Internet of Things Access Authority Failure Through Factory Default Credentials on Internet-Exposed Devices at Mirai Botnet

The proliferation of internet-connected devices — cameras, routers, DVRs, baby monitors, smart appliances — created a vast population of network-accessible computers running embedded operating systems, typically Linux-based, with remote administration interfaces accessible via Telnet or SSH. These devices were manufactured by hundreds of companies, many of which prioritized ease of setup and low cost over security. Devices shipped with factory-default credentials — username and password combinations like admin/admin, root/root, admin/password, or manufacturer-specific defaults — printed in user manuals and widely documented online.

The devices were designed to be plugged in and immediately functional. Manufacturers did not require users to change the default credentials before the device connected to the internet. Many devices had no mechanism to enforce a credential change — the default password worked indefinitely. Some devices had hard-coded credentials that could not be changed at all. Consumers configured their home networks to allow remote access — to view camera feeds from a phone, for example — exposing administration interfaces to the entire internet. Millions of devices sat on the public internet protected only by credentials that were identical across the product line and publicly documented.

Mirai, created in 2016 by three American college students, was a relatively simple piece of malware. It scanned random IP addresses across the internet, identified devices with open Telnet or SSH ports, and attempted to log in using a table of 62 factory-default username and password combinations covering the most common IoT device manufacturers. When a login succeeded, Mirai installed itself on the device and enlisted it into a botnet — a network of compromised devices that could be commanded to flood a target with traffic simultaneously.

On October 21, 2016, the Mirai botnet launched a distributed denial-of-service attack against Dyn, a major DNS infrastructure provider. The attack generated an estimated 1.2 terabits per second of traffic — an extraordinary volume assembled from hundreds of thousands of individually low-powered devices acting in concert. Because Dyn provided DNS resolution for many major websites, the attack disrupted access to Twitter, Netflix, Reddit, GitHub, PayPal, Spotify, and numerous other services for users across the eastern United States. The internet's basic navigation infrastructure was overwhelmed by traffic generated by cameras and DVRs that had shipped with default passwords.

The devices had authentication. A login screen appeared. A username and password were required. The authentication mechanism functioned exactly as designed. But the credentials were not individualized. The same username and password that worked on one device worked on every device of that model — and across many models from different manufacturers, since the default combinations converged on a small number of common pairs. The authentication verified that the entity logging in knew the credentials. It did not verify that the entity was authorized, because the credentials were public knowledge. Authentication without individualized credentials is authentication that authenticates everyone.

No mechanism required credential changes before internet exposure. The gap was not that devices lacked a login process — they had one. The gap was that the step between "device has authentication" and "device has meaningful authentication" was left entirely to the end user, who in most cases was a consumer with no security expertise who wanted their camera to work. The manufacturer shipped the device with the access control in place but not activated in any meaningful sense. The login screen existed. The security the login screen implied — that only authorized users could access the device — did not exist as an enforced condition. The form of access control was present. The substance of access control was absent.

The three creators pleaded guilty in December 2017 and were sentenced to probation and community service. The released source code spawned numerous variants. The attacks prompted legislative responses including California's SB-327 (2018), the first U.S. state law requiring IoT manufacturers to equip devices with unique preprogrammed passwords or require credential changes before first use. The UK's Product Security and Telecommunications Infrastructure Act (2022) and the EU's Cyber Resilience Act established similar requirements — encoding in law the principle that security defaults, not user configuration, must provide baseline access control for connected devices.