A new malware known as Silex is bringing smart devices to their knees.
The Silex malware, according to ZDNet, ruins smart devices by gaining access to and destroying a device’s storage, eliminating its firewall and removing its network configuration. From here, the device stops working.
Silex was reportedly created by a 14-year-old hacker who goes by the pseudonym Light Leafon, according to ZDNet. The malware went unknown until it was spotted by Larry Cashdollar, a security exploit researcher, on Tuesday. “It’s using known default credentials for IoT devices to log in and kill the system,” Cashdollar told ZDNet, which reports that Silex first affected 350 devices and then quickly spread to over 1,500 more.
So, Silex is targeting pretty much any UNIX like OS with default login credentials. Doesn't matter if it's an ARM-based DVR or an x64 bit system running Redhat Enterprise if your login is root:password it could wreck your system.
— Larry W. Cashdollar (@_larry0) June 25, 2019
The smart home device Achilles heel: Using default passwords
The prevalence of Internet of Things devices that ship with default passwords is nothing new. Research by Positive Technologies from 2017 showed that default passwords to 15 out of 100 IoT devices had never been changed. While not the majority, that’s certainly a large chunk of the 26 billion smart things devices out in the wild. The hacker is presumed to be inspired by the botnet BrickerBot, which plagued smart devices back in 2017. Both Silex and BrickerBot before it rely on default login credentials to gain control.
The danger associated with most of the devices around us having guessable passwords is obvious. So much so that, in 2018, California banned hardware from shipping with guessable logins like “password” and “123456.” The law also required that device makers force users to change a device’s built-in password upon setup.
How to prevent Silex from ruining your devices
The Silex malware relies on guessing your device’s user name and password. Since this malware is so new, it may be a while before your smart device issues a fix for the hack. So what can you do in the meantime?
“If users buy a device with standard, hard coded credentials, the best thing they can do is change the username and password for the device as quickly as possible,” says Tendermint’s director of security Jesse Irwin, a former staffer at the popular password management app 1Password.
The good news is that changing your device’s default admin password may help prevent an attack against the Silex malware. The bad news: all devices are not created equal. Changing the admin password on a DVR may be more difficult than changing it on a router, for example.
Irwin notes that when trying to figure out the default username and password on an Internet-connected device, there are a few places people should look. Manufacturers often print usernames and passwords stickers to put on devices, or they include the information in user guide or setup instructions.
“If a device’s credentials cannot be changed, there are deeper technical measures that can be taken,” says Irwin. “But if you are not able to take care of those things on your own, return it.” The great thing about the booming market for connected devices, is that there are almost always other, safer options for available, she adds.
More must-read stories from Fortune:
—The fall and rise of VR: The struggle to make virtual reality get real
—“It’s just lazy”: Current’s CEO on Facebook Calibra’s similar logo
—Slack went public without an IPO. Here’s how a direct offering works
—Welcome to the next generation of corporate phishing scams
—Listen to our new audio briefing, Fortune 500 Daily
Catch up with Data Sheet, Fortune‘s daily digest on the business of tech.
