While conducting research on the susceptibility of Internet of Things (IoT) devices to hacking, researchers at Ben-Gurion University found many device manufacturers and owners made a hacker’s job quite easy.
Off-the-shelf IoT devices often have their default passwords posted online, usually by the device manufacturer to aid in quick device setup.
It was easy work to get these passwords: The Ben-Gurion research team were often able to find default passwords in under 30 minutes with a simple Google search.
The problem is that if a default password is online for a device owner to use, an attacker can and will easily find it too. Luckily for attackers, many IoT device owners never change the default passwords for their device once they have it set up, and often the device manufacturer doesn’t encourage the device owner to do so.
Even worse, in some cases the default password can’t be changed. Unfortunately, a default password gives unwitting device owners the illusion of security, because the device has a password, but leaving a default password in place isn’t much of an improvement over having no password at all.