Why your IoT devices may be vulnerable to malware

SEP 08, 2021

Image: iStock/NanoStockk

Only 33% of users surveyed by NordPass changed the default passwords on their IoT devices, leaving the rest susceptible to attack.

You may make a concerted effort to protect your computers and network with strong passwords and robust security. But what about your Internet of Things devices? A new survey from password manager NordPass reveals that many IoT devices are saddled with their default passwords, making them an open target for cybercriminals.

In a survey of 7,000 people across Australia, Canada, France, Germany, the Netherlands, the UK and the United States, NordPass found that only 33% of users changed the default passwords on their IoT devices. The rest continued to use such built-in passwords as "admin" or "123456." Such simple passwords are easy to hack, paving the way for malware and other types of cyberattacks.

Beyond sticking with the default passwords, many users failed to properly secure their IoT devices in other ways. Among the respondents, only 36% changed the default password on a router, only 20% added a VPN to a router, and just 13% said they chose to buy IoT devices based on strong security features or not buy devices based on weak security features.

Over the past few years, the lack of proper IoT security has led to a variety of incidents in which cybercriminals actively hit devices with default or weak passwords. In 2012, the Carna botnet targeted routers with default passwords or no passwords. This attack scooped up information about IPv4 addresses, leading to a detailed image of the internet.

In 2016, the Remaiten malware infected Linux-based routers by brute-forcing default username and password combinations. After infecting a device, Remaiten managed to launch distributed denial-of-service attacks and download additional malware. And in 2017, the BrickerBot malware tried to log into IoT devices with weak security as a way to run malicious commands designed to disable them.

"Many people think that most IoT devices don't hold that much personal data compared to laptops or smartphones," NordPass security expert Chad Hammond said in a press release. "However, it's important to protect IoT devices, too."

To help you properly secure your IoT devices, NordPass offers the following tips:

  • Change your default password immediately. Create and apply a strong and secure password on your device using a password generator or a password manager.
  • Update your IoT devices. Check your devices to see if they automatically receive security updates. If not, make sure they're running the latest firmware. Remember that software updates are vital as they fix security flaws and patch bugs.
  • Install a VPN on your router. A VPN can thwart man-in-the-middle attacks by encrypting your traffic, thereby compensating for the poor encryption built into many IoT devices.