In a recent article, a project led by a computer science professor at Columbia University conducted preliminary scans of some of the largest Internet Service Providers (ISPs) in North America, Europe, and Asia. He and his team uncovered thousands of embedded devices susceptible to attack – thanks to default credentials and remote administration panels being available to the Internet. It is amazing to us that there are still many people (and possibly organizations) who don’t take into account the security implications of not changing credentials on outward facing devices! This goes beyond patching systems and having strong password policies. It’s highly unlikely you’re developing strong passwords internally if you’re not even changing what attackers know is true externally.
The fact that these devices are available is quite scary. It becomes trivial for an attacker to take over control of what is likely the only gateway in a residential network. The average user has little need to access these devices on a regular basis, so hardening the password and recording it on paper or even using a password vault like TrueCrypt is a good option for reducing the threat level. More importantly, how many home users need outside access to their gateway?
This all goes back to the common theme of being an easy target. If you let attackers see you as the low hanging fruit, you’re just asking to become a statistic. This is the digital equivalent to walking down a dangerous street at night with your head down, shoulders slumped, avoiding eye contact, and having hundred dollar bills popping out of your pockets! We can’t make it easy for them. It’s important that we make them think twice about attacking us- and simple things like changing default passwords or patching our machines (automatic updates, anyone?) allow us to take advantage of that 80% result with only 20% effort!