

Weekly IoT Worries: Weak & Easily Guessable Passwords
This weakness is simply defined as the use of easily brute-forced, publicly available, or unchangeable credentials. This includes backdoors in firmware and client software that grant unauthorized access to in-production systems.
Connected Devices and Internet of Things (IoT) endpoints are particularly flawed when it comes to using weak or guessable passwords. This is primarily due to how these devices are designed to simply work when plugged in.
On top of that, many connected devices have limited processing resources, so hardcoding things like passwords can reduce the need to have writable memory, therefore saving manufacturers money while putting their customers at increased risk.
These weak passwords allow malicious actors to gain unauthorized access and provide them with the perfect platform to launch a plethora of other attacks, such as ransomware, botnets, and other malware or persistent attacks.
The issue of password management on connected devices is further compounded by the general lack of a central ecosystem to maintain and change passwords. Add to the equation that many organizations’ connected devices are maintained by non-IT and non-security employees, typically facilities management. To better control the password problems IoT presents on the corporate network, these groups need to work together to test and secure devices before deploying them.