Backdoors, and clear text, and default credentials, oh my!

For years I’ve been warning people about insecure devices being added to their home networks.  It’s clear that the vendors haven’t really been listening, because there are still consumer-grade (and some enterprise-grade) network devices that use clear text passwords, default credentials, and backdoor accounts.  Remember the movie War Games from 1983?  Joshua was a backdoor account.  Even IMDb knows that Falken left a backdoor!

So we cleared up the backdoors and default accounts waaaaayyyyy back in 1984 right?  Nope.

The FTC filed charges yesterday (5 Jan 2017) against D-Link for inadequate security in its products.  Guess what the insecurity was (I’ll wait, guess)…

Yep, D-Link used “‘hard-coded’ login credentials integrated into D-Link camera software — such as the username ‘guest’ and the password ‘guest’ — that could allow unauthorized access to the cameras’ live feed . . . [and] . . . leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.”

Read that again.  D-Link hard-coded login credentials into the devices (that means the consumer couldn’t change the password even if they tried!).
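As an added illustration (not D-Link’s code and not taken from the FTC complaint), the Python below sketches the defect described above: a ‘guest’/‘guest’ account compiled into the device software that the owner’s configuration cannot remove, beside a hardened credential store with no built-in accounts, salted PBKDF2 hashes instead of stored plain text, and a per-unit default password that can only be used to set an owner-chosen one. All names and the work factor are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed example of the defect described above: an account compiled
# into the device software. The owner's admin settings cannot remove it.
HARDCODED_ACCOUNTS = {"guest": "guest"}


def vulnerable_login(username: str, password: str, configured: dict) -> bool:
    """Owner-configured accounts are checked first, then the built-in
    account is silently accepted. Passwords are compared as plain text."""
    if configured.get(username) == password:
        return True
    return HARDCODED_ACCOUNTS.get(username) == password


class HardenedCredentialStore:
    """No compiled-in accounts. Passwords are kept only as salted PBKDF2
    hashes, and a factory-default password cannot open a session; it can
    only be used once, to set an owner-chosen password."""

    ITERATIONS = 100_000  # assumed work factor for this illustration

    def __init__(self) -> None:
        self._users = {}  # username -> (salt, pbkdf2 hash, must_change)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, username: str, password: str, must_change: bool = False) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt), must_change)

    def _verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            self._hash(password, bytes(16))  # keep timing similar for unknown users
            return False
        salt, stored, _ = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        # Session login is refused while the factory default is still set.
        return self._verify(username, password) and not self._users[username][2]

    def change_password(self, username: str, old: str, new: str) -> bool:
        if len(new) < 12 or not self._verify(username, old):
            return False
        self.set_password(username, new, must_change=False)
        return True
```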

It’s 2017, people; we have to do better than hard-coded credentials and clear text passwords.  We are putting these devices in our homes.  Having random strangers watching you probably isn’t a settling thought to most people.

But hey, no one will find my IP-enabled camera, right?  Wrong:  Shodan has a large database of webcams that are open to the Internet.  Webcams are always on Shodan’s top searched list, so a lot of people are very interested in watching strangers.
