Trends in Technology

Weak Passwords Could Signal the End of the Internet of Things (IoT) Before it Begins

October 2, 2020 by Bobby J Davidson
Read similar articles in: IoT

Weak passwords can seriously compromise the security efforts of any organization by making any device susceptible to hacking. The Internet of Things (IoT) is being marketed as being the savior of the digital age but could weak passwords spell doom for it? The signs don’t look great because there is no denying that weak passwords place companies who are deploying IoT devices at greater risk of falling prey to a cyberattack. We’ve already seen the attacks targeting IoT devices, and they’re using weak passwords as a tool to launch their attacks and get inside.

In 2019, cybercriminals took advantage of poor password management to launch an attack on popular IoT devices in offices such as phones and printers. We’re in 2020 now, and there have already been IoT attacks targeting routers that resulted in a password data dump on hacker forums. Part of the vulnerable and hacked passwords were default passwords being used by manufacturers to give the appearance that IoT security had layers. The reality is that most of these passwords only create the illusion that there is safety for users, who think that because the device comes with a password attached to it; this is the only thing they need for security.

The real outcome in these scenarios is that there is a massive attack surface that is being governed by poorly defended endpoints, which is an invitation to cybercriminals to gain entry with ease. When we look at the overwhelming evidence, we can only come to one conclusion; without proper password management, IoT security will become unsustainable in the long-term.

Weak Passwords Originate in the Development Phase

The Internet of Things (IoT) is the hottest commodity in the 21st century, and at the Consumer Electronics Show (CES) in January, there were IoT devices everywhere, and in every conceivable form. We have reached a point where every item out there that we can imagine has some form of smart technology built into it, meaning there is a massive rush to get these devices into the hands of consumers before someone else does that.

It’s a race between manufacturers who are only focused on getting their smart devices into the market as soon as possible. However, in this race to capitalize on the massive potential of IoT, there is woeful negligence when it comes to security. The real question is, “How far down the priority list is password security or any kind of security for these manufacturers?”

There are thousands of connected devices shipped with default passwords as the standard, which was exactly the case when 600,000 GPS trackers that were manufactured in China came with the default password ‘123456.’ This is not safe in any shape or form. The problem lies with the government, which simply doesn’t see IoT security as a high-priority issue at this moment.

That is precisely why the regulations around default passwords and the requirement for building security into IoT devices are minimal at the moment. This means that the responsibility of securing these devices lands on the shoulders of IT departments and the users, which shouldn’t be the case. We can see the results of it already because users and IT departments are struggling to keep up.

The work isn’t limited to just replacing the default passwords because it is about growing smarter about overall password management. To illustrate why that is important, you must consider the fact that over 60% of users choose to use the same password across multiple devices, access points, and websites.

In the current environment, hackers and cybercriminals can easily obtain passwords that were exposed previously in a breach and use that to gain access to other devices and systems. Experts are concerned that with poor password management and weak passwords, there are going to be more attacks directed towards smart devices, especially if IoT security matters aren’t seen as pressing concerns from the beginning and addressed across the entire development and sales ecosystem.

Everyone Should Assume Responsibility for IoT Security

The one thing everyone can agree on is that change isn’t going to come easily. IoT users are set in their ways when it comes to passwords, and the IT departments have to deal with more pressing matters than the need to monitor IoT passwords. That’s because they have to assume responsibility for hundreds of other devices throughout their organizations.

However, that hasn’t stopped IoT from becoming one of the biggest players in the overall threat landscape because the security levels of these devices are hardly worth mentioning. There is a flip side to this — any change that brings about an improvement in device security is going to cost a lot of money, whether it is on the development side, where the cost will be passed onto the consumers, or the user side.

In the end, the cost is always going to win because everyone wants cheaper products. However, there is still hope for securing IoT devices, and companies are turning towards solutions other than passwords for authentication. For instance, Amazon is currently testing connecting their payment kiosks in brick-and-mortar stores to biometric identification methods that would ask consumers to use the palms of their hands to verify their identity, which is going to be linked to their debit or credit card.

Manufacturers need to start taking security seriously in the development stage, and companies should start using advanced authentication options. Until that is done, it is going to be up to company security policies and the users to secure their IoT devices. That requires a simple step, which is to immediately change the default passwords and set passwords that are unique and strong.

If we continue using weak passwords on IoT devices, we are going to be placing the organization’s data and networks at risk unnecessarily.