A SECURITY RESEARCHER has warned that the use of 'default' passwords on networking equipment leaves companies open to hacker exploitation, including eavesdropping and the calling of premium rate numbers. AKA, big problems.
Researcher Paul Moore said in a blog post that he was checking out a network that comprised kit from Cisco, Snom and Ubiquiti.
"A few weeks ago, I was asked to observe an installation of several wireless access points and VoIP phones, with a view to making recommendations on how best to improve security while maintaining ease of deployment," he said.
"It didn't take long for several trends to appear, chief among which was the use of [default log-ins]. A default configuration is only intended to restore a device to a 'default' state, such that a competent installer can configure it to meet the client's needs.
"I've reset a Snom 320 VoIP phone (running 126.96.36.199 firmware) back to factory default settings. Even before we begin, there's a serious problem: there's no authentication whatsoever."
Moore added that default passwords are designed to be used at installation, and then burned.
This is not unique to Snom, but the firm takes the kicking. "To their credit, some manufacturers provide a default set of credentials ... even if they're usually 'admin/admin', thus equally insecure," said Moore.
"Snom, however, opted to place a tiny 'HTTP password not set' warning at the top of the configuration screen. That'd be fine if it forced you to set a password during the set-up process, but it doesn't."
This causes problems, in case you haven't worked that out yet. Moore reckons in the Snom case that a VoIP user would have to set only a virtual foot on a website to get a dose of infection from a hacker. There is a video and everything. It makes for uncomfortable viewing, particularly if you have password malaise already.
"If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no 'default' security ... or permit the use of weak credentials which provide nothing more than a false sense of security. It has to stop," said Moore.
"Vendors: if you must supply devices with 'default' credentials, disable all other functionality until a suitably secure password is set to replace it."
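One way a device's admin interface could implement the gating Moore asks vendors for, as an added example that is not code from the article, Snom or any other vendor: every function except "set the admin password" is refused until a non-default, reasonably long password has been configured, and a default such as admin/admin cannot satisfy the gate. The endpoint names, the list of rejected defaults and the minimum length are assumptions.

```python
"""Added example: an admin-interface gate that disables all functions
until a suitably secure password replaces the (absent) default."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed list of default/weak values that must never satisfy the gate.
DEFAULT_CREDENTIALS = {"", "admin", "password", "1234"}
MIN_LENGTH = 12  # assumed policy


class AdminGate:
    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None  # None means "HTTP password not set"

    @property
    def password_set(self) -> bool:
        return self._digest is not None

    def set_password(self, candidate: str) -> bool:
        # Reject defaults and short passwords so the gate cannot be cleared trivially.
        if candidate.lower() in DEFAULT_CREDENTIALS or len(candidate) < MIN_LENGTH:
            return False
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self._salt, 200_000)
        return True

    def _check(self, supplied: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), self._salt, 200_000)
        return hmac.compare_digest(digest, self._digest)

    def handle(self, path: str, password: Optional[str] = None,
               body: Optional[str] = None) -> Tuple[int, str]:
        """Dispatch one admin request; returns (HTTP status, message)."""
        if not self.password_set:
            # Before a password exists, only the set-password function is reachable.
            if path == "/set-password":
                return (200, "password set") if self.set_password(body or "") else (400, "password rejected")
            return (403, "HTTP password not set: all other functions disabled")
        if password is None or not self._check(password):
            return (401, "authentication required")
        if path == "/set-password":
            return (200, "password set") if self.set_password(body or "") else (400, "password rejected")
        if path in ("/dial", "/config"):  # assumed phone functions
            return (200, f"{path} ok")
        return (404, "unknown function")
```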
The nut of Moore's advice is to take precautions with your own security and not assume that others have done it for you. µ