
Cybersecurity & Infosec Blog

  • Writer: Brian Lechner
  • Jul 31, 2020

As the number of devices connected to the internet increases, so does the number of devices that can be exploited by cyber criminals. You can mitigate this risk by changing the default device admin password and the default Wi-Fi password, and by ensuring all devices are on the most recent firmware release.


Surprisingly, this issue is not unique to consumers; many businesses have devices on their networks that still have default accounts assigned to them. Default accounts are easily found with a simple Google search. Sites such as Datarecovery.com post listings of known default accounts for hundreds of network devices.


In the home, every device that connects to the internet will have a default administrative account set up. Be it a router, modem, TV, doorbell camera… you name it, and there is a default account that MUST be changed.


So, what’s the big deal? The big deal is that if a cyber criminal gains access to your router, they can watch everything you do on the internet. They would have access to your home Wi-Fi network, which in turn gives them access to your computer, phone, printers, tablets, etc.


A survey done by Broadbandgenie.co.uk in 2018 revealed that 82% of respondents have NEVER changed administrator passwords on their Wi-Fi routers. This is concerning. I have no doubt there are millions of Wi-Fi routers in the U.S. that are vulnerable due to defaults not being changed.


Changing the default password, and in some cases the default administrator account name, is not difficult. In fact, these instructions usually come with the device. Also, instructions on changing default passwords on most devices can be found on-line as mentioned previously.


In a similar survey, Broadbandgenie found that nearly 48% of those surveyed didn’t change default settings because they didn’t know why they’d need to. In addition, 51% said they’ve never done anything to secure any of their internet facing devices.


As the IoT (Internet of Things) continues to grow, so must the effort to educate people on the importance of securing their devices. Some manufacturers are starting to force admin password changes during device setup and to build devices that auto-update when new firmware is available; this is a huge step in the right direction. But until all devices feature some kind of forced security setup, this will unfortunately continue to be a vulnerability, one that could easily be mitigated if everyone understood the importance of locking their devices down.


How to change admin password on popular routers:


Additional Reading:


 
 
 

Updated: Jul 31, 2020


Two-Factor Authentication - It's the least you can do


While no security measure is 100% hack proof, adding two-factor authentication (2FA) is the single most important step you can take in securing your on-line accounts. According to TeleSign, over 73% of consumers reuse passwords across accounts, which is a terrible practice. But, adding two-factor authentication to every account will help mitigate this risk.


After adding 2FA to your accounts you'll be required to present two forms of authentication when logging in: your normal credentials - user name or email address and password - then the code received from the 2FA solution. The code is provided through either a text message or a mobile app. Most accounts will allow you to choose the method of 2FA; however, there are some that will only allow the use of texted codes. Either way, a hacker would need to get access to your email address or username, password and phone before they could log in to your account. Not an impossibility, but highly unlikely to happen.


That is not to say that a hacker couldn't gain access to your account through a social engineering attack where they may be able to reset your account. But, this is unlikely unless you are a high-profile target and is beyond the scope of this post.


2FA should be used on all of your accounts if possible. At a minimum you should be using 2FA on every account with sensitive data: bank accounts, email, social network accounts, credit card accounts, etc. Each of your accounts should offer step-by-step instruction for enabling 2FA.


By enabling 2FA you might be slightly inconvenienced by having to enter an additional 6 characters to access your accounts, but you have greatly reduced the odds of your accounts being hacked. Add to that using a different long password for each account and you've gone a long way to securing your information.
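The two-step login described above, as an added example that is not part of the original post. It assumes the mobile app generates its 6-digit codes with the TOTP standard (RFC 6238), which the post does not name; the function names and the demo secret are illustrative.

```python
# Added example: how an authenticator app and a server agree on a 6-digit code.
# Assumption: the app implements TOTP (RFC 6238) with HMAC-SHA1 and 30 s steps.
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # the extra 6 characters typed at login


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """Derive the code for the 30-second window that contains time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, submitted: str, at: float, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side (clock skew)."""
    ok = False
    for w in range(-drift, drift + 1):
        expected = totp(secret, at + w * STEP)
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def login(password_ok: bool, secret: bytes, code: str, at: float) -> bool:
    """Both factors must pass: a stolen password alone does not log in."""
    return password_ok and verify_code(secret, code, at)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    now = time.time()
    code = totp(demo_secret, now)  # what the phone app would display
    print("current code      :", code)
    print("password + code   :", login(True, demo_secret, code, now))
    print("password, bad code:", login(True, demo_secret, "000000", now))
    print("code, bad password:", login(False, demo_secret, code, now))
```

The shared secret is what the QR code transfers to the phone during 2FA enrollment, so the server must store it as carefully as a password.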


A few of the more popular 2FA apps (there are many others):


Additional Reading:

 
 
 