Just five username and password combos can get you access to 10 per cent of IoT devices
And 15 per cent of devices have never been changed from their default values
Just five of the most popular username and password combinations are enough to get administrative access to one out of every 10 devices, according to research by cyber security company Positive Technologies.
Furthermore, the London-based company suggested that passwords for approximately 15 out of 100 devices have never been changed from their default values.
Therefore, the default and most popular pairings go hand-in-hand. They are:
- admin:admin
- admin:0000
- user:user
- root:12345
- support:support
This means that millions of devices, from DVRs to IP cameras, are extremely vulnerable. Malware coders who want to build botnets can use a list of default passwords to easily gain access to these devices and add them to a botnet of IoT equipment, which can then be used as a distributed-denial-of-service (DDoS) weapon against a particular network.
This is how the Mirai botnet began: IoT devices were infected through attacks on Telnet ports 23 or 2323 using a list of 62 standard passwords. After connecting to the network, each infected device started scanning randomly generated IP addresses.
What followed were huge DDoS attacks on journalist Brian Krebs, DynDNS, Liberia, Deutsche Telekom and a US college. The botnet reportedly encompassed 380,000 devices simultaneously, and the key issue here was that there was no requirement for non-factory-set passwords on these devices.
Other IoT malware campaigns use similar tactics to Mirai, adding other username and password pairs to the list to improve their chances of expanding the botnet.
However, even once they gain access, the botnet code is not stored in long-term memory and therefore doesn't survive a restart of the infected device. This could change in the months to come, as security specialists at Pen Test Partners said they have discovered a new vulnerability that could enable the Mirai IoT worm and other IoT malware to survive between device reboots, creating what would be a far more resilient or even permanent IoT botnet.
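For defenders, the behaviour described above (logins on Telnet ports 23 or 2323 that cycle through factory username and password pairs) can be spotted in login records. The following is an added example, not code from Positive Technologies or from the article: it assumes a constructed honeypot or Telnet gateway log format, and the function name `analyse`, the `min_pairs` threshold and all sample addresses are hypothetical.

```python
import re
from collections import defaultdict

# The five username:password pairs listed in the article.
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "0000"), ("user", "user"),
                 ("root", "12345"), ("support", "support")}
TELNET_PORTS = {23, 2323}  # the ports the article names for Mirai

# Assumed log format (constructed for this example, not a real product's).
LINE_RE = re.compile(
    r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")

# Constructed sample lines; all addresses come from documentation ranges.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=admin pass=admin result=fail
2017-06-01T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=root pass=12345 result=fail
2017-06-01T10:00:03Z src=198.51.100.7 dst=192.0.2.11 dport=2323 user=support pass=support result=ok
2017-06-01T10:05:00Z src=203.0.113.5 dst=192.0.2.10 dport=23 user=admin pass=S3parate! result=ok
2017-06-01T10:06:00Z src=203.0.113.9 dst=192.0.2.12 dport=22 user=admin pass=admin result=fail
2017-06-01T10:07:00Z src=203.0.113.20 dst=192.0.2.13 dport=23 user=user pass=user result=ok
garbage line that does not parse
"""

def analyse(log_text, min_pairs=3):
    """Return (sweeping sources, devices that accepted a default pair, unparsed count)."""
    tried = defaultdict(set)    # source IP -> distinct default pairs it attempted
    exposed = defaultdict(set)  # device IP -> default pairs that device accepted
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:           # count malformed lines instead of silently dropping them
            unparsed += 1
            continue
        pair = (m["user"], m["pw"])
        if int(m["dport"]) not in TELNET_PORTS or pair not in DEFAULT_PAIRS:
            continue
        tried[m["src"]].add(pair)
        if m["result"] == "ok":  # the device is still on factory credentials
            exposed[m["dst"]].add(pair)
    sweepers = sorted(s for s, pairs in tried.items() if len(pairs) >= min_pairs)
    return sweepers, {d: sorted(p) for d, p in exposed.items()}, unparsed

if __name__ == "__main__":
    sweepers, exposed, unparsed = analyse(SAMPLE_LOG)
    print("sources cycling default pairs:", sweepers)
    for device, pairs in sorted(exposed.items()):
        print("still on factory credentials:", device, pairs)
    print("unparsed lines:", unparsed)
```

Devices reported as accepting a default pair are the ones whose passwords need changing first; the source list feeds blocking or further investigation.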