
TA13-175A: Risks of Default Passwords on the Internet


From: "US-CERT" <US-CERT () public govdelivery com>
Date: Mon, 24 Jun 2013 15:34:59 -0500


National Cyber Awareness System:

TA13-175A: Risks of Default Passwords on the Internet [ https://www.us-cert.gov/ncas/alerts/TA13-175A ]
Original release date: June 24, 2013, 03:11 PM EDT

Systems Affected

Any system using password authentication accessible from the internet may be affected. Critical infrastructure and 
other important embedded systems, appliances, and devices are of particular concern.

Overview

Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative 
to change default manufacturer passwords and restrict network access to critical and important systems.

Description

What Are Default Passwords?

Factory default software configurations for embedded systems, devices, and appliances often include simple, publicly 
documented passwords. These systems usually do not provide a full operating system interface for user management, and 
the default passwords are typically identical (shared) among all systems from a vendor or within product lines. Default 
passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend 
changing the default password before deploying the system in a production environment.

What Is the Risk?

Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in 
product documentation and compiled lists available on the internet. It is possible to identify exposed systems using 
search engines like Shodan [ http://www.shodanhq.com/ ], and it is feasible to scan the entire IPv4 internet, as 
demonstrated by such research as


  * Shiny Old VxWorks Vulnerabilities [ 
https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities ] 
  * Security Flaws in Universal Plug and Play: Unplug, Don't Play [ 
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
 ] 
  * Serial Offenders: Widespread Flaws in Serial Port Servers [ 
https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
 ] 
  * The Wild West [ https://speakerdeck.com/hdm/derbycon-2012-the-wild-west ] 
  * Internet Census 2012 [ http://internetcensus2012.bitbucket.org/paper.html ] 

Attempting to log in with blank, default, and common passwords is a widely used attack technique.

Impact

An attacker with knowledge of the password and network access to a system can log in, usually with root or 
administrative privileges. Further consequences depend on the type and use of the compromised system. Examples of 
incident activity involving unchanged default passwords include


  * Internet Census 2012 Carna Botnet distributed scanning 
  * Fake Emergency Alert System (EAS) warnings about zombies 
  * Stuxnet and Siemens SIMATIC WinCC software 
  * Kaiten malware and older versions of Microsoft SQL Server 
  * SSH access to jailbroken Apple iPhones 
  * Cisco router default Telnet and enable passwords 
  * SNMP community strings 

Solution

Change Default Passwords

Change default passwords as soon as possible and absolutely before deploying the system on an untrusted network such as 
the internet. Use a sufficiently strong and unique password. See US-CERT Security Tip ST04-002 [ 
http://www.us-cert.gov/ncas/tips/ST04-002 ] and "Password Security, Protection, and Management [ 
https://www.us-cert.gov/reading_room/PasswordMgmt2012.pdf ]" for more information on password security.

Use Unique Default Passwords

Vendors can design systems that use unique default passwords. Such passwords may be based on some inherent 
characteristic of the system, like a MAC address or serial number, and the password may be physically printed on the 
system. If the password is derived from an identifier that is itself public (a MAC address is printed on the label 
and broadcast on the local network), the derivation must be unpredictable, for example keyed with a secret held only 
by the vendor, or replaced by a random per-unit value; a public formula over a public identifier is just another shared 
default once the formula is known.

Use Alternative Authentication Mechanisms

When possible, use alternative authentication mechanisms like Kerberos, X.509 certificates, public keys, or 
multi-factor authentication. Embedded systems may not support these authentication mechanisms and the associated 
infrastructure.

Force Default Password Changes

Vendors can design systems to require password changes the first time a default password is used. Recent versions of 
DD-WRT wireless router firmware operate this way.
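The two vendor-side controls above, a per-unit default password and a forced change the first time it is used, as one added example in Python. This is not DD-WRT's or any vendor's code; the serial number, MAC address, factory key, label alphabet and 12-character minimum are constructed or assumed for illustration. It also shows, for contrast, the MAC-derived scheme a vendor should avoid.

```python
"""Per-unit factory defaults plus a forced change on first login.

Added example, not DD-WRT's or any vendor's code. The serial, MAC, factory
key, label alphabet and 12-character minimum below are constructed or
assumed for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

SAMPLE_SERIAL = "SN-2013-000123"       # constructed unit identity
SAMPLE_MAC = "00:11:22:33:44:55"       # constructed, not a real assignment
FACTORY_KEY = secrets.token_bytes(32)  # assumed: held by the factory, never on the device
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I: fewer label misreads


def weak_default_password(mac: str) -> str:
    """The pattern to avoid: a public, unkeyed formula over a public identifier.
    The MAC is printed on the label and broadcast on the LAN, so whoever learns
    the formula has the password for every unit."""
    return "admin" + mac.replace(":", "")[-6:].lower()


def keyed_default_password(serial: str, factory_key: bytes, length: int = 12) -> str:
    """Per-unit default: HMAC-SHA256 of the serial under the factory key.
    Deterministic, so the factory can reprint a label from the serial, but an
    attacker who knows both serial and algorithm still needs factory_key."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(LABEL_ALPHABET))
        chars.append(LABEL_ALPHABET[idx])
    return "".join(chars)


def random_default_password(length: int = 12) -> str:
    """Simplest strong option: random per unit, recorded only on the label."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def _verifier(password: str, salt: bytes) -> bytes:
    # The device stores only this PBKDF2 verifier, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DeviceAuth:
    """What the device keeps in flash, and the login policy around it."""
    salt: bytes
    verifier: bytes
    default_verifier: bytes
    must_change: bool = True   # stays True until the factory default is replaced

    @classmethod
    def provision(cls, default_password: str) -> "DeviceAuth":
        salt = os.urandom(16)  # per-unit salt, fixed for the life of the unit
        v = _verifier(default_password, salt)
        return cls(salt=salt, verifier=v, default_verifier=v)

    def login(self, password: str) -> dict:
        """Returns a session. While must_change is set the session is
        restricted: it may only call change_password."""
        if not hmac.compare_digest(self.verifier, _verifier(password, self.salt)):
            return {"authenticated": False, "restricted": True}
        return {"authenticated": True, "restricted": self.must_change}

    def authorize(self, session: dict, action: str) -> bool:
        """Gate every management action behind the forced-change state."""
        if not session.get("authenticated"):
            return False
        return action == "change_password" or not session.get("restricted")

    def change_password(self, session: dict, new_password: str) -> bool:
        if not session.get("authenticated") or len(new_password) < 12:
            return False
        # Refuse to "change" back to the factory default.
        if hmac.compare_digest(self.default_verifier, _verifier(new_password, self.salt)):
            return False
        self.verifier = _verifier(new_password, self.salt)
        self.must_change = False
        session["restricted"] = False
        return True


if __name__ == "__main__":
    print("weak scheme would give:", weak_default_password(SAMPLE_MAC))
    label = keyed_default_password(SAMPLE_SERIAL, FACTORY_KEY)
    dev = DeviceAuth.provision(label)
    s = dev.login(label)
    print("first login restricted:", s["restricted"], "reboot allowed:", dev.authorize(s, "reboot"))
```

The keyed scheme keeps the factory's convenience (labels can be reprinted from the serial) without shipping anything secret on the device; the device only ever holds a salted verifier. The forced-change state is enforced in `authorize`, not just in the UI, so a client that skips the first-login page still cannot reach any other management action.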

Restrict Network Access

Restrict network access to trusted hosts and networks. Only allow internet access to required network services, and 
unless absolutely necessary, do not deploy systems that can be directly accessed from the internet. If remote access is 
required, consider using VPN, SSH, or other secure access methods and be sure to change default passwords.

Vendors can design systems to only allow default or recovery password use on local interfaces, such as a serial 
console, or when the system is in maintenance mode and only accessible from a local network.

Identify Affected Products

It is important to identify software and systems that are likely to use default passwords. The following list includes 
software, systems, and services that commonly use default passwords:


  * Routers, access points, switches, firewalls, and other network equipment 
  * Databases 
  * Web applications 
  * Industrial Control Systems (ICS) 
  * Other embedded systems and devices 
  * Remote terminal interfaces like Telnet and SSH 
  * Administrative web interfaces 

Running a vulnerability scanner on your network can identify systems and services using default passwords. Freely 
available scanners include Metasploit and OpenVAS.
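What such a scanner does for one common case, an administrative web interface protected by HTTP Basic authentication, as an added example in Python. This is not Metasploit or OpenVAS code. The credential list is a constructed sample in the style of the compiled default-password lists mentioned above, and the target is a mock device started on localhost so the check runs offline; in practice the URL would come from an inventory or port scan.

```python
"""Default-credential audit of an HTTP Basic-auth management interface.

Added example, not Metasploit or OpenVAS code. The mock device and the
credential list are constructed so the audit runs offline against localhost."""
import base64
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample, in the style of public default-password compilations.
# The blank password is deliberately first: it is the cheapest thing to try.
DEFAULT_CREDENTIALS = [
    ("admin", ""),
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
]

# Constructed mock appliance: exactly one default pair is accepted.
MOCK_VALID = ("admin", "password")


def _basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class _MockDeviceHandler(BaseHTTPRequestHandler):
    """Stand-in for an embedded web UI that still has its factory login."""

    def do_GET(self):
        if self.headers.get("Authorization", "") == _basic_header(*MOCK_VALID):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Device Status</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_device() -> ThreadingHTTPServer:
    server = ThreadingHTTPServer(("127.0.0.1", 0), _MockDeviceHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def detect_basic_realm(url: str, timeout: float = 3.0):
    """Return the Basic-auth realm if the URL challenges for it, else None.
    A scanner checks the scheme first so it does not spray credentials at
    forms or token-based logins that this routine would not understand."""
    try:
        urllib.request.urlopen(urllib.request.Request(url), timeout=timeout)
        return None  # no authentication at all: a different finding
    except urllib.error.HTTPError as e:
        if e.code != 401:
            return None
        challenge = e.headers.get("WWW-Authenticate", "")
        m = re.match(r'Basic\s+realm="([^"]*)"', challenge, re.IGNORECASE)
        return m.group(1) if m else None


def try_basic_auth(url: str, username: str, password: str, timeout: float = 3.0) -> bool:
    req = urllib.request.Request(url, headers={"Authorization": _basic_header(username, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return False
        raise


def audit_default_credentials(url: str, candidates=DEFAULT_CREDENTIALS):
    """Return the first accepted (user, password) pair, or None.
    Stops at the first hit: the goal is to flag the host, not enumerate it."""
    if detect_basic_realm(url) is None:
        return None
    for user, pw in candidates:
        if try_basic_auth(url, user, pw):
            return (user, pw)
    return None


if __name__ == "__main__":
    srv = start_mock_device()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    print(url, "realm:", detect_basic_realm(url), "default login:", audit_default_credentials(url))
    srv.shutdown()
```

Two caveats a practitioner would keep in mind when pointing this at real equipment: some devices lock the account or reboot after a few failed logins, so a short list tried once per host is safer than a long one, and the audit is a check of your own inventory, not a substitute for removing the default (Metasploit's login scanners and OpenVAS's default-account checks follow the same flag-and-stop pattern at larger scale).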

References

  * Home Network Security  [ https://www.us-cert.gov/Home-Network-Security ] 
  * Choosing and Protecting Passwords  [ http://www.us-cert.gov/ncas/tips/st04-002 ] 
  * Password Security, Protection, and Management  [ https://www.us-cert.gov/reading_room/PasswordMgmt2012.pdf ] 
  * Small Office/Home Office Router Security  [ 
http://www.us-cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf ] 
  * The Risk of Default Passwords [ http://www.sans.edu/research/security-laboratory/article/default-psswd ] 
  * SHODAN - Computer Search Engine [ http://www.shodanhq.com/ ] 
  * Shiny Old VxWorks Vulnerabilities [ 
https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities ] 
  * Security Flaws in Universal Plug and Play: Unplug, Don't Play [ 
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
 ] 
  * Serial Offenders: Widespread Flaws in Serial Port Servers [ 
https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
 ] 
  * The Wild West [ http://speakerdeck.com/hdm/derbycon-2012-the-wild-west ] 
  * Internet Census 2012 [ http://internetcensus2012.bitbucket.org/paper.html ] 
  * Zombie hack blamed on easy passwords [ 
http://articles.chicagotribune.com/2013-02-14/business/chi-zombie-hack-blamed-on-easy-passwords-20130214_1_karole-white-ioactive-labs-passwords
 ] 
  * Secure EAS Codecs Prevent Zombie Attacks [ http://www.thebdr.net/articles/fcc/eas/EAS-Q5.pdf ] 
  * SCADA System's Hard-Coded Password Circulated Online for Years [ 
http://www.wired.com/threatlevel/2010/07/siemens-scada/ ] 
  * After Worm, Siemens Says Don't Change Passwords [ http://www.pcworld.com/article/201442/article.html ] 
  * "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in Microsoft SQL Server [ 
http://www.cert.org/incident_notes/IN-2001-13.html ] 
  * Web Interface - DD-WRT Wiki [ http://www.dd-wrt.com/wiki/index.php/Web_Interface#Username_and_Password ] 
  * Penetration Testing Software | Metasploit [ http://www.metasploit.com/ ] 
  * Open Vulnerability Assessment System [ http://www.openvas.org/ ] 

Revision History

  * Initial release 