A simple design change can fix the Internet-of-Things’ biggest security hole.
Thirty minutes. That’s the time it took a team of researchers from Ben-Gurion University in Israel to access security cameras, baby monitors, doorbells, thermostats, and other internet-of-things, not-so-smart devices. It didn’t require any special hacking techniques. Anyone can do it.
The research shows how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it. Put that information into a Google search box and, within a few minutes, you will find a site or a forum post somewhere describing how to get into that device using the manufacturer’s default administration user name and password.
Any pedophile, thief, ex-spouse, or regular Peeping Tom can use this information to gain access to any of these devices installed in your home. A government or criminal organization can also use these user/password combos to control many devices at once, in order to mine data, spy, or launch global internet attacks.
The research was led by Yossi Oren, who is in charge of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. With his colleagues, he analyzed 16 popular high- and low-end IoT devices, using different reverse-engineering techniques that show how easy it is to extract the default hard-coded passwords of any machine when you have physical access to it.