IT professionals have long understood the importance of changing the default password for network connected hardware devices (printers, switches, wireless access points, etc.). In the world of the Internet Of Things it seems everything is connected to the internet, the locks to your house, the refrigerator, your car, the wireless router from the cable company, the list goes on. All of these devices have a default user name and password for managing settings. IT professionals should know better than to ever leave those administrator passwords as default, but does the general public?
In September of 2015, the InfoSec Institute published a detailed article regarding the exploitation of corporate printers (InfoSec Institute). In January 2016, several news outlets reported on hackers using the storage in network connected printers and multi-function devices to store and execute malicious code (SecurityWeek). In March, it was reported how hackers printed anti-Semitic flyers to thousands of publicly accessible printers (WashingtonPost). As recently as Friday September 9, Security Week reported on a new malware variant, Mal/Miner-C, discovered by Sophos that specifically targets network attached storage devices, leveraging default user name and passwords (SecurityWeek).
Whether you are an IT professional or a home consumer, hackers continue to exploit vulnerabilities in other network connected devices beside your traditional computer. Based on the recent discovery of Mal/Miner-C, hackers continue to see the default user name and password as a way into those devices. Clearly we are not doing a good enough job at adhering to what amounts to age old advice; change the default administrator password immediately and disable any unused or unnecessary services. If you don’t plan to have your refrigerator order your groceries for you, turn that service off and be sure to change the default password on that fancy new garage door lifter.