These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

Always change your device’s default password.

The release of the Mirai source code demonstrates just how easy it has become to hijack poorly protected Internet of Things devices into botnets.

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

What can you, on an individual basis, do about this at home or in the office to make sure you're not contributing to the problem?

Well, you can make sure that your IoT devices aren't "protected" by dumb default usernames and passwords, such as the following which are hardcoded into Mirai's source code:

Username        Password
666666          666666
888888          888888
admin           (none)
admin           1111
admin           1111111
admin           1234
admin           12345
admin           123456
admin           54321
admin           7ujMko0admin
admin           admin
admin           admin1234
admin           meinsm
admin           pass
admin           password
admin           smcadmin
admin1          password
administrator   1234
Administrator   admin
guest           12345
guest           guest
mother          fucker
root            (none)
root            00000000
root            1111
root            1234
root            12345
root            123456
root            54321
root            666666
root            7ujMko0admin
root            7ujMko0vizxv
root            888888
root            admin
root            anko
root            default
root            dreambox
root            hi3518
root            ikwb
root            juantech
root            jvbzd
root            klv123
root            klv1234
root            pass
root            password
root            realtek
root            root
root            system
root            user
root            vizxv
root            xc3511
root            xmhdipc
root            zlxx.
root            Zte521
service         service
supervisor      supervisor
support         support
tech            tech
ubnt            ubnt
user            user

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

Be a responsible member of the community: change your passwords to something which is non-obvious, hard to crack, unique and not the password the device shipped with. And don't buy technology from firms who don't appear to have given a second's thought to security.

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.
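The practical question the article leaves open is how to tell whether a device on your own network is exposed in the way described above. The following is an added example, not code from the article: it assumes a home or office router that logs inbound WAN connections in a hypothetical netfilter-style key=value format (the sample lines are constructed), and it reports LAN devices that accepted telnet from the internet, plus outside sources that probed telnet across several LAN hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical router log format (constructed for this example): one inbound
# connection per line, netfilter-like key=value fields with the verdict last.
LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+) (?P<verdict>ACCEPT|DROP)$"
)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TELNET_PORTS = {23}  # plain telnet, the service the vulnerable firmware leaves on

# Constructed sample: one source sweeps telnet across three LAN hosts, one LAN
# admin uses telnet locally, one HTTPS connection is unrelated.
SAMPLE_LOG = """\
Oct 11 12:13:01 router kernel: IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP DPT=23 ACCEPT
Oct 11 12:13:02 router kernel: IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.21 PROTO=TCP DPT=23 ACCEPT
Oct 11 12:13:02 router kernel: IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.22 PROTO=TCP DPT=23 DROP
Oct 11 12:13:05 router kernel: IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP DPT=443 ACCEPT
Oct 11 12:13:40 router kernel: IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP DPT=23 ACCEPT
Oct 11 12:14:10 router kernel: IN=eth0 OUT=br0 SRC=203.0.113.77 DST=192.168.1.20 PROTO=TCP DPT=23 ACCEPT
"""


def is_lan(addr: str) -> bool:
    """True for RFC 1918 addresses, i.e. hosts on our own network."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def audit(log_text: str, min_hosts: int = 2):
    """Find LAN devices reachable on telnet from outside, and outside sources that
    probed telnet on at least min_hosts LAN devices (the trace a scanner leaves)."""
    exposed, probes = set(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or int(rec["dport"]) not in TELNET_PORTS:
            continue
        if is_lan(rec["src"]) or not is_lan(rec["dst"]):
            continue  # only internet-to-LAN traffic matters for exposure
        probes[rec["src"]].add(rec["dst"])
        if rec["verdict"] == "ACCEPT":
            exposed.add(rec["dst"])  # the router let telnet through to this device
    sweeps = {src: dsts for src, dsts in probes.items() if len(dsts) >= min_hosts}
    return {"exposed": exposed, "sweeps": sweeps}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host in sorted(report["exposed"]):
        print(f"telnet reachable from the internet: {host} (disable it or replace the device)")
    for src, hosts in report["sweeps"].items():
        print(f"{src} probed telnet on {len(hosts)} LAN hosts: {sorted(hosts)}")
```

A device that shows up as exposed and whose telnet credentials cannot be changed is exactly the case the article describes; the only remedies are blocking the port at the router or removing the device.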


4 Responses

  1. Chris Rose

    October 11, 2016 at 12:13 pm

    Hi Graham, I accept that advising people to change the password on IoT devices is something we should do (and I do this after being in this I.T. business for 40 years). But in the case of 99% of these devices the Telnet / SSH passwords can't be changed due to being hard coded into the firmware. So even if the users change the password on the Web interface the device is still vulnerable. An additional problem is that these low cost devices and a fair percentage of the upcoming 2 billion devices Gartner predict will be on the IoT by 2020 are likely to be connected to the IoT for a minimum of five years.

    As I see it there are only two possible solutions to the existing 500,000 devices out there that have this problem.

    1) Get users to stop using them and replace them (and how likely is that to happen?)

    2) Get ISPs to shut down a user's connection if the user has one of these devices participating in a DDOS attack, and the ISP to not reconnect the user until the device is secured or removed. (And I can't see this solution being implemented either – can you?)

    These devices are already out there and 99.999% of the users who have them on their LANs have no idea what the bad guys are doing with their IoT devices.

    Pandora's box is already open!!

    • codlab in reply to Chris Rose.

      November 25, 2016 at 4:10 pm

      3) stop using IoT devices with remote access :0)

  2. Jesse

    October 12, 2016 at 12:31 am

    Thanks for posting. How would someone know if their devices are affected? What's the best way to check? Thanks

  3. coyote

    October 13, 2016 at 2:04 am

    'Not changing a default username and password on an internet-enabled device is as good as having no password at all.'

    In some ways? Yes. In other ways? It's worse because many would think it 'secure'. After all, people use such stupid passwords by choice. No comment on those in particular.

    As for TELNET? Absolutely unacceptable. No option of disabling it? Also unacceptable. Making it harder but still possible is also unacceptable as is making it impossible or hard to change the passwords. Is the SSH service using proper configuration? Would be surprised but in any case the only solution in this problem is not having everything connected to the Internet. I don't see that happening so the next best thing is as usual awareness. But there is no fix here.

    I don't buy into the idea of accusing China (for example) of breaking into computer networks; I especially don't like it when there is little proof and worse is when the accuser is actually a perpetrator (esp looking at the USA but I know they aren't the only ones; they are however with what is arguably the loudest mouth). But I do find it ironic and amusing; it could be a conspiracy theory: the company works for the state and therefore deliberately has these vulnerabilities in so they can more easily exploit the devices in the world….

    But even if it was probable, speculation and accusations aren't helpful but harmful.
