Weak passwords can hurt any organization’s security efforts and make any device easily hackable, but could they also be the greatest point of failure for internet of things (IoT) security? Weak passwords certainly put companies deploying IoT devices at greater risk of falling victim to a cyberattack.

We have already begun to see attacks targeting IoT devices, and they are using weak passwords as their way in. In 2019, threat actors took advantage of poor password management to go after popular office IoT devices like printers and phones. Already in 2020, we’ve seen an IoT attack target routers and result in a password data dump on a hacker forum.

Included among the vulnerable (and hacked) passwords are default passwords used by manufacturers that give the appearance of IoT security layers. In reality, all these passwords do is create an illusion of safety for users who assume that because there is a password attached to the device when it comes out of the box, that is all that is needed. The actual outcome in these situations is a larger attack surface of poorly defended endpoints for malicious actors to penetrate with ease.

Without better password management, IoT security could quickly become unsustainable.

Weak Passwords Begin During Development

The IoT is a hot commodity. At the Consumer Electronics Show (CES) in January, IoT devices were everywhere, in every conceivable form. We are close to reaching a point where every item we can imagine has smart technology built in, which means there is a rush to get those devices to consumers before someone else does.

“Manufacturers are focused on getting smart devices into the market as quickly as possible, but in this race to capitalize on the IoT’s potential, security is often woefully neglected,” explained Michael Greene, CEO of Enzoic, in an email conversation.

How far down the priority list is password security — or any kind of security — for these manufacturers?

“Numerous connected devices ship with default passwords as standard, as was the case with 600,000 GPS trackers manufactured in China that had a default password of ‘123456’,” said Greene. Government doesn’t see IoT security as a high-priority issue either, so regulations around default passwords — and the need to build security into IoT devices at all — are currently minimal. This means the responsibility of securing these devices lands on the shoulders of users and IT departments.

But users and IT departments aren’t keeping up. The work here isn’t limited to simply replacing default passwords, according to Greene. Rather, it must include growing smarter about overall password management. To illustrate why this is necessary, consider the fact that nearly 60 percent of users employ the same password across multiple devices, websites and other access points, according to a survey from LogMeIn.

“In this environment, a hacker can easily obtain a password that was previously exposed in a breach and use it to gain access to other systems and devices,” Greene added. Because of poor password management and weak passwords overall, he believes we’ll see more attacks directed at smart devices, especially if matters of IoT security aren’t viewed as pressing concerns from the start and addressed across the entire development and sales ecosystem.

IoT Security Is Everyone’s Responsibility

Change won’t come easily. Users are set in their ways regarding passwords, and IT departments often have more immediate issues than the need to monitor IoT passwords, especially if they are responsible for dozens or hundreds of devices across their organizations.

Yet the IoT is becoming a major player in the overall threat landscape, said Yaniv Balmas, head of cyber research at Check Point Software Technologies, during a conversation at CPX360 in New Orleans. The security level of these devices is already relatively low, but any change that improves device security costs money, either on the development side — in which case the cost is typically passed on to the consumer — or on the user side.

“Cost tends to win,” said Balmas, “and we want cheaper products.”

But all is not lost when it comes to securing IoT devices. Companies are turning to solutions beyond passwords for authentication. For example, Amazon is looking at connecting its payment kiosks in brick-and-mortar stores to biometric identification methods that would prompt the customer to use the palm of their hand to verify their identity, which would be linked to a credit or debit card. Another positive step is the IoT Security Rating Program instituted by UL, formerly Underwriters Laboratories. The UL Verified Mark will alert consumers to the security risks and standards associated with a wide array of IoT devices.

Manufacturers must take security more seriously in the development stage, and companies must leverage advanced authentication options as they become available. Until then, it will be up to users and company security policies to ensure IoT devices are secure. This will require a simple first step: immediately changing default passwords to something strong and unique. As long as we continue to use weak passwords on IoT devices, we will be putting our organizations’ networks and data at risk unnecessarily.
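The article's advice (replace default credentials, stop reusing passwords, and assume anything exposed in a breach is known to attackers) can be turned into a routine inventory check. The script below is an added example written for this page, not code from the article, Enzoic or Check Point. It audits a constructed list of devices for vendor defaults, short passwords, reuse across devices and presence in a breach set, and generates a strong unique replacement. The default-password list and the breach set are both constructed stand-ins; a real deployment would load the vendor's published defaults and a breach corpus (or query a hashed-prefix service) in their place.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a list of factory default credentials. The article
# cites '123456' as the default on 600,000 GPS trackers; the rest are assumed.
KNOWN_DEFAULT_PASSWORDS = {"123456", "admin", "password", "12345678"}

# Constructed stand-in for a breach corpus, kept as uppercase SHA-1 hex digests
# so the audit never needs cleartext breach data on the auditing host.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("123456", "qwerty123", "letmein")
}

MIN_LENGTH = 12  # assumed local policy minimum, not a value from the article


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the format breach-corpus lookups commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str) -> bool:
    """Prefix-then-suffix comparison in the style of k-anonymity range queries.

    Only the first five hex characters select candidates; the full suffix is
    matched locally, so a remote service would never see the complete hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def audit_inventory(devices: list[dict]) -> dict[str, list[str]]:
    """Return {device_name: [findings]} for a list of {'name', 'password'} dicts.

    Findings: 'default' (factory credential), 'breached' (in the breach set),
    'short' (below MIN_LENGTH) and 'reused:<first device>' (same password
    already seen on another device in this inventory). Reuse is detected by
    comparing digests, so cleartext is never kept beyond the loop iteration.
    """
    findings: dict[str, list[str]] = {}
    first_seen: dict[str, str] = {}  # digest -> first device using it
    for device in devices:
        name, password = device["name"], device["password"]
        issues = []
        if password in KNOWN_DEFAULT_PASSWORDS:
            issues.append("default")
        if is_breached(password):
            issues.append("breached")
        if len(password) < MIN_LENGTH:
            issues.append("short")
        digest = sha1_hex(password)
        if digest in first_seen:
            issues.append(f"reused:{first_seen[digest]}")
        else:
            first_seen[digest] = name
        findings[name] = issues
    return findings


def generate_unique_password(length: int = 20) -> str:
    """Random replacement credential from the OS CSPRNG, one per device."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample inventory: two devices still on the vendor default, one
# on a password that appears in the breach set, one that passes every check.
SAMPLE_INVENTORY = [
    {"name": "lobby-printer", "password": "123456"},
    {"name": "desk-phone-12", "password": "123456"},
    {"name": "edge-router", "password": "qwerty123"},
    {"name": "dock-camera", "password": "Xk9-long-unique-pw-2020"},
]

if __name__ == "__main__":
    for device, issues in audit_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(issues) if issues else "ok"
        print(f"{device}: {status}")
        if issues:
            print(f"  suggested replacement: {generate_unique_password()}")
```

Running the script against the sample inventory flags both default-credential devices, reports the phone as reusing the printer's password, and marks the router's password as breached; only the camera passes. The suggested replacements are printed so an operator can rotate them, and because each is drawn independently from `secrets`, no two devices end up sharing a credential.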
