Security researchers have discovered that manufacturers are reusing hardcoded security keys rather than giving each Internet of Things (IoT) device a unique key.
These “lazy” makers of routers and IoT devices are therefore leaving the devices open to the possibility of being hacked. Around 4,000 vulnerable devices were found.
The research team used Censys, a search engine for internet-connected devices with functions similar to the original (shodan.io), to discover the vulnerable devices. Using two companion tools, ZMap and ZGrab, Censys collects data on hosts and websites via scans of the IPv4 address space and maintains a database of how they are configured.
Zakir Durumeric, University of Michigan researcher, leader of the Censys project and inventor of ZMap, explained that his team is trying to maintain a database of everything on the internet. Durumeric says that ZMap is capable of determining whether machines online have security flaws that should be fixed before they are exploited. It can also find obvious bugs as well as issues caused by IT administrator failures.
“We have found everything from ATM machines and bank safes to industrial control systems for power plants. It's kind of scary,” Durumeric stated.