More evidence that using weak or default passwords is a bad idea: they really are the first thing hackers try out when attempting to take over a device.
Security company F-Secure has a set of 'honeypot' or decoy servers set up in countries around the world to detect patterns in cyberattacks. The vast majority of traffic to these servers is a result of their discovery during scans of the internet by hackers looking for devices to access.
The company said it saw a significant increase in traffic to these honeypots in the second half of last year. It said the rise in 'attack traffic' reflects the increasing number of threats to Internet of Things (IoT) devices.
"Honeypot traffic was driven by action aimed at the SMB and Telnet protocols, indicating continued attacker interest in the Eternal Blue vulnerability as well as plenty of infected IoT devices," the company said.
According to its data, SMB port 445 was the most-targeted port over the period, indicating that attackers are still keen to use SMB worms and exploits such as Eternal Blue, like Trickbot. Telnet was also commonly targeted, likely as part of attacks on IoT devices. The same is the case with probes of SSH on port 22, which enables secure remote access and is commonly associated with full administrative access.
Once a potentially vulnerable device is discovered, the next thing that attackers want to do is try to gain access to it.
According to F-Secure, the "ever-present" top choice of passwords for hackers to try was 'admin' -- a password which really should not be used for any device, and especially not one connected to the internet. Other bad passwords on the list include '12345', 'default', 'password' and 'root'. Last year the UK's National Cyber Security Centre (NCSC) noted that the only slightly more complicated '123456' has been found 23 million times in breaches.
The passwords that hackers try also reflect the sorts of devices they are currently targeting, F-Secure said: included on the list of the most commonly-tried passwords were the factory defaults for digital video recorders and embedded devices such as routers.
"Brute forcing factory default usernames and passwords of IoT devices continues to be an effective method for recruiting these devices into botnets that can be used in DDoS attacks," F-Secure warned.
The UK recently set out guidelines recommending that all consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.