While netizens and journalists worry about criminals and spies using sophisticated cyber-weapons to hijack Internet of Things devices, basic security protections are being overlooked – and their absence poses a far greater threat.
Miscreants targeting internet-connected devices, especially those found in homes and small offices, won't need special exploits leveraging code vulnerabilities to break in, because the username and password "admin" will typically get them just as far.
That's according to eggheads at Stanford University and the University of Illinois at Urbana-Champaign in the US, and Avast Software in the Czech Republic. They've concluded IoT security is so completely devoid of basic protections that in many cases an attacker would not even need to resort to malware or complex exploits to compromise a device or network.
For an academic study, seen by The Register ahead of its release online today, the team collected telemetry from 83 million devices via home network scans of 16 million Avast customer volunteers, and found that basic security measures, such as strong passwords or non-default credentials, were nowhere to be found.
For example, the study, due to be formally presented at this summer's Usenix security symposium, noted that 30 per cent of TP-Link routers encountered during the research had an open HTTP port on the local network and used the default admin/admin username-password combination. The researchers also found that 14.6 per cent of all routers had either FTP or Telnet services open, and many of those also used passwords that would be trivial to guess.
At the same time, media coverage and infosec vendors' marketing hype push the idea that sophisticated exploits and hidden firmware vulnerabilities are the big threats, rather than insecure out-of-the-box configurations and default login credentials.
"What we see coverage of are these shiny exploits that go after devices that no one has, no one cares about, that are never going to be used," said Zakir Durumeric, an assistant professor at Stanford and co-author of the report.
"We should be terrified about the fact that half of these routers have guessable passwords and that there's no security precautions really sitting between any of these infected machines and these devices."
Durumeric went on to note that further danger is posed by many IoT devices continuing to use ancient protocols like FTP and Telnet for their communications, rather than more secure methods of transmission. This is compounded by the use of weak credentials on those connections – for example 9.3 per cent of TP-Link routers studied had an FTP port open to the internet, with 55 per cent also using a weak password.
"We have seen these very old protocols make a return, FTP had been deprecated and these other protocols like telnet have unquestionably been abdicated. There are much more secure protocols that are used today on normal computers," he said.
"It has not been a priority for these devices to use these more secure protocols."
Fortunately, Durumeric noted, the study also found reason to believe that tackling the issue may not be as hard as it seems. For starters, the market dominance of a handful of vendors means that just 100 companies account for around 90 per cent of all IoT devices, and in areas like voice assistant boxes just two vendors (Amazon and Google) control 90 per cent.
This means that if these top-tier vendors can clean up their acts and improve the security of their hardware, the strong majority of IoT hardware can become significantly more secure and better protected.
Maybe then, perhaps, we can start to worry about vulnerability exploits. ®