US CERT: Default passwords make IT systems easy pickings for hackers
A new government alert warns computer and mobile device users about the risks of continuing to use default passwords. The warning by the U.S. Computer Emergency Readiness Team notes that hackers can easily attack connected systems such as embedded systems, devices and appliances, through their often publically available factory default passwords.
Intended for initial testing, installation and configuration, default passwords are supposed to be changed before a system is put into a production environment. The danger of unchanged default passwords is that they can allow attackers to access a range of systems within a vendor's particular product line.
Passwords can be found in compiled product documentation lists on the Internet. US-CERT also notes that hackers can also identify exposed systems using search engines such as Shodan, making it feasible to scan the entire IPv4 Internet. Default passwords allow attackers to log into a system, usually with root or administrative privileges.
Some examples of incidents involving unchanged passwords include:
- Internet Census 2012 Carna Botnet distributed scanning.
- Fake Emergency Alert System warnings about zombies.
- Stuxnet and Siemens SIMATIC WinCC software.
- Kaiten malware and older versions of Microsoft SQL Server.
- Secure Shell (SSH) access to jailbroken Apple iPhones.
- Cisco router default Telnet and enable passwords.
- Simple Network Management Protocol (SNMP) community strings.
To counter the threat, US-CERT recommends users to change default passwords as soon as possible before deploying a system on the Internet. Besides using sufficiently strong and unique passwords, the alert notes that vendors should design systems with unique default passwords. These passwords may be based on an inherent characteristic of the system, such as a media access control address and the passwords may even be physically printed on the system.
The alert also suggests using alternative authentication mechanisms such as Kerberos, x.509 certificates, public keys, or multi-factor authentication. However, it cautions that embedded systems may not support these authentication approaches or their associated infrastructure. Vendors can design systems in such a way that they automatically require a password change the first time the default is used, explaining that recent versions of DD-WRT wireless firmware use this technique.
Additional security steps users can take include restricting network access and identifying affected products. To restrict network access, US-CERT recommends only allowing network access to required network services. "Unless absolutely necessary do not deploy systems that can be directly accessed from the Internet," the report cautioned.
If remote access is needed, users should consider using virtual private networks, secure shell protocol, or other secure access methods. Additionally, vendors can design systems to only allow default or recovery password use on local interfaces, such as a serial console, or when the system is in maintenance mode and only accessible from a local network, the report said.
Identifying software and systems likely to use default passwords is also a key security step. A vulnerability scanner such as Metasploit and OpenVAS can help users identify systems and services using default passwords on their networks. The warning issued a list of software, systems and services commonly using default passwords:
- Routers, access points, switches, firewalls and other network equipment;
- web applications
- industrial control systems;
- other embedded systems and devices;
- remote terminal interfaces such as Telnet and SSH;
- administrative web interfaces.
Henry Kenyon is a freelance reporter.
- read the US-CERT alert.