Common Credentials Criminals Use in IoT Dictionary Attacks Revealed

Bitdefender Internet Security Software

Hackers don’t attack blindly, and they always rely upon the one piece of information they know it’s going to help. People are behind all IoT devices, and people make mistakes. One of the most common mistakes is never changing the default passwords or choosing weak ones. By using Bitdefender’s telemetry, we take a closer look at what are the most common credentials criminals use when trying to compromise IoT devices.

Many people buy or set up various IoT devices in their homes and they either don’t bother changing the default access credentials or choose something simple that can be entered quickly. Routers are particularly susceptible to this practice, and they are especially vulnerable because they’re also home “guardians,” often lording over entire networks of other IoT devices.

People’s poor cybersecurity practices are well known in the industry, but criminals also use this information. So, when they develop malware and scanners capable of compromising IoT devices, they often use some of these bad habits against users.

Bitdefender is in a unique position to see what attackers actually do when trying to compromise a device. They will often deploy dictionary attacks, using a list of common usernames and passwords that might fit, knowing there’s a good chance the victims failed to change them.

Bitdefender sets up a network of honeypots that mirror real hardware criminals will find in the wild. This hardware is carefully monitored and allows security researchers to follow every step a hacker takes during the attack, including credentials.

Telnet honeypots

The Telnet protocol has been around for many years, and it’s still in use today, although some companies have started to phase it out. It has serious security issues, and it shouldn’t remain open when not in use. Making matters worse, some manufacturers enable it by default in devices, making them vulnerable to attacks.

Some of the credentials in the following list reflect the targeted hardware, revealing default usernames and passwords and some poor user choices. Also, some of the password entries are empty because users sometimes disable the password.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Usernames

 

Passwords

 

admin

 

CenturyL1nk

 

root

 

xc3511

 

admin

 

admin

 

root

 

Zte521

 

root

 

root

 

root

 

Pon521

 

default

 

default

 

admin

 

 

 

root

 

admin

 

root

 

vizxv

 

support

 

support

 

root

 

 

 

root

 

123456

 

guest

 

guest

 

admin

 

1234

 

root

 

default

 

guest

 

12345

 

default

 

S2fGqNFs

 

default

 

OxhlwSG8

 

default

 

 

 

SSH honeypots

Even if SSH is considered more secure than Telnet, weak or default passwords remain a problem. While the communication through SSH is encrypted, it doesn’t really help if the attacker can guess the credentials.

Some of you will likely recognize the default credentials in the following list because some known manufacturers implement them. SSH is the preferred way of accessing remote devices, but users will sometimes use the default credentials.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Usernames

 

Passwords

 

nproc

 

nproc

 

knockknockwhosthere

 

knockknockwhosthere

 

admin

 

admin

 

pi

 

raspberry

 

root

 

root

 

pi

 

raspberryraspberry993311

 

root

 

admin

 

user

 

user

 

support

 

support

 

admin

 

password

 

admin

 

 

 

root

 

123456

 

ubnt

 

ubnt

 

admin

 

7ujMko0admin

 

root

 

1234

 

guest

 

guest

 

root

 

password

 

admin

 

1234

 

0

 

0

 

0101

 

0101

 

Generic IoT devices

People can access some of the IoT devices through web interfaces, not just Telnet or SSH. Of course, attackers will also attempt to compromise those devices and follow the same practices by trying combinations of default credentials or weak passwords.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Usernames

 

Passwords

 

admin

 

admin

 

superadmin

 

[email protected]

 

user

 

user

 

user

 

@User1234

 

root

 

root

 

admin

 

password

 

admin

 

admin123

 

admin

 

123456

 

draytek

 

1234

 

Polycom

 

456

 

admin

 

Bz0NAG49

 

admin

 

superpass

 

admin

 

qP9Yh1ELd9

 

admin

 

qwerty

 

admin

 

password123

 

Best practices

If there were ever a time to change the default credentials of your IoT devices, it would be now. Bitdefender’s telemetry shows what credentials attackers attempt in their malicious campaigns. Many of their efforts to compromise devices would be thwarted by simply changing the default usernames and passwords or by improving the existing passwords.

Of course, having an ISP that looks over its customers by deploying the Bitdefender IoT Security Platform in their routers also helps. Security embedded in the router does wonders for networks, blocking attacks and advising users of vulnerabilities present in their smart homes.