These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

Always change your device’s default password.

Graham Cluley
Graham Cluley
@[email protected]

These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet

The release of the Mirai source code demonstrates just how easy it has become to hijack poorly-protected Internet of Things devices into botnets.

Mirai has become infamous in recent weeks after blasting the website of security blogger Brian Krebs off the internet with a massive distributed denial-of-service (DDoS) attack, powered by compromised internet-enabled DVRs and IP cameras.

What can you on an individual basis do about this at home or in the office to make sure you’re not contributing to the problem?

Sign up to our free newsletter.
Security news, advice, and tips.

Well, you can make sure that your IoT devices aren’t “protected” by dumb default usernames and passwords, such as the following which are hardcoded into Mirai’s source code:

Username Password
666666 666666
888888 888888
admin (none)
admin 1111
admin 1111111
admin 1234
admin 12345
admin 123456
admin 54321
admin 7ujMko0admin
admin admin
admin admin1234
admin meinsm
admin pass
admin password
admin smcadmin
admin1 password
administrator 1234
Administrator admin
guest 12345
guest guest
mother fucker
root (none)
root 00000000
root 1111
root 1234
root 12345
root 123456
root 54321
root 666666
root 7ujMko0admin
root 7ujMko0vizxv
root 888888
root admin
root anko
root default
root dreambox
root hi3518
root ikwb
root juantech
root jvbzd
root klv123
root klv1234
root pass
root password
root realtek
root root
root system
root user
root vizxv
root xc3511
root xmhdipc
root zlxx.
root Zte521
service service
supervisor supervisor
support support
tech tech
ubnt ubnt
user user

As Security Week reports, many of the vulnerable devices which have made up the Mirai botnet contain software and hardware manufactured by a Chinese company called XiongMai Technologies:

XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

Not changing a default username and password on an internet-enabled device is as good as having no password at all.

Be a responsible member of the community, change your passwords to something which is non-obvious, hard to crack, unique and not the password the device shipped with. And don’t buy technology from firms who don’t appear to have given a second’s thought to security.

Manufacturers could clearly play their part, forcing users to choose a different password rather than allowing them to stick with reckless combinations like admin:password.

But as long as there is a demand for cheap IoT devices, there will be plenty of manufacturers happy to cut corners and put the internet community at risk.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet”

  1. Chris Rose

    Hi Graham, I accept that advising people to change the password on IoT devices is something we should do (and I do this after being in this I.T. business for 40 years). But in the case of 99% of these devices the Telnet / SSH passwords cant be changed due to being hard coded into the firmware. So even if the users change the password on the Web interface the device is still vulnerable. An additional problem is that these low cost devices and a fair percentage of the upcoming 2 biliion devices Gartner predict will be on the IoT by 2020 are likely to be connected to the IoT for a minimum of five years.

    As I see it there are only two possible solutions to the existing 500,000 devices out there that have this problem.

    1) Get users to stop using them and replace them (and how likely is that to happen ?)

    2) Get ISP's to shutdown a users connection if the user has one of these devices participating in a DDOS attack. And the ISP to not reconnect the users until the device is secured or removed. (And I can't see this solution being implemented either – can you ?)

    These devices are already out there and 99.999% of the users who have them on their LANs have no idea what the bad guys are doing with their IoT devices.

    Pandoras box is already open !!

    1. codlab · in reply to Chris Rose

      3) stop using IoT devices with remote access :0)

  2. Jesse

    Thanks for posting. How would someone know if their devices are affected? What's the best way to check? Thanks

  3. coyote

    'Not changing a default username and password on an internet-enabled device is as good as having no password at all.'

    In some ways? Yes. In other ways? It's worse because many would think it 'secure'. After all, people use such stupid passwords by choice. No comment on those in particular.

    As for TELNET? Absolutely unacceptable. No option of disabling it? Also unacceptable. Making it harder but still possible is also unacceptable as is making it impossible or hard to change the passwords. Is the SSH service using proper configuration? Would be surprised but in any case the only solution in this problem is not having everything connected to the Internet. I don't see that happening so the next best thing is as usual awareness. But there is no fix here.

    I don't buy into the idea of accusing China (for example) of breaking into computer networks; I especially don't like it when there is little proof and worse is when the accuser is actually a perpetrator (esp looking at the USA but I know they aren't the only ones; they are however with what is arguably the loudest mouth). But I do find it ironic and amusing; it could be a conspiracy theory: the company works for the state and therefore deliberately has these vulnerabilities in so they can more easily exploit the devices in the world….

    But even if it was probable speculation and accusations aren't helpful but harmful.

  4. Simon Peacock

    Default passwords are not necessarily an issue if they are both strong and random. I am working on an IOT device in which the only way to get the password is from the MQTT frame (why didn't they allow encryption from the start?) and every unit has a unique, long strong password. CPU has secure storage and the password isn't able to be changed or viewed (this is a sensor type device, no user access at all). My beef is the lack of thought in protocols, sure I could use TLS or SSL but this is an 8-bit controller with 16k of FLASH, no user access, one button startup. All it would have taken is some extra salt within the protocol to make it more secure so that passwords are never sent clear text and never sent the same.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.