Following the news about the Hackers Test Stolen Emails W/IoT Devices (stories The WSJPYMNTS, Krebs on Security), Rod Schultz, IT security experts from Rubicon Labs and STEALTHbits commented below.

Rod Schultz, VP of Product at Rubicon Labs:

rod-schultz“Experts may have known about vulnerabilities in the networking protocols that were exploited for over 10 years, but the world has understood the dangers of a virus for over a century. Connect a device to a network and you must model that device as a biological entity. History has shown that certain biological viruses have catastrophic impact on society, and now that we are connecting billions of devices to a network it’s time everyone understands that the same thing is going to happen to digital things. Technological progress must be coupled with advances in security. Devices require unique credentials and identities that will create a more diverse attack surface and go a long way toward preventing this style of viral attack on our expanding digital world.”

Brad Bussie, CISSP, Director of Product Management at STEALTHbits:

Brad-Bussie“The main problem facing the Internet of Things stems from the common vulnerability known as the default password. How many devices do consumers purchase that have a default username and password that are never changed? Many internet routers, cable boxes and other devices connected to the internet all have default profiles used for configuration. The intention is for the end users to change the default password or to even create another user account once the device setup is complete, but most devices do not enforce this activity. So what are we left with? Millions of devices with admin and password as the only login information that an attacker needs. Gone are the days where simply being behind a firewall that’s set to deny most incoming traffic means a protected device.

“Hackers have databases with massive username and password combinations, and these databases grow bigger every day and with each data breach. In order to get in front of this wave crashing down on the Internet of Things, device manufacturers need to enforce a username/password change the first time a device is configured, and promote uniqueness for both.”

Information Security Buzz