Criminals are constantly attempting to log into digital video recorders by using their default credentials, the SANS Institute has found.
The organisation revisited recorders because their lack of security helped the Mirai botnet run riot in October 2016, thanks to its modus operandi of logging into devices using their default passwords. Mirai built an army of digital video recorders (DVRs) and used them to spawn history's biggest DDoS attack. Mirai also spawned widespread panic and/or concern about Internet of Things security, or the lack thereof.
Johannes B Ullrich, dean of research at the SANS Technology Institute, thought it would be interesting to see if such an attack could still work, so hung an "Anrai"-branded DVR on the net, with default configuration and password "xc3511" unchanged, power cycled it every five minutes and watched for 45 hours and 42 minutes.
The results of that effort were scary: 1,254 logins with the default password. Or one every two minutes.
It gets worse. Ullrich says SANS sees "100,000-150,000 sources participating in telnet scans" so between clueless users and manufacturers who don't implement on-activation password changes, he thinks Mirai-style attacks are here to stay.
The one ray of sunshine he offers is that "many of these devices are buggy enough, where the owner is used to regular reboots", which means bad actors will be locked out of the devices. For two minutes anyway. ®