weak Windows admin passwords. Today? It’s IoT devices with default logins so atrocious, it’s like leaving your front door open while installing a low-wattage flashing “Rob Me” neon sign.
With IoT devices everywhere (smart cameras, smart thermostats, networked coffee machines), attackers have a treasure trove of targets. And they know most users will never change the default password.
Here's the thing: default passwords are a gift basket of attack vectors. Whenever I do a security audit, I still find at least a few devices on factory credentials, even in big enterprises. If you're rolling out IoT without good authentication, you're asking to get hacked.
Let’s dig into the problem.
Password-Based Attacks on IoT Devices
An IoT compromise typically begins with one of these password problems:
1. Default Credentials
- Many IoT devices ship with default passwords, and those defaults are often hardcoded in the firmware.
- Attackers don't need exotic exploits, just a list of common defaults tried against every device they can reach.
- Some devices don't even let you change the admin password (bad design).
2. Weak Passwords
- Some people still use “123456” or “password” (honestly, 2024—why?).
- Short, simple passwords take seconds to brute-force.
- Few IoT devices apply any rate limiting or lockout, so dictionary attacks against them are trivial.
3. Unmanaged Credentials
- Big enterprises deploy hundreds of IoT devices without adequate credential provisioning. A single compromised device becomes a beachhead for lateral movement within the network.
4. Remote Exploits & Botnets
- Once an attacker is in, it's game over: they can replace firmware, steal data, or launch further attacks from the device.
- Hacked IoT devices get pooled into gigantic botnets (Mirai, Mozi, etc.).
- Remember Mirai? In 2016 it knocked out Dyn's DNS, and a large chunk of popular sites with it, and its recruitment method was nothing more than a hardcoded list of about 60 factory username/password pairs tried over Telnet.
And these attacks are not hypothetical. I've seen unsecured IoT devices be a factor in large-scale breaches firsthand.
Real-World Incidents
Want proof? Here are some examples I have witnessed firsthand:
Case 1: The Intelligent Boardroom Turned Spy Room
A financial firm I consulted for had smart conference-room equipment connected to its corporate network. The problem? The default admin credentials had never been changed. Attackers accessed the microphones and streamed meeting audio to an external network.
Yes. That actually happened.
Case 2: The Botnet That Crippled a Retail Chain
A retail client of mine faced a mysterious bandwidth overload that repeatedly crashed its POS systems. After investigation? More than 300 of their smart CCTV cameras had been compromised and conscripted into a huge botnet, all because they still had their default passwords.
Case 3: The Bank with Exposed ATMs
I recently worked with a bank whose networked ATM cameras were running with the default root credentials. Had attackers noticed, they could have hijacked them to steal footage, capture PINs, and stage skimming attacks. Scary? Yes. Preventable? 100%.
Best Practices for Securing IoT Passwords
Password security isn’t rocket surgery. But companies still get it wrong. Here’s what needs to happen:
1. Change Default Passwords. Always.
Whether you're connecting a router, camera, or thermostat, the first thing to do is change the credentials. If the device offers no way to change them, it does not belong on your network.
2. Use Strong, Unique Passwords
- At least 12-16 characters; length matters more than mixing character classes.
- Randomly generated (by a password manager or a CSPRNG), not a pattern like the site name plus the year.
- No shared passwords between devices: one compromised camera must not unlock the rest of the fleet.
3. Utilize Password Management Solutions
- Use password vaults or enterprise credential management.
- If deploying hundreds of IoT devices, automate it: generate a unique credential per device at onboarding and record it in the vault, so nobody is typing passwords into 300 camera web panels by hand.
4. Turn Off Remote Access (If You Don’t Need It)
- Many IoT devices ship with remote administration (web panel, Telnet, SSH) enabled by default.
- Disable it if you don't need it. If you do need it, restrict it to a management VLAN. Less exposure = more safety.
5. Use MFA (If Available)
Many IoT devices lack the feature, but some do support multi-factor authentication. If it's available, turn it on.
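The provisioning and hygiene points above (unique random passwords per device, no factory defaults, nothing shared) are easy to state and easy to get wrong at scale, so here is an added example of how I would script them. It is not code from the original article; the device names, the inventory and the list of factory passwords are constructed for illustration, and the in-memory dictionary stands in for whatever vault you actually use.

```python
"""Per-device credential provisioning and inventory audit (added example).

Generates a unique CSPRNG password for every device at onboarding, records
it in an inventory (a dict here; a vault in production), and audits an
existing inventory for the three failures the article lists: factory
defaults still in place, weak passwords, and passwords shared between
devices. All names and inventories below are constructed sample data.
"""
import secrets
import string
from collections import Counter

MIN_LENGTH = 16  # the article recommends 12-16; we default to the upper end
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Illustrative subset of factory passwords to flag; a real audit would use a
# fuller vendor-specific list.
FACTORY_PASSWORDS = {"admin", "password", "1234", "12345", "123456", "root", ""}

# Constructed sample of a badly provisioned camera VLAN.
LEGACY_INVENTORY = {
    "cam-lobby-01": {"user": "admin", "password": "admin"},
    "cam-lobby-02": {"user": "root", "password": "root"},
    "cam-dock-01": {"user": "admin", "password": "Summer2024"},
    "cam-dock-02": {"user": "admin", "password": "Summer2024"},
    "cam-vault-01": {"user": "admin", "password": "m7Q!vR2#kL9pXz4w"},
}


def generate_device_password(length=MIN_LENGTH):
    """CSPRNG-generated password; never derived from the device id or MAC."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(device_ids):
    """Return {device_id: {"user", "password"}} with a unique secret per device."""
    inventory = {}
    for dev in device_ids:
        pw = generate_device_password()
        # Re-draw on the astronomically unlikely collision so "unique" holds.
        while any(entry["password"] == pw for entry in inventory.values()):
            pw = generate_device_password()
        inventory[dev] = {"user": "admin", "password": pw}
    return inventory


def audit(inventory):
    """Return (device_id, finding) tuples, sorted by device; empty means clean."""
    findings = []
    counts = Counter(entry["password"] for entry in inventory.values())
    for dev, entry in sorted(inventory.items()):
        pw = entry["password"]
        if pw.lower() in FACTORY_PASSWORDS or pw == entry["user"]:
            findings.append((dev, "factory/default password"))
        elif len(pw) < 12:
            findings.append((dev, f"too short ({len(pw)} chars)"))
        if counts[pw] > 1:
            findings.append((dev, "password shared with another device"))
    return findings


if __name__ == "__main__":
    for dev, finding in audit(LEGACY_INVENTORY):
        print(f"FAIL {dev}: {finding}")
    fresh = provision(["cam-lobby-01", "cam-lobby-02", "cam-dock-01"])
    print(f"re-provisioned {len(fresh)} devices, audit findings: {audit(fresh)}")
```

Run it as-is and the constructed legacy inventory produces six findings (two factory logins, two short passwords, two shared), while the freshly provisioned set audits clean. Swap `LEGACY_INVENTORY` for an export from your CMDB or vault and the audit half becomes a useful recurring check.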
Awareness Training — Humans Are the Vulnerability
Let’s be blunt. There is no magic pill when it comes to maintaining proper digital security, and no amount of wheel-spinning with security controls will make up for users ignoring basic best practices.
What Companies Need to Do:
- Instruct employees to never use factory passwords.
- Practice basic password hygiene (for example, use password policies that make sense, not just arbitrary complexity rules).
- Provide IT staff with training for securing IoT deployment.
- Conduct internal penetration tests to reveal vulnerabilities before attackers do.
- Start publicly shaming bad IoT vendors. Manufacturers should be called out if they hardcode default credentials and provide no mechanism for changing them.
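The internal penetration test above does not need to be elaborate for this class of problem: as the attack section noted, a list of common defaults and a device with no rate limiting is all Mirai needed. Below is an added example (not from the original article) of the sweep I would run against a camera VLAN. To keep it self-contained it starts a stand-in "camera panel" on localhost that accepts HTTP Basic auth with the factory pair admin/admin, then sweeps it; the device, its address and the credential list are all constructed here, and the list is an illustrative subset, not a complete wordlist.

```python
"""Default-credential sweep against an HTTP Basic auth admin panel (added example).

Spins up a stand-in IoT web panel on 127.0.0.1 that accepts the factory pair
admin/admin and applies no rate limiting, then sweeps it with a short list of
well-known defaults. Point sweep_for_defaults() at real device URLs from your
inventory to run the same check for real.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Illustrative subset of factory pairs botnets such as Mirai are known to try.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
]


class FakeCameraPanel(BaseHTTPRequestHandler):
    """Stand-in for a camera's admin UI: Basic auth, factory creds, no lockout."""
    FACTORY = ("admin", "admin")  # constructed default; overridden per instance

    def do_GET(self):
        expected = base64.b64encode(":".join(self.FACTORY).encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"camera settings")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_device(password="admin"):
    """Start the stand-in panel on an ephemeral port; returns (server, url)."""
    handler = type("Panel", (FakeCameraPanel,), {"FACTORY": ("admin", password)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def try_basic_auth(url, user, password, timeout=2):
    """Return True if the panel accepts this username/password pair."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False
        raise  # anything else (500, etc.) is worth seeing, not hiding
    except urllib.error.URLError:
        return False  # unreachable device: not a credential finding


def sweep_for_defaults(url, creds=DEFAULT_CREDS):
    """Return the list of default pairs the device accepts (empty = clean)."""
    return [(u, p) for u, p in creds if try_basic_auth(url, u, p)]


if __name__ == "__main__":
    server, url = start_fake_device()
    try:
        hits = sweep_for_defaults(url)
        for user, pw in hits:
            print(f"FAIL {url} accepts factory credentials {user}/{pw}")
        if not hits:
            print(f"ok   {url} rejected all {len(DEFAULT_CREDS)} default pairs")
    finally:
        server.shutdown()
        server.server_close()
```

Two caveats for real use: only run this against devices you own or are authorized to test, and note that a device which returns 200 to every request regardless of the Authorization header will show up as accepting every pair, which is its own finding (no authentication at all) rather than a scanner bug.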
Final Thoughts
I've just returned from DefCon, and the hardware hacking village there spurred this train of thought: we are repeating the same mistakes from the 90s. If we don't pay attention to passwords, IoT devices will remain security disasters waiting to happen.
Companies should take IoT security seriously, because attackers certainly do. Deploying IoT devices without password management, security policies, or monitoring is playing with fire. And fire spreads fast. Let's solve this before the next Mirai-style attack takes down a large part of the internet again.