Freaking out about fiendish IoT exploits? Maybe disable telnet, FTP and change that default password first?

Home devices are so poorly guarded, attackers don't even need sophisticated tools


While netizens and journalists worry about criminals and spies using sophisticated cyber-weapons to hijack Internet of Things devices, basic security protections are being overlooked – and pose a far greater threat.

Miscreants targeting internet-connected devices, especially those found in homes and small offices, won't need special exploits leveraging code vulnerabilities to break in, because the username and password "admin" will typically get them just as far.

That's according to eggheads at Stanford University and the University of Illinois at Urbana-Champaign in the US, and Avast Software in the Czech Republic. They've concluded IoT security is so completely devoid of basic protections that in many cases an attacker would not even need to resort to malware or complex exploits to compromise a device or network.

For an academic study, seen by The Register ahead of its release online today, the team collected telemetry from 83 million devices via home network scans of 16 million Avast customer volunteers, and found that basic security measures, such as strong passwords or non-default credentials, were nowhere to be found.

For example, the study, due to be formally presented at this summer's Usenix security symposium, noted that 30 per cent of TP-Link routers encountered during the research had an open HTTP port on the local network and used the default admin/admin username-password combination. The researchers also found that 14.6 per cent of all routers had either FTP or Telnet services open, and many of those also used passwords that would be trivial to guess.

At the same time, media coverage and infosec vendors' marketing hype push the idea that sophisticated exploits and hidden firmware vulnerabilities are the big threats, rather than insecure out-of-the-box configurations and default login credentials.

'Shiny exploits'

"What we see coverage of are these shiny exploits that go after devices that no one has, no one cares about, that are never going to be used," said Zakir Durumeric, an assistant professor at Stanford and co-author of the report.

"We should be terrified about the fact that half of these routers have guessable passwords and that there's no security precautions really sitting between any of these infected machines and these devices."

Durumeric went on to note that further danger is posed by many IoT devices continuing to use ancient protocols like FTP and Telnet for their communications, rather than more secure methods of transmission. This is compounded by the use of weak credentials on those connections – for example 9.3 per cent of TP-Link routers studied had an FTP port open to the internet, with 55 per cent also using a weak password.

"We have seen these very old protocols make a return, FTP had been deprecated and these other protocols like telnet have unquestionably been abdicated. There are much more secure protocols that are used today on normal computers," he said.

"It has not been a priority for these devices to use these more secure protocols."

Fortunately, Durumeric noted, the study also found reason to believe that tackling the issue may not be as hard as it seems. For starters, the market dominance of a handful of vendors means that just 100 companies account for around 90 per cent of all IoT devices, and in areas like voice assistant boxes just two vendors (Amazon and Google) control 90 per cent.

This means that if these top-tier vendors can clean up their acts and improve the security of their hardware, the strong majority of IoT hardware can become significantly more secure and better protected.

Maybe then, perhaps, we can start to worry about vulnerability exploits. ®

