ADVICE FROM THE LMLP: Take note before you install any “Internet of Things” devices!
…focusing on weak passwords with IoT devices alone risks missing the larger point, security experts warn.
“These devices have tons of issues,” says Billy Rios, the founder of the security firm Whitescope and a recognized expert on the security of embedded systems. “The reason that Mirai just exploited weak passwords is that it was all it needed to do. Why put more effort into it than you need to?”
A bigger problem than the default password, says Mr. Rios, is the shoddy manner in which internet-connected objects like cameras are deployed, allowing even nontechnical criminals and mischief makers to locate them with a simple online search.
Even without malicious software to speed the process along, finding insecure IoT devices is as easy as running an internet search. Search engines like Shodan have long allowed the curious to search for internet-connected machines in the same way that web surfers use Google to search for web pages. On any given day, a search for common IP-enabled cameras like this turns up tens of thousands of devices that can be accessed directly from the internet.
In many cases, that’s because the third-party firms that install and manage them on behalf of businesses, local governments, or even consumers want easy, remote access to them, Rios says. “Truck rolls – having to go out in person to service a device – are expensive,” he says. Allowing the cameras to be reachable from the public Internet makes it very easy to deploy and maintain or manage them remotely.