These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

[allheart55 Cindy E]

 

 

The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.

 

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

 

What can you on an individual basis do about this at home or in the office to make sure you're not contributing to the problem?

 

Well, you can make sure that your IoT devices aren't "protected" by dumb default usernames and passwords, such as the following which are hardcoded into Mirai's source code:

 

Username Password

666666 - 666666

888888 - 888888

admin - (none)

admin - 1111

admin - 1111111

admin - 1234

admin - 12345

admin - 123456

admin - 54321

admin - 7ujMko0admin

admin - admin

admin - admin1234

admin - meinsm

admin- pass

admin - password

admin - smcadmin

admin1 - password

administrator - 1234

Administrator - admin

guest - 12345

guest - guest

mother - fucker

root - (none)

root - 00000000

root - 1111

root - 1234

root - 12345

root - 123456

root - 54321

root - 666666

root - 7ujMko0admin

root - 7ujMko0vizxv

root - 888888

root - admin

root - anko

root - default

root - dreambox

root - hi3518

root - ikwb

root - juantech

root jvbzd

root - klv123

root - klv1234

root - pass

root - password

root - realtek

root - root

root - system

root - user

root - vizxv

root - xc3511

root - xmhdipc

root - zlxx.

root - Zte521

service - service

supervisor - supervisor

support - support

tech - tech

ubnt - ubnt

user - user

 

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

 

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

 

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

 

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

 

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

 

Be a responsible member of the community, change your passwords to something which is non-obvious, hard to crack, unique and not the password the device shipped with. And don't buy technology from firms who don't appear to have given a second's thought to security.

 

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

 

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.

 

Source: Graham Cluley