Why Credentials Are the Achilles Heel of IoT Security

Michael Greene -
Illustration: © IoT For All

The security of IoT devices hinges on the strength of their credentials. According to Verizon’s most recent Data Breach Investigations Report, credentials are one of attackers’ most sought-after targets, ahead of bank, medical and personal data. When you consider the plethora of digital accounts and connected technologies in use today, it’s easy to understand why bad actors find credentials so appealing. What’s harder to grasp is why companies continue to fall victim to credential-based attacks. As IoT devices and systems become increasingly complex, it’s imperative that organizations take action to shore up this critical weakness. Understanding and addressing the following major credential security challenges is the first step.

Default Passwords

By 2029, Gartner expects that more than 15 billion IoT devices will be connected to enterprise infrastructure. While this trend brings numerous business advantages, it also introduces a credential-related security challenge. Until relatively recently, many connected devices shipped with a default password as standard. This was the case with roughly 600,000 GPS trackers found in 2019 to be using the default password 123456. That one weak credential let attackers log in to spy on users, spoof the tracker’s reported location, or intercept emergency calls to family members or authorities. Default passwords also exposed the manufacturer itself: an attacker could hijack accounts, change their passwords, and lock legitimate customers out, creating customer-support and reseller problems on top of the privacy breach.

While this trend has begun to change with the introduction of California’s IoT law, which requires connected devices sold in the state to ship with a password unique to each device or to force the user to set a new one before first use, it remains good practice to replace every default credential before an IoT device is deployed. Companies should also monitor the integrity of IoT credentials on an ongoing basis and wire that monitoring to an automated response, such as forcing a credential rotation or quarantining the device, whenever a sign of compromise is detected.

Poor Password Practices

Another primary driver of credential compromise is people’s notoriously poor password habits. When faced with managing credentials for numerous online accounts and services, employees typically create simple, easy-to-remember passwords. They also often reuse the same password across multiple accounts, or slight variations of the same root phrase, for example “P@ssword1” and “P@$$word1.”

This isn’t a problem to be found solely among entry-level employees or those who work in non-technical fields. Nearly a quarter of IT security leaders in a recent survey admitted to using the same passwords across both work and personal sites. If any of these credentials have been exposed in a prior breach, it’s akin to rolling out the welcome mat for hackers. These bad actors have access to a treasure trove of compromised passwords via the Dark Web, cracking dictionaries, and other sources; it’s only a matter of time before they use them to infiltrate IoT devices and enterprise systems.

Emerging Authentication Mechanisms

Another credential security challenge is understanding the limitations of the various emerging authentication mechanisms to determine which ones to use and how to best deploy them.

  • Multi-factor Authentication: MFA requires an additional authentication factor before granting access to the account, for example a password combined with a one-time code delivered by SMS. Its strength depends heavily on the factors used (SMS codes can be intercepted through SIM swapping or phished in real time, whereas hardware security keys resist both), but users typically find MFA cumbersome and don’t enable it when it is merely optional. Microsoft, for example, reports just an 11% MFA adoption rate among its enterprise cloud users.
  • Adaptive Authentication: Adaptive authentication cross-references IP address, geolocation, device reputation, and other signals to assign a risk score to each inbound login and steps up to additional factors when the score crosses a threshold. Because these systems are typically tuned aggressively to maximise detection, they often demand additional authentication steps in situations that don’t warrant them, leaving employees frustrated.
  • Biometric Authentication: Biometrics have been touted as a magic pill for credential security, but widespread adoption is unlikely in the near future. Biometric systems also keep a password-based fallback for when the sensor fails or is unavailable, so the password layer never really goes away. Finally, biometrics come with a security challenge of their own: employees can’t rotate their retina or fingerprints once a template is compromised.
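To make the adaptive-authentication trade-off concrete, here is an added illustration (not code from the article, from Enzoic, or from any authentication product) of a risk scorer built from the signals the list above names: IP reputation, device reputation and geolocation, plus an "impossible travel" check derived from the previous login. The signal weights, the 900 km/h travel limit, the blocklisted IP and the step-up/deny thresholds are all assumptions chosen for the example; the `decide` function's `step_up_at` knob is the tuning choice that decides whether every new phone triggers a challenge.

```python
"""Adaptive-authentication risk scoring: an added illustration, not code from
the article or from any vendor.  Signal weights and thresholds are assumptions
chosen for this example, not values from any product."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginAttempt:
    user: str
    ip: str
    lat: float
    lon: float
    device_id: str
    at: datetime


@dataclass
class UserHistory:
    known_devices: set
    last_lat: float
    last_lon: float
    last_at: datetime


# Constructed sample of an IP-reputation blocklist (203.0.113.0/24 is a
# documentation range, so this entry never matches a real client).
BAD_IPS = {"203.0.113.7"}

# Assumed signal weights; a real product tunes these from login telemetry.
WEIGHTS = {
    "ip_blocklisted": 50,
    "impossible_travel": 40,
    "new_device": 20,
    "new_location": 10,
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt, history, bad_ips=BAD_IPS):
    """Return (score, reasons) for one login judged against the user's history."""
    reasons = []
    if attempt.ip in bad_ips:
        reasons.append("ip_blocklisted")
    if attempt.device_id not in history.known_devices:
        reasons.append("new_device")
    distance = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    hours = (attempt.at - history.last_at).total_seconds() / 3600
    # Covering the distance faster than ~900 km/h since the last login is not a
    # flight; it is two different actors using the same account.
    if hours > 0 and distance / hours > 900:
        reasons.append("impossible_travel")
    elif distance > 500:
        reasons.append("new_location")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score, step_up_at=20, deny_at=70):
    """Map a score to an action.  step_up_at is the knob the article warns
    about: set it at or below the new_device weight and every new phone
    triggers an MFA challenge, which is exactly what frustrates users."""
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"
```

With the default `step_up_at=20`, a known user logging in from a new phone at their usual location is challenged every time; raising the threshold to 30 lets that case through while still stepping up when a new device coincides with a new location, and an impossible-travel login or a blocklisted source address is still caught on its own. That is the tuning decision behind the "aggressively tuned" complaint in the list above.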

Securing the Password Layer

As the above underscores, when it comes to IoT credential security there is no substitute for securing the password layer. MFA and other authentication strategies certainly have their place, but unless companies can get a handle on password security, they will continue to fall victim to attack. So, what should organizations do?

One of the most cost-effective approaches is to implement automated credential screening that checks a new password against known compromised passwords when it is created and re-checks existing credentials on a daily basis, since a password that was clean yesterday may appear in today’s breach dump. This takes the onus of creating overly complex passwords off of employees and helps companies eliminate the threat of compromised passwords without eating up significant IT resources.
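The following is an added example of the screening the paragraph above describes, tying together the three problems raised earlier on the page: vendor default passwords, reuse of one root phrase under leetspeak disguises (“P@ssword1” versus “P@$$word1”), and passwords already present in a breach corpus. It is not the article's, Enzoic's, or any vendor's code. The default list and the breach corpus are tiny constructed samples; the prefix-lookup shape (client sends the first five hex characters of the SHA-1, receives `SUFFIX:COUNT` lines, finishes the match locally) is the k-anonymity range interface popularised by Have I Been Pwned's Pwned Passwords API, here served from an in-memory index instead of a network call so the example runs offline.

```python
"""Credential screening: default-password list, root-phrase reuse, and a
k-anonymity breach-corpus lookup.  Added example; not code from the article
or from Enzoic.  All data below is constructed for illustration."""
import hashlib
import re
from collections import defaultdict

# Constructed sample of vendor default credentials (not a real vendor list).
KNOWN_DEFAULTS = {"123456", "admin", "password", "12345678", "default"}

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# A real screening service holds billions of entries.
BREACH_CORPUS = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "Summer2019!": 1200,
}

# Common leetspeak substitutions, undone so variants collapse to one root.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "!": "i", "4": "a", "5": "s", "7": "t"})


def root_phrase(pw: str) -> str:
    """Collapse a password to the root its owner keeps reusing: drop trailing
    digits/punctuation, undo leetspeak, lowercase ("P@$$word1" -> "password")."""
    trimmed = re.sub(r"[^A-Za-z]+$", "", pw)
    return trimmed.translate(LEET).lower()


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group the corpus by 5-char SHA-1 prefix, as a range service would."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def lookup_range(prefix: str):
    """Stand-in for the network call.  Only the 5-char prefix ever leaves the
    client; the full hash and the plaintext stay local."""
    assert len(prefix) == 5, "range lookups take exactly 5 hex characters"
    return RANGE_INDEX.get(prefix, [])


def breach_count(pw: str, lookup=lookup_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(pw)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen(candidate: str, previous=(), lookup=lookup_range) -> dict:
    """Screen a new password at creation time.  `previous` holds the user's
    earlier passwords (plaintext here only because this is an illustration).
    Returns the findings; an empty dict means the password passed."""
    findings = {}
    if candidate in KNOWN_DEFAULTS:
        findings["default"] = True
    seen = breach_count(candidate, lookup)
    if seen:
        findings["breached"] = seen
    root = root_phrase(candidate)
    if root and any(root_phrase(p) == root for p in previous):
        findings["root_reuse"] = root
    return findings
```

Re-screening existing credentials on the daily schedule the paragraph calls for needs a stored, comparable form of each password, because the plaintext is only available at creation time; how a product retains that safely is its own design problem and is beyond this example. Note also that `root_phrase` is deliberately lossy: it exists to catch the “P@ssword1” to “P@$$word1” rotation, not to judge strength, so a pass-phrase with no leet characters comes back unchanged and is only judged by the other two checks.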

Employees may be the ones creating passwords, but the responsibility of credential security ultimately lies with organizations. Bad actors will continue to target credentials as a means of attack, but with the right dynamic credential screening solution, companies can safeguard passwords and sensitive data while successfully warding off these attempts.

Michael Greene - CEO, Enzoic

Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.