One of the biggest issues that IoT has is keeping everything secure. Putting devices online is a double-edged sword: it allows benevolent useful services to connect to it, but it can also allow malicious agents to harvest data from it.
This was proven a few days ago when a list of 500,000 IoT credentials made their way onto the Internet. The list was posted on a hacker forum for anyone to see and use.
How Did the Credentials Get Leaked?
The leaker managed to get their hands on the password by scanning the Internet for IoT devices. When an IoT device has a remote connection feature, it keeps a port open to listen for incoming connections. This is called a TelNet port, and the hacker looked for these ports on the Internet.
When the hacker found a port, they then attempted to breach it. They do this by using either default usernames and passwords or using the more well-used passwords on the Internet.
Once a breacher gains access, all they need to do is note down these details and build a database out of confirmed credentials. They can then publish this database on the Internet for other hackers to use.
What Will Happen Now?
The main use of the database was to act as a bot list. The breacher also operated a DDoS service operator, and credentials like these are valuable for DDoS owners.
DDoS attacks work when a large number of devices try to connect to the same website, thus overloading it with requests. The more devices in a DDoS attack, the better the attack.
As such, DDoS service operators want to create as big of a network of bots (botnet) as possible. By harvesting login details of devices, the operators can spread their range and make their “army” more powerful.
It’s likely that if the breached users don’t change their credentials, their devices will be used in these DDoS accounts. If they don’t, they may not even realize their device is being used to take down websites.
How to Avoid a Credentials Leak
If you like using remote-controlled IoT devices but are not so keen on having your credentials leaked, you need to tighten up your security to ensure that nobody conscripts your gadgets into a botnet.
Remember how the hackers managed to get the details in the first place? They used default or weak passwords to crack into devices and gain control. As such, to defeat this kind of attack, your gadgets need to have strong passwords.
Some devices will have a randomly-generated password given to it as the factory default, which is typically pretty strong. Others, however, will have the same username and password combination as every other.
If your device’s password looks weak, change it to something stronger. That way, when a hacker finds the TelNet port of your device and tries to crack it, they’ll be met with a brick wall that will keep them out.
Internet of Credentials
While it is worrying that a hacker recently released 500,000 IoT credentials to the Internet on a hacking forum, it can be avoided by changing your passwords to something stronger.
Does this encourage you to check your password hygiene? Let us know below.