Default Username and Password in Internet of Things

Abstract: There are several vulnerabilities and consequences resulting from the use of the authentication method of default username and password. This study uses the Mirai attack targeting Dyn in 2016 as the main motivation. The key vulnerability in the attack on Dyn, was the authentication method of default username and password. This study performs an analysis on the Internet of Things devices available for Swedish consumers with the focus on identifying and mapping devices using the method of default username and password. Other methods of authentication are also identified as well as analyzed. The results show that most of the devices does not use the authentication method of default username and password, this does not necessarily result in a simple answer on whether the product is secure or not. Factors such as how the authentication method is implemented and how the method works in the real-world is important. The information on implementation and real-world use found in the manuals has not always been clearly detailed by the manufacturers, raising further questions on the security of IoT devices.