These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

Always change your device’s default password.

The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

What can you, on an individual basis, do about this at home or in the office to make sure you're not contributing to the problem?

Well, you can make sure that your IoT devices aren't "protected" by dumb default usernames and passwords, such as the following which are hardcoded into Mirai's source code:

Username Password
666666 666666
888888 888888
admin (none)
admin 1111
admin 1111111
admin 1234
admin 12345
admin 123456
admin 54321
admin 7ujMko0admin
admin admin
admin admin1234
admin meinsm
admin pass
admin password
admin smcadmin
admin1 password
administrator 1234
Administrator admin
guest 12345
guest guest
mother fucker
root (none)
root 00000000
root 1111
root 1234
root 12345
root 123456
root 54321
root 666666
root 7ujMko0admin
root 7ujMko0vizxv
root 888888
root admin
root anko
root default
root dreambox
root hi3518
root ikwb
root juantech
root jvbzd
root klv123
root klv1234
root pass
root password
root realtek
root root
root system
root user
root vizxv
root xc3511
root xmhdipc
root zlxx.
root Zte521
service service
supervisor supervisor
support support
tech tech
ubnt ubnt
user user

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.
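The credential table above is also a ready-made detection list. As an added example (not code from the article or from any device vendor), the following Python parses the table in exactly the printed "Username Password" form, with "(none)" as an empty password, and flags sources in a telnet authentication log that either cycle through those pairs or log in with one of them, which means the device still has a default credential. The log line format and the addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of the article's "Username Password" table, kept in the same layout
# so the full 60-pair list can be pasted in verbatim; "(none)" = empty password.
MIRAI_TABLE = """\
admin (none)
admin admin
root (none)
root xc3511
root vizxv
root 7ujMko0admin
support support
ubnt ubnt
"""

def parse_credential_table(text):
    """Turn the two-column table text into a set of (user, password) pairs."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() == "username":
            continue
        user, pw = parts
        pairs.add((user, "" if pw == "(none)" else pw))
    return pairs

# Constructed (hypothetical) telnetd log: "... login from <ip> user=<u> pass=<p> result=OK|FAIL"
LOG_RE = re.compile(
    r"login from (?P<ip>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)")

SAMPLE_LOG = [  # constructed sample using RFC 5737 documentation addresses
    "2016-10-11T12:13:00 telnetd: login from 198.51.100.7 user=root pass=xc3511 result=FAIL",
    "2016-10-11T12:13:01 telnetd: login from 198.51.100.7 user=root pass=vizxv result=FAIL",
    "2016-10-11T12:13:02 telnetd: login from 198.51.100.7 user=admin pass=admin result=OK",
    "2016-10-11T12:14:00 telnetd: login from 192.0.2.9 user=alice pass=n0t-a-default result=OK",
    "2016-10-11T12:15:00 telnetd: login from 203.0.113.4 user=root pass= result=OK",
]

def find_default_credential_attempts(log_lines, pairs, threshold=3):
    """Return {ip: (attempts_with_listed_pairs, any_success)} for sources that
    tried at least `threshold` listed pairs (scanner behaviour) or got in with one."""
    hits = defaultdict(lambda: [0, False])
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (m["user"], m["pw"]) in pairs:
            hits[m["ip"]][0] += 1
            if m["res"] == "OK":
                hits[m["ip"]][1] = True
    return {ip: (n, ok) for ip, (n, ok) in hits.items() if n >= threshold or ok}
```

A successful match from the list is the actionable finding: that device still accepts a credential Mirai knows, regardless of what was changed in the web interface.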

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

Be a responsible member of the community: change your passwords to something which is non-obvious, hard to crack, unique and not the password the device shipped with. And don't buy technology from firms that don't appear to have given a second's thought to security.

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.


4 Responses

  1. Chris Rose

    October 11, 2016 at 12:13 pm #

    Hi Graham, I accept that advising people to change the password on IoT devices is something we should do (and I do this after being in this I.T. business for 40 years). But in the case of 99% of these devices the Telnet / SSH passwords can't be changed due to being hard-coded into the firmware. So even if the users change the password on the Web interface the device is still vulnerable. An additional problem is that these low-cost devices and a fair percentage of the upcoming 2 billion devices Gartner predict will be on the IoT by 2020 are likely to be connected to the IoT for a minimum of five years.

    As I see it there are only two possible solutions to the existing 500,000 devices out there that have this problem.

    1) Get users to stop using them and replace them (and how likely is that to happen?)

    2) Get ISPs to shut down a user's connection if the user has one of these devices participating in a DDoS attack. And the ISP to not reconnect the user until the device is secured or removed. (And I can't see this solution being implemented either – can you?)

    These devices are already out there and 99.999% of the users who have them on their LANs have no idea what the bad guys are doing with their IoT devices.

    Pandora's box is already open!!

    • codlab in reply to Chris Rose.

      November 25, 2016 at 4:10 pm #

      3) stop using IoT devices with remote access :0)

  2. Jesse

    October 12, 2016 at 12:31 am #

    Thanks for posting. How would someone know if their devices are affected? What's the best way to check? Thanks

  3. coyote

    October 13, 2016 at 2:04 am #

    'Not changing a default username and password on an internet-enabled device is as good as having no password at all.'

    In some ways? Yes. In other ways? It's worse because many would think it 'secure'. After all, people use such stupid passwords by choice. No comment on those in particular.

    As for TELNET? Absolutely unacceptable. No option of disabling it? Also unacceptable. Making it harder but still possible is also unacceptable as is making it impossible or hard to change the passwords. Is the SSH service using proper configuration? Would be surprised but in any case the only solution in this problem is not having everything connected to the Internet. I don't see that happening so the next best thing is as usual awareness. But there is no fix here.

    I don't buy into the idea of accusing China (for example) of breaking into computer networks; I especially don't like it when there is little proof and worse is when the accuser is actually a perpetrator (esp. looking at the USA but I know they aren't the only ones; they are however with what is arguably the loudest mouth). But I do find it ironic and amusing; it could be a conspiracy theory: the company works for the state and therefore deliberately has these vulnerabilities in so they can more easily exploit the devices in the world…

    But even if it was probable, speculation and accusations aren't helpful but harmful.
