IoT Security: Easy to Compromise, Not So Easy to Fix
Why Hackers Find it So Tempting to Attack IoT
At the end of August, well-known security researcher Johannes Ullrich conducted a simple experiment that showed just how hostile the Internet is for connected devices.
Ullrich, the dean of research for the SANS Technology Institute, connected a digital video recorder to the Internet and left it there for nearly two days, rebooting the device — essentially wiping the slate clean — every five minutes. It only took two minutes, on average, for the DVR to be compromised by an attack. And not just any type of attack, but the most basic of approaches: Someone used the default password for the device.
The experiment underscores the spotty security plaguing so many of the connected devices that make up the so-called Internet of Things. While some devices have well-thought-out protections, others can easily be exploited by attackers. "This is not just about DVRs, but any device connected to the Internet with default passwords," Ullrich said. "Devices running Linux and using one of these default passwords — they are getting popped within minutes."
There are millions, if not billions, of vulnerable devices connected to the Internet — from home routers to video cameras, and from medical devices to thermostats. The Internet of Things is firmly in the sights of attackers, and unfortunately the bad guys don't have to work very hard: manufacturers continue to ship these devices with default passwords, a practice that should have been stopped years ago.
In the summer of 2016, for example, attackers quickly spread malware across the Internet, armed only with a list of 62 commonly used and default passwords for — mostly — connected video cameras. The malware, the now well-known Mirai, scanned the Internet, infected the cameras it found, and then used each compromised device to keep scanning while awaiting new commands.
An early command was to create a massive denial-of-service attack — an unprecedented massive flood of data — to make inaccessible the Web site of noted security journalist Brian Krebs in September 2016. The following month, attackers used the Mirai botnet — and other attack networks — to disrupt the operations of Dyn, an Internet infrastructure provider, and its clients, reportedly including Netflix, Twitter and CNN.
While smaller attacks happened earlier in the summer, the massive data floods against Krebs and Dyn made Mirai the poster boy for the dangers of insecure devices. "IoT botnets did not start with Mirai, they just gained a lot of exposure," said Ben Herzberg, security group research manager for security firm Imperva.
Mirai raised awareness of the danger of IoT devices among cyber security professionals, but it also attracted the attention of potential attackers. The release of Mirai's source code further fueled attackers' efforts.
In October, for example, another group introduced Hajime, which also uses default passwords to infect devices. Hajime is both stealthier and more technically sophisticated than Mirai. Because neither malware overwrites the flash memory of the compromised device — a restart resets the device to a clean, but still vulnerable, state — a single IoT device can be serially attacked by different malware, Waylon Grange, a malware analyst with Symantec, wrote in a January blog post.
"One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware (or) worms that are out there scanning for devices with hardcoded passwords," he said. "This cycle will continue with each reboot until the device is updated with a newer, more secure firmware."
Beyond Botnets
While most IoT compromises have led to the creation of botnets, security experts warn that more sophisticated attacks will become more common. Of significant concern for companies is an attacker using an insecure device as a beachhead — a technique known as pivoting.
The breach of retail giant Target happened in just this way. An attacker used the interface to the company's HVAC system to gain a foothold in the retailer's network, leading to the leak of more than 100 million records, including credit-card data.
Perhaps the most oddball pivot is the reported hack of a connected fish tank that led to the compromise of a North American casino, and could have resulted in 10GB of data being transferred to another country, according to an unverified report in the annual threat report of anti-malware firm DarkTrace.
Companies should be prepared for more sophisticated attacks that reach beyond default passwords, said SANS's Ullrich. "There are a number of other vulnerabilities — like Web application vulnerabilities in the admin interfaces for the devices — but at this point, it is too easy to go after the default passwords," he said.
Because the Internet of Things often connects the digital network to a physical device — such as a thermostat, x-ray machine or an industrial centrifuge — compromising the device can lead to physical damage. Attackers — most thought to be nation-state agents — are already accomplishing such attacks. The Stuxnet attack on Iranian uranium processing facilities in 2009 and 2010, and the more recent ransomware attacks on hospitals — causing operational disruptions — have both shown the vulnerability of connecting insecure digital devices with physical systems.
"We are seeing a lot of attacks beyond default passwords and other low-hanging fruit," said Brian Witten, senior director of Symantec Research Labs Worldwide. "We are already seeing a wide range of these attack techniques done at scale."
Unfortunately, there is no easy defense. Most manufacturers rarely patch, and most users wouldn't know how to patch the devices on their own.
For companies, the regular approach to information-technology systems — firewall and patch — does not necessarily work either. The business version of the Internet of Things tends to be devices needed for operation: Door locks, temperature controls and other physical systems.
Yet, there are things that the average company can do.
1. Don't Connect Unprotected IoT Devices to the Internet
The first line of defense for companies should be to put any connected device behind a good router with a firewall. While the approach can limit a device's functionality, it also prevents attackers from attempting to access the device via brute-force password guessing.
In addition, experts say a single firewall is not enough. Companies should also segment their network, preventing devices from accessing critical data and servers. Regularly monitoring the network for anomalous activity can also pick out when a device is acting strangely.
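The monitoring and segmentation advice above is easy to state and harder to operationalize. The following is an added example, not code from the article or from any of the companies quoted in it: a small detector that reads constructed flow records and flags two things, an IoT device sweeping telnet across many hosts (the scanning behaviour Mirai-style worms exhibit after infection) and an IoT device reaching into the server segment it should be walled off from. The subnet ranges, the telnet ports and the fan-out threshold are assumptions chosen for the example.

```python
"""Flag IoT devices that behave like scanners or cross into a protected segment.

Added example (not from the article): detection logic over constructed flow
records. Assumes the IoT devices live in 10.20.0.0/16, the critical server
segment is 10.1.0.0/16, and that infected devices probe telnet (23/2323) the
way Mirai did. Thresholds are assumptions, not measured values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.20.0.0/16")       # assumption: where IoT devices sit
CRITICAL_SEGMENT = ip_network("10.1.0.0/16")   # assumption: servers and data stores
SCAN_PORTS = {23, 2323}                        # telnet ports Mirai-style worms probe
FANOUT_THRESHOLD = 20                          # assumption: distinct dsts per source

# Constructed flow log, one "src dst dport" record per line. One DVR has
# started sweeping telnet across the Internet; one camera reaches into the
# server segment; one camera is behaving normally.
FLOW_LOG = "\n".join(
    [f"10.20.0.7 198.51.100.{i} 23" for i in range(1, 30)]
    + ["10.20.0.9 10.1.4.12 445", "10.20.0.9 10.1.4.12 3389"]
    + ["10.20.0.5 203.0.113.10 443", "10.20.0.5 203.0.113.10 443"]
)


def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield ip_address(parts[0]), ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue


def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Return IoT sources that contacted more than `threshold` distinct hosts on telnet ports."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        if src in IOT_SEGMENT and dport in SCAN_PORTS:
            fanout[src].add(dst)
    return {str(src): len(dsts) for src, dsts in fanout.items() if len(dsts) > threshold}


def find_segment_violations(flows):
    """Return (src, dst, dport) triples where an IoT device talks into the critical segment."""
    return sorted(
        {(str(s), str(d), p) for s, d, p in flows if s in IOT_SEGMENT and d in CRITICAL_SEGMENT}
    )


def analyse(text=FLOW_LOG):
    """Run both checks over a flow log and return the findings."""
    flows = list(parse_flows(text))
    return {"scanners": find_scanners(flows), "violations": find_segment_violations(flows)}


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

On the constructed log the DVR at 10.20.0.7 is reported with 29 distinct telnet targets and the camera at 10.20.0.9 is reported for two connections into 10.1.4.12; the camera talking only to an external web service on 443 is not flagged. The same fan-out logic works unchanged on exported NetFlow or firewall logs once the parser matches their field layout.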
2. Manage the Devices
Every business should know what devices are connected to their network and manage every single one, from the time it connects until it leaves. Default passwords should be changed, the device should be regularly checked to ensure it has the latest update, and the users who can access the device should be limited.
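The management rules in this step (change defaults, keep firmware current, limit who can log in, track a device from arrival to departure) can be enforced with a periodic audit of the inventory. The script below is an added example and not the article's or any vendor's code; the device inventory, the per-model vendor data and the policy limits are all constructed placeholders, and the "default credentials" in it are invented for the example rather than real vendor defaults.

```python
"""Audit an IoT device inventory against simple management rules.

Added example (not from the article). Each device is checked for: default
credential still in use, firmware behind the vendor's latest release, more
user accounts than policy allows, and no recent contact with the network.
Inventory, vendor data and limits are constructed for the example.
"""
from datetime import date

# Constructed vendor data: model -> latest firmware and factory credential.
# Placeholder values, not real vendor defaults.
VENDOR = {
    "dvr-x1": {"latest": "2.4.1", "default": ("admin", "admin")},
    "cam-z9": {"latest": "1.10.0", "default": ("root", "12345")},
}
MAX_USERS = 3          # assumption: policy limit on accounts per device
STALE_DAYS = 30        # assumption: unseen this long means gone or disconnected

# Constructed inventory. `credential` is the current admin login, kept in the
# clear here only so the example is self-contained.
INVENTORY = [
    {"id": "dvr-lobby", "model": "dvr-x1", "firmware": "2.4.1",
     "credential": ("admin", "admin"), "users": ["ops"],
     "last_seen": date(2017, 9, 20)},
    {"id": "cam-dock-3", "model": "cam-z9", "firmware": "1.9.2",
     "credential": ("root", "Kq7!v-long"), "users": ["ops", "sec", "fac", "tmp"],
     "last_seen": date(2017, 9, 20)},
    {"id": "cam-old", "model": "cam-z9", "firmware": "1.10.0",
     "credential": ("root", "Kq7!v-long"), "users": ["ops"],
     "last_seen": date(2017, 7, 1)},
]


def version_tuple(version):
    """'1.10.0' -> (1, 10, 0) so that '1.9.2' compares below '1.10.0' (string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev, today):
    """Return the list of policy findings for one device; empty means compliant."""
    vendor = VENDOR.get(dev["model"])
    if vendor is None:
        return ["unknown model: cannot check defaults or firmware"]
    findings = []
    if dev["credential"] == vendor["default"]:
        findings.append("default credential still in use")
    if version_tuple(dev["firmware"]) < version_tuple(vendor["latest"]):
        findings.append(f"firmware {dev['firmware']} behind latest {vendor['latest']}")
    if len(dev["users"]) > MAX_USERS:
        findings.append(f"{len(dev['users'])} users exceeds limit of {MAX_USERS}")
    if (today - dev["last_seen"]).days > STALE_DAYS:
        findings.append(f"not seen for over {STALE_DAYS} days: retire or investigate")
    return findings


def audit(inventory=INVENTORY, today=date(2017, 9, 21)):
    """Map device id -> findings, listing only devices with at least one finding."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit().items():
        print(dev_id, "->", "; ".join(findings))
```

In practice the inventory would be pulled from the asset database or a network scan rather than hard-coded, and the credential check would compare a hash rather than the cleartext password, but the version comparison and the staleness rule are the parts that are usually got wrong and are shown working here.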
Sensible in theory, but many devices do not have any way to be managed, SANS's Ullrich said.
"These devices tend to be so difficult to secure, because you don't have any integrated patch management systems for them," he said. "You can put them behind firewalls, but then you may lose a lot of functionality because you need to connect to those devices."
3. Be Prepared to be DDoSed
Finally, companies need to be prepared to be a target, even if their own devices are not vulnerable. The widespread availability of connected devices with default passwords and easily exploited vulnerabilities means that attackers have a ready supply of would-be bots to turn into a massive denial-of-service attack, Imperva's Herzberg warned.
"Organizations need to understand that this huge availability of IoT bots means that something that was very expensive or much more expensive a couple of years ago is cheaper for attackers these days," he said. "So, they need to prepare themselves for an attack."