This article was contributed by Roy Dagan, CEO of SecuriThings.
Password rotation is a fundamental first line of defense for IoT devices, including those that uphold physical security, from security cameras to access control systems, alarm systems, and more. But many IoT devices come with default credentials that are never rotated, leaving the door open for malicious actors to compromise them. In fact, our research indicates most organizations don’t maintain or rotate device passwords at all. Shockingly, the “Admin/Admin” user ID and password is still likely the most used credential across all IoT devices.
The reason? The work required to update or rotate passwords regularly across many devices has not been widely automated. Typically, rotating device passwords has to be carried out manually across each device. This is a daunting task for any IoT operations team managing a fleet of IoT devices, which likely includes different makes and types. It’s no surprise many physical security teams fail to address password rotation at all.
What could possibly go wrong?
In the world of physical security, infrequent password rotation increases the risk that cyberattacks on vulnerable IoT devices will endanger people or property. Surveillance cameras are an easily understood example. At an airport, compromised video surveillance can impact passenger security and aircraft operations safety. At a casino, it becomes the stuff of movies with George Clooney. IoT attacks are common and inevitable – it’s “how soon,” not “if.” A 2019 Forrester Consulting study found that 67% of enterprises had already experienced an IoT security incident.
But really, who would target video cameras, and why?
In early 2017, days before Trump’s presidential inauguration, hackers in Romania took over a hundred of Washington, DC’s outdoor surveillance cameras. A spam email received by Washington, D.C. Police allowed a malware infection while the hackers slumbered in Bucharest, apparently unaware they had targeted police. They awoke to discover they controlled some important U.S.-based video feeds — and were the target of a global manhunt. It took three days to remove all software, restart each camera, and reload software, underscoring the importance of password rotation for cyber resiliency. This was no coordinated plot by masterminds or terrorists. It was a blundering, brute-force attack; its success was a cutting comment on IoT security.
State actors and saboteurs of infrastructure
Four days before Presidents Trump and Putin had their infamous private tête-à-tête at the 2018 Helsinki summit, hackers from China launched waves of brute-force attacks on internet-connected devices in Finland, seeking control of anything that could collect audio or visual intelligence. China was not alone; other nations also sought to eavesdrop. Traffic aimed at remote command-and-control features for Finnish devices spiked before the summit, hitting levels unprecedented for Finland. Each failure to install and update strong passwords gave the credential-stuffing attacks better odds of success. Russia, meanwhile, was the presumptive culprit in the 2015 pre-Christmas cyberattack that shut down part of Ukraine’s electricity grid. The Ukraine attack may have been a collaboration between cybercrime groups and Russian intelligence. It relied on hijacked passwords, suggesting password rotation could have stalled the attack.
These known attacks are undoubtedly only the tip of the iceberg as nations probe each other’s critical infrastructure, preparing to wreak havoc and confusion if the day of unrestrained conflict comes. The case for rotating passwords on IoT devices is, we trust you’ll agree, very strong.
Advantages of automation for compliance and security of IoT device fleets
Here’s why automation is key to efficiently rotating credentials on IoT devices to uphold security and compliance:
- It enables organizations to efficiently update passwords for any number of devices or device groups, regardless of their physical location.
- An automated password rotation platform can use — and maintain — a single password repository that complies with regulatory mandates and organizational policies.
- A platform designed for heterogeneous (multivendor) device fleets will be vastly more time-efficient than IT staff in rotating passwords on different models of devices from different manufacturers.
It’s startling that IoT device fleets have been built up to their current scale without automated password rotation being established as a necessary standard. One study concluded that trying just these five default credentials — support/support, admin/admin, admin/0000, user/user and root/12345 — gives you or any hacker access to at least 10% of all IoT devices. That translates into billions of undefended targets.
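To make the three automation points above concrete, here is an added example (written for this page, not SecuriThings code or any vendor's API) of a minimal rotation pass over a heterogeneous fleet: an inventory audit that flags devices still recorded with one of the five default credentials cited above or overdue under a 90-day policy, vendor-specific adapters behind one interface, and a single password repository that is updated only after a device accepts its new password. The device names, vendor names, the adapter class, the vault (a plain dict) and the sample fleet are all constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The five default credentials the article cites. They are used here only to
# audit the organization's own password repository: a device whose recorded
# credential matches one of these has never had its factory password changed.
DEFAULT_CREDENTIALS = {
    ("support", "support"),
    ("admin", "admin"),
    ("admin", "0000"),
    ("user", "user"),
    ("root", "12345"),
}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
SAMPLE_NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)  # constructed clock


def generate_password(length: int = 20) -> str:
    """Cryptographically random password, unique per device and per rotation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Device:
    device_id: str
    vendor: str                      # selects the adapter (constructed names)
    username: str
    password: str                    # credential currently in the repository
    rotated_at: Optional[datetime]   # None means the password was never rotated


class SimulatedAdapter:
    """Stand-in for a vendor-specific management API (hypothetical). A real
    platform needs one adapter per make/model; this one only records the
    password it was asked to apply, and can simulate unreachable devices."""

    def __init__(self, fail_ids=()):
        self.applied: Dict[str, str] = {}
        self.fail_ids = set(fail_ids)

    def set_password(self, device: Device, new_password: str) -> bool:
        if device.device_id in self.fail_ids:
            return False
        self.applied[device.device_id] = new_password
        return True


def audit(devices: List[Device], max_age=timedelta(days=90), now=None):
    """Flag devices still on a known default credential or overdue for rotation."""
    now = now or datetime.now(timezone.utc)
    findings = {"default": [], "overdue": []}
    for d in devices:
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            findings["default"].append(d.device_id)
        if d.rotated_at is None or now - d.rotated_at > max_age:
            findings["overdue"].append(d.device_id)
    return findings


def rotate(devices, adapters, vault, max_age=timedelta(days=90), now=None):
    """Rotate every flagged device. The repository (vault) is written only after
    the device accepts the new password, so a failed push leaves the old,
    still-valid credential on record instead of locking operators out."""
    now = now or datetime.now(timezone.utc)
    flagged = audit(devices, max_age, now)
    targets = set(flagged["default"]) | set(flagged["overdue"])
    result = {"rotated": [], "failed": []}
    for d in devices:
        if d.device_id not in targets:
            continue
        new_password = generate_password()
        if adapters[d.vendor].set_password(d, new_password):
            d.password = new_password
            d.rotated_at = now
            vault[d.device_id] = (d.username, new_password)
            result["rotated"].append(d.device_id)
        else:
            result["failed"].append(d.device_id)
    return result


def build_sample_fleet(now=SAMPLE_NOW):
    """Constructed inventory: a never-rotated camera still on admin/admin, an
    access controller overdue by policy, and an alarm panel rotated yesterday."""
    return [
        Device("cam-01", "camera-vendor-a", "admin", "admin", None),
        Device("door-02", "access-vendor-b", "svc", "Q7lp-ExAmPlE-1", now - timedelta(days=200)),
        Device("alarm-03", "alarm-vendor-c", "svc", "Zx9m-ExAmPlE-2", now - timedelta(days=1)),
    ]


if __name__ == "__main__":
    fleet = build_sample_fleet()
    adapters = {v: SimulatedAdapter() for v in ("camera-vendor-a", "access-vendor-b", "alarm-vendor-c")}
    vault = {}
    print("audit before:", audit(fleet, now=SAMPLE_NOW))
    print("rotation:", rotate(fleet, adapters, vault, now=SAMPLE_NOW))
    print("audit after:", audit(fleet, now=SAMPLE_NOW))
```

Two design choices carry the security point. The audit never probes devices with candidate passwords; it compares the organization's own records against the known-default list, so a device that was never onboarded properly is found without generating login traffic. And the vault is updated only on a successful push, so a camera that is offline during the run stays reachable with its recorded credential and simply remains flagged for the next pass.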
Password updates are urgent
Comprehensive password rotation may not be the sophisticated cutting edge of security, but it’s one of the highest-ROI security measures possible, and should not be put off. One reason is that it’s time-urgent: the average IoT device gets attacked within just five minutes of connecting to the internet.
In theory, the automation of password rotation liberates IT professionals to focus on higher-value tasks. In practice, most organizations simply don’t do tedious, manual device password updates. They have just skipped them, and that’s worse than doing them inefficiently. While the automation of password rotation can be an upgrade from manual processes, it often is, in reality, the debut of password security for an IoT device and the most practical way to achieve security compliance.
Password rotation is a must
Password rotation can’t wait for a strategic debate. It’s a tactical imperative. All organizations with IoT devices can be virtually certain that every device deployed will be targeted at some point. It’s time to define requirements and acquire the capability to automate both maintenance and management of your device fleet. Automation can handle other valuable operations such as updating firmware and monitoring device integrity for security compliance. Those benefits will only add strength to the business case for addressing password rotation immediately.
Roy Dagan is the CEO of SecuriThings.