Earlier this year, the usernames and passwords for more than 8,000 internet of things devices were posted online so hackers could easily access them. The security breach was a perfect illustration of the IoT’s security problems: Of the 8,000+ username and password combinations, only 142 were unique. Even more stunning, about half of all usernames and passwords used the same obvious combination: admin/admin.
Internet-enabled devices like routers, security cameras, and even smart fridges have become one of the primary modes of denial-of-service attacks, in which groups of malware-infected computers overwhelm a target server, bombarding it with more requests than it can handle. Lists like this one helped hackers find enough devices to create such an attack. According to Ars Technica, the list (which has since been taken down) contained about 33,000 combinations on it, corresponding to about 8,200 individual IP addresses (it included redundancies as well as multiple username-password combinations for some devices). Ars says that some combos indicate the device had already been hacked (apparently the combo “mother/fucker” is a tell-tale sign), sometimes even several times.
Schwab’s visualization drives home the severity of the problem. Most of the top 10 most-used passwords on the list were simply the factory settings–people hadn’t bothered to change the names and passwords on their devices, straight out of the box.. Hackers have likely already enlisted those devices into botnet armies. Of the 8,200 IP addresses, about 1,700 could be accessed using the listed username and password.
So please: Before you plug in that new smart light, change the username and password to something a bit more complicated than admin/admin.