Is Your Vacuum Cleaner Spying on You? The Vulnerabilities of Hard-coded Default Credentials in IoT Devices

By Chris Mitzlaff, Sr. Sales Engineer

Recently, I read an article about the security vulnerabilities of robot vacuum cleaners. Now, you may be asking yourself: “Who cares? It’s just a mindless vacuum cleaner!” However, many common autonomous devices such as robot vacuum cleaners have cameras installed (some even have night vision). In the case of vacuum cleaners, the camera is used to see where the device is going; the device also has sensors for obstacle avoidance, Wi-Fi for smartphone commands and, best of all, hackable “default hard-coded credentials.” The story of IoT devices and default credentials is becoming a tired one. So many internet-connected devices now ship with potentially vulnerable hard-coded default credentials that it makes one cringe.

In fact, one needs to look no further than the recent VPNFilter and Mirai botnet attacks to see how vulnerable hard-coded credentials really are. Mirai used the default credentials of many IoT devices to attack websites via DDoS, crippling websites on the East Coast with a flood of requests (almost 500GBps) and overwhelming DNS servers, using devices such as Internet cameras, routers, refrigerators and, yes, even things like your robot vacuum cleaner. VPNFilter was designed to attack routers with generic credentials, infect them and even go so far as installing packet sniffers and proxies to read everything that traverses a home network.

The endless flexibility and intelligence that the Internet of Things has given to our society has been of great convenience to many. However, at what point is convenience really worth the invasiveness or other hazards of using hackable technology? Obviously, internet-permeated technologies aren’t going anywhere and are becoming more unavoidable (unless you live in a bubble). As a person who works in the cyber security industry selling to enterprises, I recommend that organizations implement safeguards such as adding a network monitoring tool like PacketSled so they can observe all their communications. But what can an individual do to help protect themselves? Here are a few suggestions:

  1. First and foremost, change your passwords regularly. Yeah, this seems obvious, but the majority of people in the world use one or two passwords for everything for the sake of convenience. Vendors are starting to make headway by helping consumers generate unique passwords for new devices, requiring stronger passwords and removing hard-coded backdoors. But as long as the average user still relies on simplistic passwords like “Joespassword1234,” there’s still an issue.
  2. Use a password manager. Seriously, use one.
  3. If something doesn’t need to connect to the internet, don’t connect it. Does your fridge, washer, dryer, crockpot, pressure cooker, TV, etc. really need to be connected to the internet? Likely, you connected it to see what it could do and then forgot about it.
  4. Don’t bring your IoT devices into the corporate network. This can create all kinds of problems for your network and security teams and could end up costing you your job.

Corporations should spend the time and money to train personnel on the basics of security and encourage ongoing education in this ever-changing landscape. Use tools that give you visibility into rogue devices, and check them regularly. The best days for security personnel are the ones where they don’t find anything! Remember, convenience isn’t secure, and being secure is rarely convenient.
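The “check them regularly” advice above, as an added example that is not part of the original post or any PacketSled product: a small Python audit over a constructed device inventory that flags devices missing from the organization’s MAC allowlist and devices answering on telnet (the service Mirai’s default-credential attacks abused). The inventory, the allowlist and the port list are all assumptions; in practice you would feed in your own DHCP-lease, ARP or port-sweep data.

```python
"""Rogue-device and default-credential-exposure audit (added example).

Assumptions (all hypothetical, for illustration only):
  - OBSERVED is what a DHCP-lease/ARP export plus a port sweep of your own
    segment would produce; these entries are constructed, not real hosts.
  - APPROVED_MACS is the organisation's device allowlist.
  - Telnet on 23/2323 is flagged because Mirai's credential attacks
    targeted those services; an IoT device answering there deserves a look.
"""
from dataclasses import dataclass, field

# Constructed sample inventory, not real hosts.
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.10", "hostname": "print-3f",  "open_ports": [631, 9100]},
    {"mac": "AA:BB:CC:00:00:02", "ip": "10.0.0.11", "hostname": "robovac",   "open_ports": [23, 80]},
    {"mac": "AA:BB:CC:00:00:03", "ip": "10.0.0.12", "hostname": "ws-jsmith", "open_ports": [445]},
    {"mac": "AA:BB:CC:00:00:04", "ip": "10.0.0.13", "hostname": "camera-2",  "open_ports": [2323, 554]},
]
APPROVED_MACS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:03", "AA:BB:CC:00:00:04"}
CREDENTIAL_PRONE_PORTS = {23: "telnet", 2323: "telnet-alt"}


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    reasons: list = field(default_factory=list)


def audit(observed, approved_macs=APPROVED_MACS):
    """Return one Finding per device that is unapproved and/or exposes a
    service commonly driven by hard-coded default credentials."""
    findings = []
    for dev in observed:
        reasons = []
        if dev["mac"].upper() not in approved_macs:
            reasons.append("not on device allowlist (rogue device)")
        exposed = [CREDENTIAL_PRONE_PORTS[p] for p in dev["open_ports"] if p in CREDENTIAL_PRONE_PORTS]
        if exposed:
            reasons.append("exposes " + ", ".join(exposed) + "; verify default credentials were changed")
        if reasons:
            findings.append(Finding(dev["ip"], dev["mac"], dev["hostname"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED):
        print(f"{f.ip} {f.hostname} ({f.mac}): " + "; ".join(f.reasons))
```

Running the script as-is reports the unapproved vacuum cleaner (which also answers on telnet) and the approved camera that still exposes telnet-alt; a clean run prints nothing, which is the result you want.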

Chris Mitzlaff is a senior sales engineer at PacketSled. Contact him at chris.mitzlaff@packetsled.com

About PacketSled

PacketSled is the network analytics platform of choice for security teams globally. Used by enterprises and MSSPs for real-time data analysis, threat hunting and incident response, the platform leverages continuous internal network monitoring and retrospection to provide network forensics and security analytics. Security teams can integrate PacketSled into their orchestration engine, SIEM, or use PacketSled independently to dramatically reduce the resources required to respond to persistent threats, malware, insider attacks, and nation state espionage efforts.

The company has been named an innovator in leading publications and by security analysts, including SC Magazine, earning a finalist award in 2018 for network visibility. For continuous product updates and industry news, please visit us at www.packetsled.com or follow us @packetsled.