Admin is NOT the worst password of all

Forget about 12345 or P@ssW0rd, an Avira honeypot set up to find new smart device threats has identified an even more insecure credential – nothing.

“The most commonly used credential is blank, which means that the attackers just enter an empty username and password,” says Avira threat analyst Hamidreza Ebtehaj. “This is even more common than admin.”

Credentials in this case are a two-part combination of the user name and the password which hackers enter into Avira’s smart device honeypot while attacking it. Attacks with blank or empty credential slots made up a 25.6% of the total, vastly outnumbered the other top credential combinations. This blank category even exceeded share of default IoT device credentials such as “admin | QWestM0dem” and “admin | airlive” (24.0%) and the collection of general default credentials(23.4%) with those timeless classics such as “admin | admin”, “support | support”, and “root | root”.

Specific IoT malware attacks, where the hackers zeroed in on a known vulnerability made up 25%  of the total. The two top credential pairs were “root | xc3511” and default | S2fGqNFs” – two internet connected web cams which have gone to market under a number of names.

“These stats were collected on Friday, September 13,” he adds. “The numbers, especially for IoT malware-related stats, do vary slightly based on ongoing attacks, but the general distribution has remained consistent for some time now.”  

What’s a honeypot

A honeypot is a decoy device, computer or network set up to lure in hackers. An established element in cyber-defense strategies, honeypots enable researchers to attract and engage hackers while uncovering their newest techniques and preferred targets. “We let attackers in with any combination of usernames and passwords, they are allowed in our honeypot even with empty passwords,” explains Hamidreza.

Honey, who is my smart device talking to?

This particular honeypot mimics the features and behaviors of online devices such as routers and smart IoT devices as it draws in hackers. As it makes itself visible and seemingly vulnerable online, it uses three of the most common protocols used with smart devices – Telnet, Secure Shell, and Android Debug Bridge.

Aiming at the second phase

Each smart device attack has two largely automated phases. The first phase is simply selecting the target. For this, the attackers can use IP/port scanning, they might get information from other attackers/botnets. they might blindly scan the internet with Shodan, or they might have a database of the vulnerable devices.

The second phase is when the hackers work to infect the identified device – and this is where the honeypot plays a critical role. In addition to recording the credentials used in the attack, the honeypot also collects data on infection vectors, malicious scripts, and malware.

This time, it’s not just the users

Smart devices are often criticized for their inbuilt insecurity – and their users not changing the default passwords. But Hamidreza says the issue is more than lazy device users. “Common users have no knowledge of these protocols and they are not even aware that their devices might be accessible by hackers. We can’t expect users to log into a terminal and change the configuration of the protocols they have not even heard of.” Much of the blame rests on the device manufacturers and developers.

The dumb smart device conundrum

The problem with many smart devices is that they were just not designed with security in mind. Vulnerabilities and hacking of these connected devices has resulted in everything from people getting notices to subscribe to PewDiePie or, more seriously, the Mirai botnet and the world’s largest DDoS knocking parts of the internet offline. Industry agreements on smart device standards are only now getting past the planning stages, leaving millions of insecure devices online.

Remaining in uncertainty

Those with smart devices have three basic security options:

  1. Do an online search for any reported potential vulnerabilities in their devices.
  2. Check for firmware updates to patch any known vulnerabilities or issues in their devices.
  3. Scan their network for open ports that could be inviting hackers in.

This post is also available in: GermanFrenchItalian

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.
Avira logo

Scan your home network for open ports