How can an attacker flash their credentials to get into my device?

It’s a question for our always connected era: How can an attacker in Country A find, attack, and get into a smart device in Country B?

It starts even before an attacker flashes a set of credentials around. This process often begins with attackers launching an automated search for devices with open doors and windows with IP/Port scanning scripts. These can find uncover open ports on a device, with each open port linked to a corresponding service communicating over it – and do this within minutes. Every minute, the Avira honeypot, with profiles of smart TVs, routers and IP cameras, collects almost ten attacks – an average of 14,125 attacks each day. By allowing attackers in and recording their steps, this gives researchers an interesting discovery window into their tactics and strategies.

Attackers are knocking at the door

But here we want to talk about how, once the device has been located, the attackers will try to enter the device. It works something like aggressive, door-to-door salesmen, with the attackers stepping up to the device port and giving a quick knock to see what happens. Most of the time, there are no Hollywood style reactions to these attackers. In fact, nothing – no reaction – is the most common response of all with the device ports figuratively unlocked, open, and swinging in the breeze.

Unauthenticated access is just way too easy

The most common credentials – usually a two-part combination of user name and password — is in fact, nothing. Attacks with blank or empty credential slots made up a 25.6% of the total, vastly outnumbered other top credential combinations like the classic “admin | admin” combination. This easy unauthenticated access is an open option for attackers thanks to careless manufacturers and sysadmins.

Some protocols like older versions of ADB does not even have the authentication process. They were not designed to be exposed in the first place. Even the name emphasizes this – Android Debug Bridge — that it is only for debugging and should not be left open on the final product. Other protocols like Telnet and SSH support authentication, but developers leave them open to make them easier to use (for attackers also).

The problem with brute forcing a credential

Not every device is without a password – and this leads attackers to try brute force attacks where they guess the password by running every possible combination. The traditional – and the dumbest – brute force method is to run through all the options. Having no clue about the target, finding this correct password can potentially take years to finish.

Brute forcing gets smart

But again, careless manufacturers and sysadmins have made this process even more simple with default passwords. Yes, default passwords are just about as bad as having no password – and they make the brute-force process significantly easier. Armed with a list of default passwords, attackers can now work more quickly and effectively.

Let’s take a look at “178.128.58.222” one of the attackers mentioned previously. The credentials in the below table are not random. On the contrary, they are all known default username/passwords.


There is no default happy end

From the perspective of the end users, there is no easy answer on how to defend a smart device from the latest security and privacy risks. But here are two points to consider:

It’s gonna be a rough ride – The popularity of various credential combinations show manufacturers are lagging in implementing security into their product design. On one hand there are blank and weak default passwords which are the first to be exploited by attackers. In addition, users selection of passwords such as “admin” also make hacking much easier.

Consider the gateway – Given the near impossibility of enabling users to secure devices on their home network, it’s time to consider a gateway solution that detects and stops suspect behavior within the network. To be effective, this solution will incorporate a variety of AI skills to sort out the flood of data and be positioned at the router level — something like the Avira SafeThings and TP-Link venture.