The office was as quiet as a crypt. All of a sudden, I heard a blood-curdling shriek pierce the silence. Darting between office equipment, I ran to the source of the caterwaul. I arrived at the cube where the noise originated, ready to confront any ghoul or goblin in sight. But there were no monsters to be slain. Instead, I found a colleague who was pale as a ghost and sobbing as she repeatedly clicked her Internet browser’s refresh button. She began to wail like a banshee; her worst nightmare had come true. Spotify, Reddit, and the New York Times had been taken offline by a distributed denial-of-service (DDOS) attack. Terrifying!
This attack relied on more than hocus-pocus to take down some of the top visited sites on the web. It employed a complex network of everyday devices. According to the Wired article What We Know About Friday’s Massive East Coast Internet Outage, this DDOS attack employed Mirai malware to possess millions of Internet-connected devices to create a zombie army. This malevolent force assaulted Dyn, one of the major companies providing Internet infrastructure, and shut off services for many online companies.
KrebsOnSecurity has been examining the source code of the Mirai malware. In its article Who Makes the IoT Things Under Attack?, the company dispels the botnet’s sorcery by revealing the usernames and passwords the malware is using to gain access to gadgets and gizmos. What’s most disconcerting is that these private safeguards are fairly generic and used on countless items as default administrator credentials.
Attempted usernames and passwords
| Username | Password |
| admin | 123456 |
| admin | 1111 |
| admin | pass |
| admin | password |
| 888888 | 888888 |
| 666666 | 666666 |
| guest | guest |
| root | 7ujMko0vizxv |
| root | 7ujMko0admin |
| root | 666666 |
| root | dreambox |
| root | zlxx |
| root | juantech |
| root | xc3511 |
| root | root |
| root | default |
| root | admin |
| root | pass |
| root | password |
| root | user |
| service | service |
| user | user |
Even though utilities are using these potentially vulnerable Internet-of-Things devices in efficiency programs, there are steps companies can take to keep gremlins from wreaking havoc:
- Require the customer to change the default access credentials. If you’re using trade allies to install smart devices, train the contractor to work with the customer to change the username and password on the device. Ideally, the password should not be shared with any other accounts and should have a combination of letters, numbers, and symbols.
- Select devices that allow for automatic updates to be enabled, and assist customers in setting up this option. It’s important to select a device whose firmware will be regularly maintained by the vendor.
Engaging in smart security practices up front can make these devices a lot less scary. No witchcraft required.
