The number of IoT devices is skyrocketing, with projections of over 15 billion connected devices by the end of 2023 and over 17 billion by the end of 2024. This surge hasn't gone unnoticed by attackers looking to exploit the many weaknesses of a still-immature industry. The devastating impact of such weaknesses was evident in the 2016 Mirai botnet attack, which recruited IoT devices that still answered on telnet and SSH with factory-default credentials and used them to knock out a significant portion of the Internet.
Fast forward 7 years from the Mirai incident, and we still see an escalating number of attacks on IoT devices with hardcoded credentials. The potential consequences grow more severe as these devices spread through our daily lives, managing everything from ovens and cars to smart locks. Attacks on these devices can disrupt lives and, in extreme situations, pose lethal threats.
The fledgling state of the IoT industry often pushes manufacturers to prioritize speed over security, shipping products before robust protection is in place. Consequently, they may fall back on hardcoded credentials or delegate security responsibilities to their hardware vendors.
Such lapses are a goldmine for attackers. Recovering a single shared password, for example by extracting it from a firmware image, can hand them control over millions of connected devices worldwide. That network of devices can then be used to disrupt services, distribute spam, attack further devices, and much more. Making matters worse, many of these hardcoded credentials are baked into the software or firmware, so changing the password after a breach is difficult, if not wholly impossible.
While cloud developers have abundant computing and storage resources at their disposal, IoT developers operate under strict limits. Every byte of storage and every cycle of compute must be carefully budgeted so that devices stay compact and energy-efficient. There is no room for a heavyweight management agent, so remote administration typically falls back on plain SSH, and too often on SSH with a shared password hardcoded into the image.
SSH certificates offer a practical solution. OpenSSH has supported certificate authentication since version 5.4 (2010), and most Linux-based IoT devices already ship it, so they are primed to accept certificates without any extra software. A device only needs the public key of the certificate authority (CA) configured in sshd; it stores no per-device secret and no password at all. Operators then log in with short-lived certificates signed by that CA, scoped to a principal and a validity window of minutes or hours, which eliminates hardcoded credentials without adding resource cost on the device.
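To make the flow above concrete, here is an added example (not the original page's or EZSSH's code) showing the minimal OpenSSH pieces: a user CA kept on a management host, a short-lived least-privilege certificate issued for an operator, the sshd fragment a device image would carry, and a few policy checks an issuer can run before handing a certificate out. The CA name, principal `device-admin`, the `operator` key, the `-cert.pub` paths and the config file name are all hypothetical; it assumes OpenSSH 5.4 or newer on the device and `ssh-keygen` on the management host.

```shell
#!/bin/sh
# Added example, not Keytos/EZSSH code: a minimal OpenSSH certificate
# authority for device management. Assumes OpenSSH 5.4+ on the device
# (certificate support) and ssh-keygen on the management host. Names,
# principals and paths are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir standing in for the CA host

# 1. User CA: one keypair, kept on the management host, never on a device.
#    Only its public half (user_ca.pub) is baked into the device image.
make_user_ca() {
  rm -f "$WORK/user_ca" "$WORK/user_ca.pub"
  ssh-keygen -q -t ed25519 -N '' -C 'iot-user-ca' -f "$WORK/user_ca"
}

# 2. Issue a short-lived, least-privilege user certificate.
#    $1 = operator key name to create, $2 = principal, $3 = validity window
#    -I   identity string that sshd writes to its log on every login
#    -n   principals: which device accounts this cert may claim
#    -V   validity window, e.g. '-1m:+10m' = 1 minute ago .. 10 minutes from now
#    -O clear, then -O permit-pty: drop every default extension (agent, X11 and
#         port forwarding) and grant back only an interactive shell
issue_user_cert() {
  rm -f "$WORK/$1" "$WORK/$1.pub" "$WORK/$1-cert.pub"
  ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"
  ssh-keygen -q -s "$WORK/user_ca" -I "$1@mgmt.example" -n "$2" -V "$3" \
    -O clear -O permit-pty "$WORK/$1.pub"
  # ssh-keygen writes $WORK/$1-cert.pub; ssh picks it up with "ssh -i $WORK/$1"
}

# 3. Device-side sshd fragment: trust the CA, map principals to local accounts,
#    and remove password authentication (the hardcoded-credential path) entirely.
write_device_sshd_fragment() {
  cat > "$WORK/50-iot-ca.conf" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
  # /etc/ssh/principals/admin on the device holds a single line: device-admin
}

# 4. Policy checks the issuer can run on a cert before handing it to an operator.
cert_has_principal() {              # $1 = cert file, $2 = expected principal
  ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

cert_window_ok() {                  # $1 = cert file; must expire, and not yet
  to=$(ssh-keygen -L -f "$1" | sed -n 's/.*Valid: from [^ ]* to \([^ ]*\).*/\1/p')
  [ -n "$to" ] || return 1          # "Valid: forever" is exactly what we forbid
  now=$(date +%Y-%m-%dT%H:%M:%S)    # same local-time ISO format as ssh-keygen -L
  expr "$now" \< "$to" >/dev/null   # lexicographic compare works for this format
}

cert_only_pty() {                   # $1 = cert file; no forwarding extension left
  ! ssh-keygen -L -f "$1" | grep -q 'permit-.*forwarding'
}

demo() {
  make_user_ca
  write_device_sshd_fragment
  issue_user_cert operator device-admin '-1m:+10m'
  ssh-keygen -L -f "$WORK/operator-cert.pub"
  cert_has_principal "$WORK/operator-cert.pub" device-admin && echo 'principal ok'
  cert_window_ok "$WORK/operator-cert.pub" && echo 'validity window ok'
  cert_only_pty "$WORK/operator-cert.pub" && echo 'no forwarding granted'
}

# Run the whole flow when executed directly:  sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh this_script.sh demo` to see `ssh-keygen -L` print the certificate's key ID, principal, validity window and the single `permit-pty` extension. The design point is that the device stores nothing secret: the CA private key never leaves the management host, revocation of an operator is just letting their ten-minute certificate lapse, and because `PasswordAuthentication` is off, a leaked default password is worthless even if one is still present in the image.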
At Keytos, our identity specialists are dedicated to streamlining and fortifying your IoT development journey. Our EZSSH offering is a total gamechanger, providing an SSH CA service that facilitates company-endpoint SSH access management via temporary certificates. Moreover, EZCA’s IoT PKI synergy with Azure’s IoT Hub ensures your IoT offerings remain secure, ushering in a passwordless era. To better grasp IoT device security, schedule a FREE consultation with one of our identity experts today!