The office was as quiet as a crypt. All of a sudden, I heard a blood-curdling shriek pierce the silence. Darting between office equipment, I ran to the source of the caterwaul. I arrived at the cube where the noise originated, ready to confront any ghoul or goblin in sight. But there were no monsters to be slain. Instead, I found a colleague who was pale as a ghost and sobbing as she repeatedly clicked her Internet browser’s refresh button. She began to wail like a banshee; her worst nightmare had come true. Spotify, Reddit, and the New York Times had been taken offline by a distributed denial-of-service (DDoS) attack. Terrifying!


This attack relied on more than hocus-pocus to take down some of the most-visited sites on the web. It employed a complex network of everyday devices. According to the Wired article “What We Know About Friday’s Massive East Coast Internet Outage,” this DDoS attack used Mirai malware to possess millions of Internet-connected devices and create a zombie army. This malevolent force assaulted Dyn, one of the major companies providing Internet infrastructure, and shut off services for many online companies.

KrebsOnSecurity has been examining the source code of the Mirai malware. In its article “Who Makes the IoT Things Under Attack?”, the company dispels the botnet’s sorcery by revealing the usernames and passwords the malware uses to gain access to gadgets and gizmos. What’s most disconcerting is that these credentials are fairly generic and are used on countless items as default administrator credentials.

Attempted usernames and passwords

By logging in with these usernames and passwords, Mirai can turn Internet-enabled devices into evil botnets. These default credentials are hardcoded into the malware’s source code and are easily compromised.
Username    Password
--------    ------------
admin       123456
admin       1111
admin       pass
admin       password
888888      888888
666666      666666
guest       guest
root        7ujMko0vizxv
root        7ujMko0admin
root        666666
root        dreambox
root        zlxx
root        juantech
root        xc3511
root        root
root        default
root        admin
root        pass
root        password
root        user
service     service
user        user

Even though utilities are using these potentially vulnerable Internet-of-Things devices in efficiency programs, there are steps companies can take to keep gremlins from wreaking havoc:

  • Require the customer to change the default access credentials. If you’re using trade allies to install smart devices, train the contractor to work with the customer to change the username and password on the device. Ideally, the password should not be shared with any other accounts and should have a combination of letters, numbers, and symbols.
  • Select devices that allow for automatic updates to be enabled, and assist customers in setting up this option. It’s important to select a device whose firmware will be regularly maintained by the vendor.
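
Both steps above can be checked when a device is installed. The following Python sketch is an added example, not code from the original article or from the Mirai analysis: it tests install records against the credential table above, the letters-numbers-symbols guidance, password sharing, and the automatic-update setting. The function names, record fields, and sample records are hypothetical.

```python
import string

# Username/password pairs from the table in this article (Mirai's hardcoded list).
_PAIRS = """
admin:123456 admin:1111 admin:pass admin:password 888888:888888 666666:666666
guest:guest root:7ujMko0vizxv root:7ujMko0admin root:666666 root:dreambox
root:zlxx root:juantech root:xc3511 root:root root:default root:admin
root:pass root:password root:user service:service user:user
"""
MIRAI_DEFAULTS = {tuple(p.split(":", 1)) for p in _PAIRS.split()}
MIRAI_PASSWORDS = {pw for _, pw in MIRAI_DEFAULTS}
# Character classes the article asks for: letters, numbers, and symbols.
_CLASSES = (str.isalpha, str.isdigit, lambda c: c in string.punctuation)


def credential_findings(username, password):
    """Return the reasons a credential fails the article's guidance."""
    findings = []
    if (username, password) in MIRAI_DEFAULTS:
        findings.append("default-credential-pair")
    elif password in MIRAI_PASSWORDS:
        findings.append("password-on-default-list")
    if not all(any(check(c) for c in password) for check in _CLASSES):
        findings.append("needs-letters-numbers-symbols")
    return findings


def audit_installs(records):
    """Audit install records held in memory at setup time.
    Hypothetical fields: device, username, password, auto_update."""
    seen, report = {}, {}
    for rec in records:
        findings = credential_findings(rec["username"], rec["password"])
        first = seen.setdefault(rec["password"], rec["device"])
        if first != rec["device"]:  # same password already set on another device
            findings.append(f"password-shared-with:{first}")
        if not rec["auto_update"]:
            findings.append("auto-update-disabled")
        report[rec["device"]] = findings
    return report


# Constructed sample records for illustration; not real devices.
SAMPLE = [
    {"device": "thermostat-1", "username": "admin", "password": "password", "auto_update": False},
    {"device": "camera-1", "username": "root", "password": "xc3511", "auto_update": True},
    {"device": "camera-2", "username": "owner", "password": "T7#mq-Lantern9", "auto_update": True},
    {"device": "plug-1", "username": "owner", "password": "T7#mq-Lantern9", "auto_update": True},
]
```

Calling `audit_installs(SAMPLE)` returns an empty findings list only for `camera-2`; the other three records each fail at least one check.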

Engaging in smart security practices up front can make these devices a lot less scary. No witchcraft required. 

Contributing Authors

Senior consultant, Management Consulting

Jeffrey Daigle is an expert on contact center operations, customer experience, channel design, operations, digital engagement, and journey mapping...