Hard-Coded & Default Passwords: Gateway for Massive Attacks
According to an analyst at CERT/CC’s Vulnerability Notes Database, certain Netgear switches contain hard-coded passwords that can allow a remote attacker to authenticate to the web server running on the device. This vulnerability affects the firmware version 220.127.116.11 of Netgear GS105PE Prosafe Plus Switch. After authenticating with the pre-configured username ntgruser and password debugpassword, an attacker could:
- Modify the serial number and MAC address of the product
- Manually set memory to a certain value and extract that value from it
- Upload new firmware
With hard-coded passwords, a default admin account is created, along with a password that’s hard-coded into the product. This password can’t be changed or disabled by administrators without manually modifying the program or patching the software, as CWE (Common Weakness Enumeration) reports. If all installations of the software have the same hard-coded password, this can enable massive attacks to take place.
The obvious problem with a hard-coded/default password is that if the password is ever discovered or published, then anyone can access the product. Internet-published default or hard-coded passwords are a common occurrence; if you ever search for old ATM operator mode credentials, you can easily find lengthy lists within the top search engine results.
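To make the weakness concrete, here is an added illustration (not code from Netgear or from the CERT/CC note) of the pattern CWE describes, next to a hardened design: the vulnerable login compares against a credential fixed in the program, so every shipped unit accepts it and an administrator cannot change or disable it; the hardened store has no account until provisioning sets one, keeps only a salted hash, and lets the administrator disable the account. The account name and password literal are constructed placeholders.

```python
import hashlib
import hmac
import os

# --- Vulnerable pattern: a built-in account whose password is baked into the
# program. It is identical on every installation, cannot be changed without
# patching the software, and leaks to every device once published.
# (Constructed placeholder values, not a real product's credentials.)
BUILTIN_USER = "debuguser"
BUILTIN_PASSWORD = "factory-secret"


def vulnerable_login(user: str, password: str) -> bool:
    """Accepts the same fixed credential on every unit, forever."""
    return user == BUILTIN_USER and password == BUILTIN_PASSWORD


# --- Hardened pattern: no credential exists until an administrator sets one,
# only a per-account salted PBKDF2 hash is stored, comparison is constant-time,
# and the account can be disabled without touching the code.
class AccountStore:
    ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, user: str, password: str) -> None:
        """Provisioning step: each device gets its own salt and hash."""
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._derive(password, salt))

    def disable_account(self, user: str) -> None:
        """Administrators can revoke an account; nothing is hard-coded."""
        self._accounts.pop(user, None)

    def login(self, user: str, password: str) -> bool:
        entry = self._accounts.get(user)
        if entry is None:
            return False  # unknown, disabled, or not-yet-provisioned account
        salt, stored = entry
        return hmac.compare_digest(self._derive(password, salt), stored)
```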
Hard-Coded Passwords & ATMs
Not too long ago, that was exactly how two 14-year-olds hacked a Bank of Montreal ATM - by easily finding an old ATM operating manual online with step-by-step instructions on how to get to the machine’s operator mode menu. They guessed the default password and were given access to:
- Find out how much money was currently in the machine, how many withdrawals happened in that day, and how much it made off of surcharges
- Change the surcharge amount - they changed the amount to one cent
- Change the ATM’s greeting to whatever message they wanted - they changed it to ‘Go away. This ATM has been hacked.’
Modern ATMs should have not only longer and more complex passwords, but also require two-factor authentication to thwart any remote (or local) breach attempts - as an article on ZDNet.com states, there’s really no excuse for such weak authentication other than laziness.
Hard-Coded Passwords & Medical Devices
Last year, ICS-CERT issued a hard-coded password alert (ICS-ALERT-13-164-01) affecting medical devices that allowed access to critical settings and to the device firmware. This widespread issue affected nearly 300 medical devices across 40 different vendors, according to the alert.
Obviously, the consequences could be far more dire if someone chose to hack the long list of medical devices that were affected, including surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors and more.
Malware & Hard-Coded Passwords
According to Threatpost:
The security of devices such as the GS108PE switches, especially those in the networking, telecom and critical infrastructure realm, remains a large issue as there are many types of malware that seek out firmware running with default logins and passwords.
With malware constantly searching for default credentials, it’s inevitable that such credentials will be found and exploited at some point in time.
By adding another channel of authentication, you can stop remote attacks on any login that may typically rely on the (lackluster) power of a single password. Hard-coded and default passwords aren’t ideal methods of authentication, but mitigating the risk with the use of an effective two-factor authentication solution can strengthen your security profile and cut out the risk of a breach by a remote attacker.
Find out more about password breaches in:
- Passwords Aren't Enough: 76% of Breaches Exploit Stolen Credentials
- Target Breach: Vendor Password Exploit
- Healthcare Data Breaches Increase in 2013; Errors Traced to Admin Passwords