Default and Weak IoT Credentials
Understand how default and weak credentials on IoT devices enable botnet recruitment, network compromise, and critical infrastructure attacks. Learn remediation.
What is Default and Weak IoT Credentials?
Default and Weak IoT Credentials is one of the most widely exploited IoT security weaknesses, and the one responsible for the recruitment of millions of devices into botnets such as Mirai, Hajime, and their variants. The vulnerability exists when IoT devices ship with factory-default usernames and passwords (often "admin/admin", "root/root", or blank credentials) that users never change, when devices use hardcoded credentials that cannot be changed, or when devices enforce credential policies so weak that trivially guessable passwords are accepted.
The scale of the problem is staggering: billions of IoT devices are deployed worldwide, including IP cameras, routers, smart home devices, industrial control systems, medical devices, and building automation systems, and a large share of them have never had their default credentials changed. The Mirai botnet demonstrated the consequences in 2016 when it compromised hundreds of thousands of IoT devices using a dictionary of just 62 default credential pairs and used them to launch DDoS attacks larger than any seen up to that point, including the attack on DNS provider Dyn that made GitHub, Netflix, and other major services unreachable.
The problem is compounded by structural deficiencies of the IoT ecosystem: devices are often deployed by non-technical users who are unaware of the security implications, manufacturer documentation rarely presents the credential change as a critical first step, firmware update mechanisms are frequently absent or cumbersome, and the sheer number of deployed devices makes centralized credential management impractical without purpose-built IoT management platforms. Many IoT devices also lack an adequate user interface for credential management, offering only an unencrypted HTTP management interface on a default port.
How It Works
Attackers exploit default IoT credentials through automated scanning at internet scale. Tools like Masscan, ZMap, and custom scripts scan the entire IPv4 address space for common IoT service ports: Telnet (23), SSH (22), HTTP management interfaces (80, 8080, 8443), RTSP for cameras (554), and protocol-specific ports for industrial devices (Modbus/502, BACnet/47808). When an open port is found, the scanner attempts authentication using databases of known default credentials for hundreds of device manufacturers and models. The entire scan-and-compromise cycle can be completed in minutes for individual devices and hours for internet-wide campaigns.
The Mirai botnet source code, publicly released in 2016, provided a template that has been adapted by dozens of subsequent botnets. The attack sequence is straightforward: scan random IP addresses for open Telnet ports (23 and 2323), attempt login with a dictionary of 62 default credential pairs covering most consumer IoT devices, and report working credentials to a loader. The loader logs in, escalates to a shell, determines the device architecture (ARM, MIPS, x86, and others) from an ELF binary already present on the device, fetches the matching bot binary with wget, tftp, or an echo-based transfer, and executes it; the bot then registers with the command-and-control server and starts scanning for further victims. Modern variants have expanded to additional protocols (SSH, HTTP APIs) and known device vulnerabilities, and carry larger credential dictionaries.
Beyond botnet recruitment, default credentials on specific device types enable targeted attacks. Default credentials on industrial control systems (PLCs, SCADA systems, HMIs) allow manipulation of physical processes such as water treatment, power generation, and manufacturing. Default credentials on IP cameras enable surveillance and privacy violations. Default credentials on network routers and switches allow network reconfiguration, traffic interception, and DNS hijacking. Default credentials on medical devices can endanger patient safety. Enterprise IoT devices with default credentials provide initial access to corporate networks for lateral movement.
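The sequence above, seen from the defender's side. This is an added example, not code from the page or from the Mirai source: it scores each source address in Telnet honeypot or authentication logs on three traits of a Mirai-style loader (spraying pairs from the published Mirai dictionary, touching several hosts on Telnet ports, and running the shell-escalation commands followed by the `/bin/busybox MIRAI` applet test after a successful login). The log line format, the sample lines, and the flagging thresholds (three default-dictionary attempts across at least two hosts) are constructed for the example; the credential pairs are a subset of those in the released Mirai source, and the post-login command list is the probe the Mirai loader used.

```python
"""Score Telnet honeypot or auth-log lines for Mirai-style activity.

Added example, not code from the page or from the Mirai source. The log
format and the sample lines are constructed for this demo.
"""
import re
from collections import defaultdict

# Subset of the credential pairs in the publicly released Mirai source.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("root", "system"),
    ("admin", "1234"), ("admin", "12345"), ("ubnt", "ubnt"),
}
TELNET_PORTS = {23, 2323}
# Commands the Mirai loader sends after a successful login to reach a shell
# and test for BusyBox ("MIRAI: applet not found" confirms it is there).
POST_LOGIN_PROBE = ["enable", "system", "shell", "sh", "/bin/busybox MIRAI"]
MIN_DEFAULT_TRIES = 3   # assumed flagging thresholds
MIN_TARGETS = 2

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<kind>LOGIN|CMD) (?P<rest>.*)$")
LOGIN_RE = re.compile(r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)")

# Constructed sample: one Mirai-like source, one legitimate SSH admin,
# one stray single guess.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 -> 192.0.2.10:23 LOGIN user=root pass=xc3511 result=FAIL
2024-05-01T10:00:02Z 203.0.113.5 -> 192.0.2.10:23 LOGIN user=root pass=vizxv result=OK
2024-05-01T10:00:02Z 203.0.113.5 -> 192.0.2.10:23 CMD enable
2024-05-01T10:00:02Z 203.0.113.5 -> 192.0.2.10:23 CMD system
2024-05-01T10:00:03Z 203.0.113.5 -> 192.0.2.10:23 CMD shell
2024-05-01T10:00:03Z 203.0.113.5 -> 192.0.2.10:23 CMD sh
2024-05-01T10:00:03Z 203.0.113.5 -> 192.0.2.10:23 CMD /bin/busybox MIRAI
2024-05-01T10:00:05Z 203.0.113.5 -> 192.0.2.11:2323 LOGIN user=admin pass=admin result=FAIL
2024-05-01T10:00:06Z 203.0.113.5 -> 192.0.2.12:23 LOGIN user=root pass=888888 result=FAIL
2024-05-01T10:01:00Z 198.51.100.7 -> 192.0.2.10:22 LOGIN user=ops pass=S3cure-Passphrase result=OK
2024-05-01T10:01:01Z 198.51.100.7 -> 192.0.2.10:22 CMD uptime
2024-05-01T10:02:00Z 198.51.100.9 -> 192.0.2.10:23 LOGIN user=admin pass=admin result=FAIL
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    if rec["kind"] == "LOGIN":
        lm = LOGIN_RE.match(rec["rest"])
        if not lm:
            return None
        rec.update(lm.groupdict())
    else:
        rec["cmd"] = rec["rest"].strip()
    return rec

def _contains_in_order(seq, sub):
    """True if every element of sub appears in seq, in that order."""
    it = iter(seq)
    return all(any(x == want for x in it) for want in sub)

def score_sources(lines):
    """Return {src: {"targets", "default_tries", "probe", "flag"}} per source IP."""
    stats = defaultdict(lambda: {"targets": set(), "default_tries": 0, "cmds": []})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["src"]]
        if rec["port"] in TELNET_PORTS:
            s["targets"].add(rec["dst"])
        if rec["kind"] == "LOGIN":
            if (rec["user"], rec["pw"]) in MIRAI_DEFAULTS:
                s["default_tries"] += 1
        else:
            s["cmds"].append(rec["cmd"])
    result = {}
    for src, s in stats.items():
        # The probe sequence alone is enough to flag; otherwise require a
        # spray of known defaults across more than one host.
        probe = _contains_in_order(s["cmds"], POST_LOGIN_PROBE)
        spray = s["default_tries"] >= MIN_DEFAULT_TRIES and len(s["targets"]) >= MIN_TARGETS
        result[src] = {"targets": len(s["targets"]), "default_tries": s["default_tries"],
                       "probe": probe, "flag": probe or spray}
    return result

if __name__ == "__main__":
    for src, s in score_sources(SAMPLE_LOG.splitlines()).items():
        print(src, s)
```

On the sample, 203.0.113.5 is flagged on both counts, the SSH administrator from 198.51.100.7 is not, and the single admin/admin guess from 198.51.100.9 stays below the spray threshold. In production the same scoring runs over the honeypot's or the devices' syslog stream, and the credential set should be the full dictionary carried by whichever variants you are tracking rather than this subset.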
Impact
- Botnet recruitment enabling large-scale DDoS attacks that can disrupt major internet services and cost target organizations millions in mitigation and lost revenue
- Unauthorized surveillance through compromised IP cameras, baby monitors, and audio-enabled devices in homes, offices, and sensitive facilities
- Network compromise when IoT devices serve as pivot points for lateral movement into corporate, industrial, or home networks
- Critical infrastructure manipulation when default credentials on industrial control systems allow unauthorized modification of physical processes
- Cryptojacking where compromised IoT devices are used for cryptocurrency mining, consuming power and degrading device performance and lifespan
- Privacy violations and regulatory penalties when compromised devices expose personal data or enable unauthorized monitoring in violation of GDPR, CCPA, or sector-specific regulations
Remediation Steps
- Implement unique per-device credentials at the factory level. Each device should ship with a unique, randomly generated password printed on a physical label attached to the device, and no shared default should exist anywhere in the device population. Because the label password is machine-generated, its strength comes from length and alphabet rather than from "mixed character types": at least 12 characters drawn uniformly at random from an alphabet of 50 or more symbols gives roughly 70 bits of entropy, which is out of reach of online guessing and expensive to brute-force even offline.
- Force credential change on first device setup. The device should not be functional until the user sets a new password that meets minimum complexity requirements. The setup wizard should be unavoidable—devices should not fall back to default credentials if the setup process is interrupted or skipped.
- Implement account lockout and rate limiting on all authentication interfaces. After 5-10 failed attempts, apply a progressive delay (doubling with each further failure) or a temporary lock, and generate an alert. This defeats dictionary attacks even where a user has chosen a weak password. On interfaces reachable from untrusted networks, prefer per-source rate limiting and growing delays over indefinite account lockout; otherwise an attacker can lock the legitimate administrator out at will.
- Disable unnecessary network services and protocols by default. Telnet should never be enabled—use SSH exclusively for remote management. Disable UPnP to prevent automatic port forwarding that exposes management interfaces to the internet. Web management interfaces should only be accessible from the local network by default.
- Implement centralized IoT device management platforms that enforce credential policies across device fleets. Enterprise deployments should use certificate-based authentication or integration with directory and AAA services (LDAP, RADIUS) rather than local device credentials. Consumer IoT platforms should support cloud-based credential management with MFA.
- Deploy network-level IoT security controls: segment IoT devices on dedicated VLANs isolated from production networks, implement network access control (NAC) that keeps unrecognized devices in a quarantine segment until they have been onboarded and audited, and monitor IoT network segments for anomalous outbound connections indicative of botnet command-and-control communication.
- Implement automated credential auditing using tools that scan internal networks for IoT devices with default or weak credentials. Schedule regular audits and integrate results into vulnerability management workflows. Use threat intelligence feeds to stay current on newly disclosed default credentials for IoT devices in your environment.
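The first three steps (a unique label password, a forced change on first login with no fallback to the default, and progressive lockout) combined in one device-side implementation. This is an added example, not code from the page or from any vendor's firmware. The threshold of 5 failures, the 30-second base delay, the 12-character minimum, the PBKDF2 round count, and the short blocklist are assumed policy values, and the injectable clock exists only so the lockout can be exercised without waiting.

```python
"""Device-side credential lifecycle: unique factory password, forced change
on first login, progressive lockout. Added example; not from the page or any
vendor firmware. Policy numbers below are assumptions."""
import hashlib
import hmac
import math
import os
import secrets
import time

# No look-alike characters (0/O, 1/l/I), so the printed label is readable.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"
MIN_PASSWORD_LEN = 12
LOCKOUT_THRESHOLD = 5          # assumed policy values
LOCKOUT_BASE_SECONDS = 30
PBKDF2_ROUNDS = 100_000        # tune to the device CPU in real firmware
# Constructed blocklist; a real device ships a much longer one.
BLOCKLIST = {"password", "administrator", "123456789012", "passwordpassword"}

def generate_factory_password(length=16):
    """Random per-device label password; returns (password, entropy_bits)."""
    pw = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))
    return pw, length * math.log2(len(LABEL_ALPHABET))

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class DeviceAuth:
    """One local account. Until the owner sets a password only the label
    password works, and it opens nothing but the password-change step."""

    def __init__(self, factory_password, clock=time.monotonic):
        self.clock = clock          # injectable so lockout can be tested
        self.salt = os.urandom(16)
        self.factory_hash = _hash(factory_password, self.salt)
        self.user_hash = None       # set once the owner picks a password
        self.failures = 0
        self.locked_until = 0.0

    @property
    def provisioned(self):
        return self.user_hash is not None

    def authenticate(self, password):
        """Returns 'locked', 'fail', 'must_change' or 'ok'."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"         # do not even evaluate the password
        expected = self.user_hash if self.provisioned else self.factory_hash
        if not hmac.compare_digest(_hash(password, self.salt), expected):
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:
                # 30 s at the threshold, doubling with each further failure.
                delay = LOCKOUT_BASE_SECONDS * 2 ** (self.failures - LOCKOUT_THRESHOLD)
                self.locked_until = now + delay
            return "fail"
        self.failures = 0
        return "ok" if self.provisioned else "must_change"

    def set_password(self, current, new):
        """The only way out of the factory state; the label password is
        rejected for login from this point on, with no fallback."""
        if self.authenticate(current) not in ("ok", "must_change"):
            return False
        if (len(new) < MIN_PASSWORD_LEN or new.lower() in BLOCKLIST
                or hmac.compare_digest(_hash(new, self.salt), self.factory_hash)):
            return False
        self.user_hash = _hash(new, self.salt)
        return True

def demo():
    """Walk one device through setup, a default-credential spray, and recovery."""
    factory_pw, bits = generate_factory_password()
    t = [0.0]                                   # fake clock in seconds
    dev = DeviceAuth(factory_pw, clock=lambda: t[0])
    out = {"entropy_bits": bits, "first_login": dev.authenticate(factory_pw)}
    out["weak_rejected"] = not dev.set_password(factory_pw, "password")
    out["set_ok"] = dev.set_password(factory_pw, "correct horse battery")
    out["factory_after_setup"] = dev.authenticate(factory_pw)
    for _ in range(LOCKOUT_THRESHOLD):
        dev.authenticate("admin")               # attacker spraying defaults
    out["owner_during_lock"] = dev.authenticate("correct horse battery")
    t[0] += LOCKOUT_BASE_SECONDS + 1
    out["owner_after_wait"] = dev.authenticate("correct horse battery")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The property the setup-wizard step asks for is visible in `set_password`: once it succeeds there is no code path that reinstates the label password, so an interrupted setup leaves the device in the factory state rather than silently falling back to a shared default. In real firmware the hashes live in a persistent store that survives firmware updates and reboots, and the PBKDF2 round count is tuned to what the device CPU can afford per login.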
Testing Guidance
Begin by inventorying all IoT devices on the network using active scanning tools (Nmap, Masscan) and passive discovery techniques (network traffic analysis, DHCP logs, ARP tables). Identify device types, manufacturers, and models through banner grabbing, HTTP response fingerprinting, and MAC address OUI lookups. Build a comprehensive IoT asset inventory that maps each device to its known default credentials using a default-password database or the manufacturer's documentation.
Conduct systematic credential testing against all discovered IoT devices. Use tools like Hydra, Medusa, or custom scripts to test default credentials for each identified device model against Telnet, SSH, HTTP, and protocol-specific authentication endpoints. Test both manufacturer-specific default credentials and generic defaults (admin/admin, root/root, admin/password, admin/1234). Verify whether devices enforce account lockout or rate limiting by measuring how many failed attempts are permitted before lockout activates. Test only with written authorization and, for industrial and medical devices, against spares or inside a maintenance window: repeated failed logins can lock administrators out or crash fragile embedded daemons.
Test credential management capabilities: verify that devices support password changes, that new passwords must meet minimum complexity requirements, that default credentials are invalidated after password change (some devices maintain backdoor accounts), and that credential changes survive firmware updates and device reboots. For devices with web management interfaces, test whether the interface is accessible from the internet (port scan from external perspective), whether it uses HTTPS, and whether it is vulnerable to brute-force attacks. Use Shodan or Censys to identify your organization's IoT devices that may be internet-exposed with default credentials before an attacker does.
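An audit script for the credential-testing step above, as an added example (it is not the page's tooling or any vendor's). It sprays per-model and then generic defaults at HTTP Basic-auth management interfaces, stops at the first success, and records how many failures a device tolerated before it answered 429 or 423, which is the lockout measurement the text asks for. The inventory, the default lists, the hypothetical model name acme-cam-200, and the three mock devices served from a local thread are all constructed so the script runs offline; against real devices you would pass their URLs to `audit_device`, with the authorization caveat above in mind.

```python
"""Default-credential audit for HTTP Basic-auth management interfaces,
with lockout / rate-limit detection. Added example; nothing here is the
page's or a vendor's tooling, and all devices and defaults are constructed."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed per-model defaults; a real audit maps each inventoried model
# to vendor documentation or a default-password database.
DEFAULTS_BY_MODEL = {
    "generic": [("admin", "admin"), ("root", "root"),
                ("admin", "password"), ("admin", "1234")],
    "acme-cam-200": [("admin", "acme1234")],   # hypothetical model and default
}
LOCKOUT_STATUSES = {429, 423}   # "Too Many Requests" / "Locked"

def probe_basic_auth(url, user, password, timeout=3):
    """One Basic-auth attempt; returns the HTTP status, or None on a network error."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None

def audit_device(url, model):
    """Try model-specific defaults, then generic ones. Stops at the first
    success or the first lockout response and reports both."""
    candidates = DEFAULTS_BY_MODEL.get(model, []) + DEFAULTS_BY_MODEL["generic"]
    result = {"url": url, "valid": None, "attempts": 0, "lockout_after": None}
    for user, pw in candidates:
        status = probe_basic_auth(url, user, pw)
        result["attempts"] += 1
        if status in LOCKOUT_STATUSES:
            # Failures tolerated before the device started refusing outright.
            result["lockout_after"] = result["attempts"] - 1
            break
        if status == 200:
            result["valid"] = (user, pw)
            break
    return result

class MockDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for three management interfaces on one server."""
    creds = {"/cam": "admin:Ch4nged-by-owner",   # changed, locks after 3 failures
             "/router": "root:root",              # still on a generic default
             "/plc": "admin:Ch4nged-by-owner"}    # changed, but never locks out
    lock_after = {"/cam": 3, "/router": None, "/plc": None}
    failures = {}

    def do_GET(self):
        if self.path not in self.creds:
            self.send_error(404)
            return
        limit = self.lock_after[self.path]
        if limit is not None and self.failures.get(self.path, 0) >= limit:
            self.send_error(429)
            return
        expected = "Basic " + base64.b64encode(self.creds[self.path].encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.failures[self.path] = self.failures.get(self.path, 0) + 1
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass

def run_audit():
    """Start the mock devices on an ephemeral local port, audit them, stop."""
    MockDevice.failures = {}
    server = HTTPServer(("127.0.0.1", 0), MockDevice)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "cam": audit_device(base + "/cam", "acme-cam-200"),
            "router": audit_device(base + "/router", "unknown-model"),
            "plc": audit_device(base + "/plc", "unknown-model"),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, r in run_audit().items():
        print(name, r)
```

The three outcomes map onto the findings a report needs: the router still answers to root/root (critical), the camera has had its password changed and locks out after three failures (pass), and the PLC has had its password changed but accepted every attempt without pushback (a rate-limiting finding, and a device to check for other exposed services). Note that `audit_device` stops at the first lockout response; a result with `lockout_after` set and `valid` still `None` means the remaining candidates were never tried, so re-run that device after the lock expires if the list matters.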