Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label AI password attacks. Show all posts
Login Credentials
AI in robotics AI password attacks Cyber Security Data protection data security Device Security Login Credentials

Yarbo Robotic Lawnmower Flaw Exposed Thousands of Devices With Shared Passwords

 

A single password opened thousands of Yarbo’s robot mowers worldwide, leaving owners in over thirty nations vulnerable without knowing it. While testing how these smart devices manage login requests, analyst Andreas Makris spotted the weak point - simple as typing “admin” into a forgotten backdoor. Some of these exposed devices operate using Linux platforms, linked straight to the web, depending on camera inputs, location signals, wireless links - also automatic map functions. 

Units across many regions used identical preset login details, investigators found. Remote entry into such hardware could happen without consent, Makris explained. Midway through the review, personal data came into view - email addresses, exact lawn mower locations, and network credentials laid bare. Testing revealed a real-time display pinpointing above 11,000 units active in at least thirty nations. 

While examining traffic patterns, digital trails linked each machine to specific geographic points. Visibility extended beyond basic details once hidden layers were uncovered. Not just limited to leaked information, the dangers included remote hijacking of lawn robots. Through experiments, scientists showed unauthorized users might trigger motion controls, switch on built-in imaging tools, while also probing residential networks for weak spots - all from a distance. 

Operating much like standard web-linked machines, these gadgets may end up pulled into coordinated hacking efforts. Such capabilities raise concern about their role in broader digital threats. A test shown to journalists supposedly let someone in Germany steer a 200-pound lawn mower near a home in New York, though they were separated by thousands of miles. Commands sent from afar took priority over hands-on operation, yet people close by received no warning when shifts occurred.  
Warnings emerged about gadgets placed close to critical infrastructure raising wider safety risks. Not far from power stations or manufacturing zones, fragile automated machines might operate, Makris noted - highlighting growing unease over threats to both physical setups and digital networks. Fixing the problem via firmware patches did not work - systems kept falling back to identical default passwords. 

Even after updates, the same login details resurfaced across devices. Experts pointed out that swapping passwords alone misses larger flaws: built-in factory access remains, while remote management tools stay vulnerable by design. Later, Yarbo admitted the issues once details emerged. Though based openly in New York, it holds ties to Hanyang Tech located in Shenzhen, China. Reports indicate the firm shut down some remote diagnostics pathways following scrutiny. 

Root passwords were reset shortly afterward. Access without authentication saw restrictions applied. Instead of using one password for every machine, new measures shifted toward unique credentials per device. Despite pledges of improved audit mechanisms and stricter controls on remote diagnostics, concerns lingered. Backdoor-style access by manufacturers allegedly persists in the equipment, skeptics noted - undermining claims of real change. Hidden backdoors and minimal built-in safeguards in smart gadgets are drawing sharper scrutiny, according to researchers. 

With households increasingly using AI-powered tools, robotic aids, or connected sensors, vulnerabilities multiply. Instead of isolated digital leaks, failures might now trigger real-world harm - door locks failing, cameras hijacked, entire home networks invaded. Security flaws once seen as minor glitches may now enable intrusions beyond data theft. 

When manufacturers skip strong defaults, everyday convenience turns into risk points across neighborhoods. Because these devices interact physically with environments, weaknesses aren’t just virtual - they can reach into living rooms, garages, even children's bedrooms. So while automation spreads rapidly, oversight lags behind, leaving gaps attackers can exploit.
Read more »
Technology
Active Directory security AI password attacks generative AI cybersecurity PassGAN password cracking AI Technology

How Generative AI Is Accelerating Password Attacks on Active Directory

 

Active Directory remains the backbone of identity management for most organizations, which is why it continues to be a prime target for cyberattacks. What has shifted is not the focus on Active Directory itself, but the speed and efficiency with which attackers can now compromise it.

The rise of generative AI has dramatically reduced the cost and complexity of password-based attacks. Tasks that once demanded advanced expertise and substantial computing resources can now be executed far more easily and at scale.

Tools such as PassGAN mark a significant evolution in password-cracking techniques. Instead of relying on static wordlists or random brute-force attempts, these systems use adversarial learning to understand how people actually create passwords. With every iteration, the model refines its predictions based on real-world behavior.

The impact is concerning. Research indicates that PassGAN can crack 51% of commonly used passwords in under one minute and 81% within a month. The pace at which these models improve only increases the risk.

When trained using organization-specific breach data, public social media activity, or information from company websites, AI models can produce highly targeted password guesses that closely mirror employee habits.

How generative AI is reshaping password attack methods

Earlier password attacks followed predictable workflows. Attackers relied on dictionary lists, applied rule-based tweaks—such as replacing letters with symbols or appending numbers—and waited for successful matches. This approach was slow and computationally expensive.
  • Pattern recognition at scale: Machine learning systems identify nuanced behaviors in password creation, including keyboard habits, substitutions, and the use of personal references. Instead of wasting resources on random guesses, attackers concentrate computing power on the most statistically likely passwords.
  • Smart credential variation: When leaked credentials are obtained from external breaches, AI can generate environment-specific variations. If “Summer2024!” worked elsewhere, the model can intelligently test related versions such as “Winter2025!” or “Spring2025!” rather than guessing blindly.
  • Automated intelligence gathering: Large language models can rapidly process publicly available data—press releases, LinkedIn profiles, product names—and weave that context into phishing campaigns and password spray attacks. What once took hours of manual research can now be completed in minutes.
  • Reduced technical barriers: Pre-trained AI models and accessible cloud infrastructure mean attackers no longer need specialized skills or costly hardware. The increased availability of high-performance consumer GPUs has unintentionally strengthened attackers’ capabilities, especially when organizations rent out unused GPU capacity.
Today, for roughly $5 per hour, attackers can rent eight RTX 5090 GPUs capable of cracking bcrypt hashes about 65% faster than previous generations.

Even when strong hashing algorithms and elevated cost factors are used, the sheer volume of password guesses now possible far exceeds what was realistic just a few years ago. Combined with AI-generated, high-probability guesses, the time needed to break weak or moderately strong passwords has dropped significantly.

Why traditional password policies are no longer enough

Many Active Directory password rules were designed before AI-driven threats became mainstream. Common complexity requirements—uppercase letters, lowercase letters, numbers, and symbols—often result in predictable structures that AI models are well-equipped to exploit.

"Password123!" meets complexity rules but follows a pattern that generative models can instantly recognize.

Similarly, enforced 90-day password rotations have lost much of their defensive value. Users frequently make minor, predictable changes such as adjusting numbers or referencing seasons. AI systems trained on breach data can anticipate these habits and test them during credential stuffing attacks.

While basic multi-factor authentication (MFA) adds protection, it does not eliminate the risks posed by compromised passwords. If attackers bypass MFA through tactics like social engineering, session hijacking, or MFA fatigue, access to Active Directory may still be possible.

Defending Active Directory against AI-assisted attacks

Countering AI-enhanced threats requires moving beyond compliance-driven controls and focusing on how passwords fail in real-world attacks. Password length is often more effective than complexity alone.

AI models struggle more with long, random passphrases than with short, symbol-heavy strings. An 18-character passphrase built from unrelated words presents a much stronger defense than an 8-character complex password.

Equally critical is visibility into whether employee passwords have already appeared in breach datasets. If a password exists in an attacker’s training data, hashing strength becomes irrelevant—the attacker simply uses the known credential.

Specops Password Policy and Breached Password Protection help organizations defend against over 4 billion known unique compromised passwords, including those that technically meet complexity rules but have already been stolen by malware.

The solution updates daily using real-world attack intelligence, ensuring protection against newly exposed credentials. Custom dictionaries that block company-specific terminology—such as product names, internal jargon, and brand references—further reduce the effectiveness of AI-driven reconnaissance.

When combined with passphrase support and robust length requirements, these measures significantly increase resistance to AI-generated password guessing.

Before applying new controls, organizations should assess their existing exposure. Specops Password Auditor provides a free, read-only scan of Active Directory to identify weak passwords, compromised credentials, and policy gaps—without altering the environment.

This assessment helps pinpoint where AI-powered attacks are most likely to succeed.

Generative AI has fundamentally shifted the balance of effort in password attacks, giving adversaries a clear advantage.

The real question is no longer whether defenses need to be strengthened, but whether organizations will act before their credentials appear in the next breach.
Read more »
Subscribe to: Posts (Atom)