IoT devices are growing in popularity, with 18 billion devices connected by the end of this year. This growth has captured the attention of hackers exploiting vulnerabilities in this relatively new industry. The world has already seen major attacks caused by hardcoded credentials in IoT devices; one of the most notable was the Mirai botnet attack in 2016, in which attackers built a large botnet out of IoT devices that still used default SSH and telnet credentials and brought down a large part of the internet.
Six years after the Mirai botnet attack, successful attacks on IoT devices with hardcoded credentials continue to grow, as does the threat to consumer safety and wellbeing. As IoT devices control more of the systems that consumers interact with daily (e.g. ovens, vehicles, smart locks), attacks on these devices become more disruptive and, in some cases, life threatening.
The IoT market is still relatively new, and the current rush to market pushes IoT device makers to focus on being first rather than on shoring up security in existing and future devices. Often this means using hardcoded credentials for device management or leaving device security for their hardware vendors to manage.
This lack of security makes the IoT space a paradise for hackers: if an attacker manages to brute-force one password, they gain access to millions of internet-connected devices around the world, creating large botnets that can be used to bring down services, send spam, expand the botnet by attacking more endpoints, and more. To make matters worse, many of these passwords are baked into application code or firmware, making it hard and sometimes impossible to rotate them once they are compromised.
While developers of cloud services have nearly unlimited compute and storage, IoT developers are very constrained: every byte and every compute cycle must be accounted for to make devices smaller and more power efficient. These developers do not have the space or compute budget to build their own management API with proper authentication and authorization, which pushes them to use SSH with hardcoded credentials to manage the devices remotely.
SSH certificates are a great alternative to hardcoding credentials for IoT devices. Since many of these devices run a version of Linux with OpenSSH, SSH certificate authentication is already supported. With no extra resources, IoT device manufacturers can securely access devices over SSH by issuing short-term SSH certificates, replacing the insecure practice of hardcoding credentials. The device only needs to trust the CA's public key; the credential that actually logs in is issued per session and expires on its own, so there is no shared secret in firmware to rotate.
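The workflow above, as an added example that is not Keytos or OpenSSH project code: an operator-side fleet CA that signs a short-lived OpenSSH user certificate, with helpers that inspect the result the way an auditor would. It assumes OpenSSH 5.4 or later on both ends; the device account `deviceadmin`, the 10-minute lifetime and the file paths are illustrative choices.

```shell
#!/bin/sh
# Added example (not Keytos or OpenSSH code): a fleet SSH CA issues short-lived
# user certificates instead of a password baked into firmware.
# Assumptions: OpenSSH 5.4+ on operator host and device; the device account
# "deviceadmin" and the 10-minute lifetime are illustrative choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PRINCIPAL="deviceadmin"        # assumed login account on the device
VALIDITY="${VALIDITY:-+10m}"   # cert lifetime; it expires by itself, nothing to rotate

# One-time: create the fleet CA. Only fleet_ca.pub ships in device firmware.
make_ca() {
  [ -f "$WORKDIR/fleet_ca" ] || \
    ssh-keygen -q -t ed25519 -N '' -C 'fleet-ssh-ca' -f "$WORKDIR/fleet_ca"
}

# Per session: sign the operator's public key. -I is the key id that appears in
# the device's auth log, -n restricts the cert to one principal, -V bounds it.
issue_cert() {
  keyid="$1"
  [ -f "$WORKDIR/op" ] || ssh-keygen -q -t ed25519 -N '' -f "$WORKDIR/op"
  ssh-keygen -q -s "$WORKDIR/fleet_ca" -I "$keyid" -n "$PRINCIPAL" \
    -V "$VALIDITY" "$WORKDIR/op.pub"
  printf '%s\n' "$WORKDIR/op-cert.pub"   # OpenSSH writes <key>-cert.pub
}

# Inspect the issued certificate (ssh-keygen -L) for key id, principals, expiry.
cert_key_id() {
  ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}
cert_principals() {
  ssh-keygen -L -f "$1" | awk '/^[ \t]*Principals:/ {p=1; next}
                               /^[ \t]*Critical Options:/ {p=0}
                               p {sub(/^[ \t]+/, ""); print}'
}
# Succeeds only if the cert carries an expiry ("Valid: from ... to ..."), not "forever".
cert_is_bounded() {
  ssh-keygen -L -f "$1" | grep -q '^[[:space:]]*Valid: from .* to '
}

# Device side (sshd_config): one line trusts the CA; no per-device secret exists.
#   TrustedUserCAKeys /etc/ssh/fleet_ca.pub
# Operator side: ssh -i "$WORKDIR/op" deviceadmin@<device>  (the cert is sent automatically)
if [ "${1:-}" = "demo" ]; then
  make_ca
  CERT="$(issue_cert "op-$(date +%s)")"
  ssh-keygen -L -f "$CERT"
fi
```

Run with `demo` as the first argument to issue a certificate and print its fields; a second `issue_cert` call after the window has passed simply yields a new, equally short-lived credential.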
At Keytos, our team of identity experts makes your IoT development experience as easy and secure as possible. From our EZSSH solution, an SSH CA as a service that allows companies to manage SSH access to their endpoints with short-term SSH certificates, to EZCA's integration with Azure's IoT Hub, our solutions will enable you to secure your IoT products by launching you into a password-less reality. Schedule a meeting with one of our security experts for a free consultation on IoT security.