
55% of IoT Device Passwords are 123456 says Symantec

Brute-forcing doesn't need much brute, or much force...

By Claudia Glover

55% of passwords on Internet of Things devices are 123456, according to a study released by cybersecurity company Symantec.

Internet of Things (IoT) attacks are on the rise this year, Symantec noted in its Threat Landscape Trends Report for the first quarter of 2020, which is worrying as IoT devices are typically spectacularly under-protected.

(Cybersecurity company Palo Alto has also reported that 98 percent of IoT device traffic is unencrypted…)


With everything from thermostats to speakers online, that is a huge amount of data up for grabs for anyone who can spare enough time to guess 123456.

Once taken over, the device will be used within a botnet to attack more devices. The highest number of attacks are emanating from the US at the moment, at 23 percent, closely followed by China, at 19 percent. This means that America and China are the two countries worst hit by IoT attacks.

Palo Alto’s March threat report went into further detail:

“We’re witnessing a shift away from attackers’ primary motivation of running botnets to conduct DDoS attacks via IoT devices, to malware spreading across the network via worm-like features, enabling attackers to run malicious code to conduct a large variety of new attacks”.


Symantec Report

IoT attacks are not the only cyber threat on the rise in 2020.

Business Email Compromise (BEC) scams have resulted in £1.77 billion in losses for victims, Symantec found.

Almost 31,000 organisations have been targeted so far in 2020, making BEC scams the most damaging and effective type of cyber crime, at least according to the FBI, which cited BEC scams as one of the top three cyber crimes with the highest reported losses in its 2019 Internet Crime Report.

Phishing Scams

Phishing attacks have also made a comeback. After a slump in 2019 they are back and fighting fit in 2020, now accounting for one in every 4,200 emails, claims Symantec. This figure is startling as there are on average 306.4 billion emails sent each day in 2020.

The popularity of phishing attacks has been ascribed to the pandemic, as hackers have been trying to make the most of the population’s panic, and to home phishing kits, which allow novices to get much further than they normally would.


Finally, the number of unique websites compromised with formjacking code increased in Q1 2020 as more criminals vie for their share of this malicious activity. Formjacking is where cyber criminals inject malicious JavaScript code into a website to take over the functionality of some of its pages and lift sensitive information.

There were 7,836 websites compromised with formjacking code in Q1 2020, up from 7,663 the previous quarter.
