I became interested in default passwords at a young age, when BIOS passwords were a popular way of protecting your computer. The BIOS is a small piece of software that controls all of your computer's components and is the first thing that runs when the computer starts up.
You could reset it by removing the BIOS battery from the motherboard for a couple of minutes, but if you had a malevolent sibling and a computer under warranty, which opening the case would void, knowing the default passwords was definitely a plus. These passwords are provided by the BIOS vendor.
These passwords are generic, and they are specific to each manufacturer. In other words, every manufacturer maintains a set of master passwords that work irrespective of whatever password the user has set. They are not very hard to come by and can easily be accessed from the manufacturer's website.
Once those default passwords became public knowledge, the practice of securing your BIOS died away. But the problem persisted. Default passwords are the bane of modern Internet-connected devices. To connect to a device and set it up, you need access to it before the user has set any password, hence the need for a default password.
Fast forward a couple of decades and the issue with default passwords is bigger than ever. According to the 2021 report 'Rise of the Machines 2021: State of Connected Devices - IT, IoT, IoMT and OT' from Ordr, 46 percent of connected devices are vulnerable to attack, which is a huge portion of the Internet.
These devices include medical and manufacturing devices that are critical to business operations, along with network devices; IP phones; networked printers; video surveillance cameras and facility devices (such as badge readers) that are not designed with security in mind, cannot be patched, and cannot support endpoint security agents.
…
Ordr also discovered that popular consumer ‘devices’ are often connected to the enterprise network, including Peloton exercise bikes, which grew rapidly in popularity over the year and have been deployed in enterprise gyms, hospitality verticals, and healthcare organizations. Many of these exercise devices are deployed without security monitoring or segmentation, despite recent proven leaky API issues.
It is also important to note that once deployed, IoT devices rarely get replaced or have their firmware updated, so a device from a decade ago could still be connected to your network, making a huge hole in your network security.
Unknown to most people, almost anything that is connected to the Internet has some way of being accessed. More active devices, such as Internet routers, Wi-Fi cameras, or any device that can be remotely configured, run some form of stripped-down Linux meant for embedded systems or some kind of real-time operating system. If the default password is left on the device, that device can become a node in a botnet. And the default password for any device can be found online on sites like defaultpassword, datarecovery, and many more.
Almost a decade ago, in 2012, an intrepid user undertook an interesting experiment. The document summarising the experiment is well written and well worth a read.
A botnet was created from more than 420,000 Internet-connected devices and was used to perform one of the most comprehensive surveys ever of the entire Internet. It was done illegally, but with a white hat on.
This could be the last such survey, since soon afterwards most of the Internet infrastructure transitioned to IPv6, which uses 128-bit addresses and theoretically allows 3.4×10^38 addresses, compared to IPv4, whose 32-bit address space provides 4,294,967,296 unique Internet addresses.
The 420,000 devices that made up the botnet are actually only about 25 percent of all the unprotected devices found. The bot propagated only to machines with enough power (CPU or memory) to run its 60 kB executable payload, which is less than a blank Word document. A total of 1.2 million unique unprotected devices were discovered. Please note that this was in 2012, before the Internet of Things explosion; the real number today could be significantly larger. The devices ranged from IPsec routers, Border Gateway Protocol routers and x86 equipment with crypto accelerator cards to industrial control systems and physical door security systems, and most notably various flavours of consumer routers, which made up the majority of the unprotected devices.
The botnet was created using an IP port scanner that tries to open ports on individual addresses, specifically port 23, the port for remote access using telnet, a DOS-like command-shell interface. If that port is found open on the targeted address, the bot tries to connect using a telnet scanner that tries a few different login combinations, e.g. root:root, admin:admin, and both without passwords.
Ports are used to attach multiple services to a single Internet address. For example, if you connect to port 80 on a remote machine you have just connected to a web server; port 21 is for the File Transfer Protocol; port 25 is used to send emails (SMTP); port 123 on time.microsoft.com is connected to each time your computer wants to check whether its clock is set correctly; and so on.
Even with this basic and minimal attempt at logging in with just a few password combinations, the botnet grew almost beyond control, but a "be nice" attitude was maintained throughout the experiment: a readme.txt with a contact email address was placed on each accessed device, and a simple reboot of the compromised device would delete the bot.
Such a botnet could easily have been misused for DDoS attacks and other nefarious things. So hats off to Carna for maintaining good ethics.
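The defender's counterpart to the scan described above is to know, before anyone else does, which of your own devices still answer on telnet with factory credentials. The following is an added example, not code from the article or from the Carna write-up: it audits a device inventory such as a fleet-management system already holds (no network probing) for the three conditions the article describes: an exposed telnet service, the default credential pairs the bot tried, and firmware too old to ever be patched. The inventory format, field names, the five-year threshold and the sample devices are all constructed for this example.

```python
"""Fleet audit for default-credential exposure (added example; the inventory
schema, thresholds and sample data are assumptions, not the article's)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# The credential pairs the article says the Carna scanner tried (user, password).
DEFAULT_CREDENTIALS = {("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")}
TELNET_PORT = 23
MAX_FIRMWARE_AGE_DAYS = 5 * 365  # assumed policy threshold


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    open_ports: Set[int]
    admin_user: str
    admin_password: str
    firmware_date: date


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    issue: str


def audit_device(dev: Device, today: date) -> List[Finding]:
    """Apply the three checks to one device; an empty list means it passed."""
    findings: List[Finding] = []
    if TELNET_PORT in dev.open_ports:
        findings.append(Finding(dev.name, "high",
                                "telnet (port 23) exposed: plaintext remote shell"))
    if (dev.admin_user, dev.admin_password) in DEFAULT_CREDENTIALS:
        findings.append(Finding(dev.name, "critical",
                                f"credentials match a known default pair (user {dev.admin_user!r})"))
    elif dev.admin_password == "":
        findings.append(Finding(dev.name, "critical", "administrative account has no password"))
    age_days = (today - dev.firmware_date).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(Finding(dev.name, "medium",
                                f"firmware dated {dev.firmware_date} ({age_days // 365} years old), unlikely to be patched"))
    return findings


def audit_fleet(devices: List[Device], today: date) -> List[Finding]:
    """Run the audit over the whole inventory, preserving inventory order."""
    return [f for dev in devices for f in audit_device(dev, today)]


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summary suitable for a dashboard or a ticket title."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (RFC 1918 placeholder addresses, made-up names).
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "192.168.10.21", {23, 80}, "admin", "admin", date(2012, 6, 1)),
    Device("printer-3f", "192.168.10.40", {80, 9100}, "admin", "Q7v!mRt2pLz9", date(2021, 3, 10)),
    Device("router-edge", "192.168.10.1", {22, 443}, "root", "", date(2020, 11, 5)),
]
AUDIT_DATE = date(2022, 1, 1)

if __name__ == "__main__":
    results = audit_fleet(SAMPLE_INVENTORY, AUDIT_DATE)
    for f in results:
        print(f"[{f.severity:8}] {f.device}: {f.issue}")
    print(count_by_severity(results))
```

Run as a script it prints one line per finding for the constructed inventory: the lobby camera trips all three checks, the edge router has a blank root password, and the recently updated printer passes. In practice the inventory would come from a CMDB export or a scanner's output, and the credential check would compare against the set of vendor defaults relevant to your fleet rather than the four pairs listed here.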
So, how do we get rid of default passwords? We can't, not without losing convenience, whether for servicing and upgrades or for ease of deployment and manufacturing. There is always a need for an initial setup, be it at the factory or in the user's home. Cheaper solutions do it in the home, which is why default passwords are so prevalent; more expensive solutions do it at the factory or at the parts integrator.
The trend in IoT is to have devices connected to the cloud so they can be monitored and controlled. This brings a host of issues.
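The initial setup the article says every device needs does not have to mean a shared default password. The model below is an added example, not the article's code nor any vendor's firmware: the unit ships in a setup-required state with remote administration switched off, the first login is only possible locally with a per-unit code (assumed here to be generated at the factory and printed on the label), and the device refuses to leave setup mode until the owner has chosen a credential that is not one of the known default pairs. Class and function names and the setup-code scheme are assumptions for this example.

```python
"""First-boot provisioning model for a network device (added example; the
setup-code scheme and all names are assumptions, not a real product's)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# The credential pairs the article lists as the ones the Carna bot tried.
KNOWN_DEFAULTS = {("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")}
MIN_PASSWORD_LEN = 12
SETUP_CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I, easier to type from a label


def generate_setup_code(length: int = 10) -> str:
    """Per-unit code from the OS CSPRNG; every unit leaving the factory gets a different one."""
    return "".join(secrets.choice(SETUP_CODE_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device stores only (salt, digest), never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class SetupError(ValueError):
    """Raised when a setup attempt is refused; the message says why."""


class Device:
    def __init__(self, setup_code: Optional[str] = None):
        self.setup_code = setup_code or generate_setup_code()
        self.setup_required = True          # state the unit ships in
        self.remote_admin_enabled = False   # telnet/SSH/web admin stay off until setup completes
        self.admin_user: Optional[str] = None
        self.credential: Optional[Tuple[bytes, bytes]] = None

    def complete_setup(self, presented_code: str, user: str, password: str) -> None:
        """Local (console/USB) setup: prove possession of the unit's code, then set a non-default credential."""
        if not self.setup_required:
            raise SetupError("setup already completed")
        if not hmac.compare_digest(presented_code.encode(), self.setup_code.encode()):
            raise SetupError("setup code does not match this unit")
        if (user, password) in KNOWN_DEFAULTS or password == "":
            raise SetupError("refusing a known default credential")
        if len(password) < MIN_PASSWORD_LEN:
            raise SetupError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        self.admin_user = user
        self.credential = hash_password(password)
        self.setup_required = False
        self.remote_admin_enabled = True    # only now does the device answer remote logins

    def remote_login(self, user: str, password: str) -> bool:
        """What a network login attempt sees: nothing at all until setup is done."""
        if not self.remote_admin_enabled or self.credential is None:
            return False
        salt, digest = self.credential
        _, candidate = hash_password(password, salt)
        return user == self.admin_user and hmac.compare_digest(candidate, digest)


def setup_outcome(dev: Device, code: str, user: str, password: str) -> str:
    """Returns 'ok' or the refusal reason; convenient for provisioning scripts."""
    try:
        dev.complete_setup(code, user, password)
        return "ok"
    except SetupError as exc:
        return str(exc)


if __name__ == "__main__":
    unit = Device()
    print("label code:", unit.setup_code)
    print(setup_outcome(unit, unit.setup_code, "admin", "admin"))        # refused
    print(setup_outcome(unit, unit.setup_code, "owner", "correct horse battery"))
    print("remote login works:", unit.remote_login("owner", "correct horse battery"))
```

The point of the model is the ordering: a scanner that reaches the device before its owner does finds no service to log in to, and the only credential that exists at that moment is unique to the unit and physically on it. It costs the manufacturer one random string per unit and a label, which is the "at the factory" setup the article describes, without the per-unit hand configuration.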
One solution is to take a step back and use hardware wallets: a USB-style device that holds all your personal passwords. That makes much more sense than writing them down. Something like the OnlyKey hardware password manager. I don't have one, so this is not a review, but the idea grows on me day by day as the only solution to our oh-so-human limitation of forgetting passwords or using one for everything, which is the worst thing you or anyone can do in our digital world.
Note that no matter how complex, or how many, authentication systems you have in place, you are dealing with other human beings.
Priced at $55 they are not cheap, but then again neither is a good wallet. So we need to popularise the use of wallets, but this time for our digital assets; otherwise any talk about privacy is moot. Combine that with easy access to computation using AWS or Google Cloud services, or one's own botnet, and a rainbow table can be computed for almost any password of 10* or fewer characters.
So, bearing in mind that in the last 5 years some of this happened:
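A precomputed table is worth building only because an unsalted hash of a given password is the same everywhere, so one table serves every account on every site. The following added example (not code from the article) shows the two halves of that argument: the size of the keyspace the "10 or fewer characters" claim refers to, and how a per-user random salt plus a slow key-derivation function removes the property the table depends on. The alphabet size, the salt length and the sample password are constructed for the example.

```python
"""Keyspace arithmetic and salted-versus-unsalted hashing (added example)."""
import hashlib
import hmac
import secrets
from typing import Tuple

PRINTABLE = 95          # printable ASCII characters, the usual alphabet for such tables
SALT_BYTES = 16         # per-user salt length used below
KDF_ITERATIONS = 200_000


def keyspace(max_len: int, alphabet: int = PRINTABLE) -> int:
    """Number of distinct passwords of length 1..max_len over the alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def table_rows_needed(max_len: int, salt_bits: int, alphabet: int = PRINTABLE) -> int:
    """A table that must cover every (salt, password) pair grows by a factor of 2**salt_bits."""
    return keyspace(max_len, alphabet) * (2 ** salt_bits)


def unsalted_hash(password: str) -> str:
    """The pattern a rainbow table attacks: one fast hash with no per-user input."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def store(password: str) -> Tuple[bytes, bytes]:
    """What a well-behaved service keeps for a user: a fresh salt and the derived digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, salted_hash(password, salt)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def demo(shared_password: str = "Summer2021!") -> dict:
    """Two users who (badly) chose the same password; constructed sample value."""
    alice, bob = store(shared_password), store(shared_password)
    return {
        "unsalted_identical": unsalted_hash(shared_password) == unsalted_hash(shared_password),
        "salted_identical": alice[1] == bob[1],       # False: the table entry for alice says nothing about bob
        "keyspace_10_chars": keyspace(10),
        "rows_with_128bit_salt": table_rows_needed(10, SALT_BYTES * 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:e}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

The keyspace figure is what cloud compute or a botnet is thrown at once; the salted figure is what it would take to precompute instead of attacking each account separately, which is the whole point of the salt. Note that salting does nothing for a password that is itself a default or appears in one of the breach dumps listed below; it only stops the work done on one account from being reused against another.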
Yahoo data breach (2017) - Impact: 3 billion accounts
First American Financial Corp. data breach (2019) - Impact: 885 million users
LinkedIn data breach (2021) - Impact: 700 million users
Facebook data breach (2019) - Impact: 533 million users
Starwood (Marriott) data breach (2018) - Impact: 500 million guests
Canva data breach (2019) - Impact: 137 million users
The chance that your password, that one special password, is not out there is close to zero.
With regard to IoT devices, I would imagine an additional function of OnlyKey could be to automate the generation of keys for attached USB devices over a COM port. This would enable home consumers to use their hardware wallets to initialise devices, most probably using USB On-The-Go (USB OTG, or just OTG), where the IoT device acts as the host.
Additional safety comes from keeping it in read-only mode: no new data, and no new configuration data, can be written.