As the Internet of Things (IoT) quickly flood into the market place, into our homes and into our places of employment, my years of pen testing experience and every research project I spin up reminds me IoT has weak defaults -- especially default passwords, which will be the undoing of all of us.

You would think after pointing out the issues with default password for years most of us would learn to start changing those passwords before deployment. Unfortunately that's not the case. I think we are aware of the massive Distributed Denial of Service (DDoS) attacks that have taken place and impacting availability of resources and services on the Internet over the last couple weeks. Malware infected IoT devices are being used to cause these DDoS.  The malware, also know as Mirai, leveraged default passwords in IoT devices to infect these devices and mark them as part of a large Bot-Net which was then used to conduct DDoS attacks. As we begin to use IoT-based technology more, we need to be diligent about how default settings, such as passwords, are maintained. As shown by these DDoS attacks, if we do not properly reconfigure the passwords on our devices when they are deployed, then they could potentially be used to cause mayhem on the internet, impacting us all.

To go beyond the simple network service password issues we have other default settings that are typically overlooked. The two that come to mind are Wi-Fi SSID and WPA/WPA2 Pre shared keys. Since a large number of the IoT based technologies also utilize Wi-Fi services, we need to take a closer look at these solutions during deployment.

First, lets talk about the Service Set Identifier SSID. SSID is the human readable name that gets assigned to the wireless network. You may be thinking, "what's wrong with the SSID name? It can't be used to attack me." Maybe not directly, but it does often reveal the product details that have been deployed and that information can then be used by a malicious actor to plan out how he or she can attack you. I always encourage users to rename the SSID to something completely different and unrelated to yourself or your location. This may not stop a knowledgeable attacker but at least it doesn't make their job easier.

Next are Wi-Fi passwords, typically referenced as Pre-Shared Keys (PSK). Though the default setting of the PSK may appear to be complex (Figure 1), it is not and in many cases is easily cracked in a short period of time. For example, if a malicious actor is successful in identifying the product that is in use, they can then identify the standard default PSK length and pattern being used. This information can then be leveraged further to decrease the length of time needed to crack the PSK. So the solution is to never trust the defaults, but rather change the defaults when you deploy the technology.

Figure 1:  Default WPA2 PSK

So when it comes to proper use of passwords, whether network or Wi-Fi, I would recommend a long password that is at least 32 characters, contains alpha numeric, upper and lower case, and a special character. I know such passwords can be difficult or impossible to remember, I feel your pain. So another option is passphrases. Passphrases can be difficult to guess and crack, but often are easy for the owner to remember because it has meaning to them. For example the phrase “My favorite vacation was in Peru” is 32 characters including spaces, making it hard to guess. It has meaning to me, the owner, so I can more easily remember it. If you want to make this password even better, you could easily change some characters to numbers or special characters and modify the case on other characters. *For example “my faVorit3 vaCation wa$ in Peru.” It's the same phrase just made more secure with a few simple alterations. With these minor alterations, it makes the passphrase more complex and it is unlikely anyone will ever guess or easily crack your password.

*Editor's Note: This is not Deral's password, and it shouldn't be yours either. It's already been used on the internet!