HoT-TAI-0001: Password / Credential Management

Vulnerability Summary:

• CWE-521 Weak passwords: Weak passwords are typically are found in the dictionary or are otherwise easily guessable. They are often short and do not implement a combination of alphanumeric and special characters. The 25 most common password can be seen here.¹ The list includes "123456", "1q2w3e", and "password" (of course).

• OTG-IDENT-005 Weak or unenforced username policy: User account names are often highly structured (e.g. Joe Bloggs account name is jbloggs and Fred Nurks account name is fnurks) and valid account names can easily be guessed.²

• OTG-AUTHN-002 Default credentials: Nowadays web applications often make use of popular open source or commercial software that can be installed on servers with minimal configuration or customization by the server administrator. Moreover, a lot of hardware appliances (i.e. network routers and database servers) offer web-based configuration or administrative interfaces. Often these applications, once installed, are not properly configured and the default credentials provided for initial authentication and configuration are never changed. These default credentials are well known by penetration testers and, unfortunately, also by malicious attackers, who can use them to gain access to various types of applications.nFurthermore, in many situations, when a new account is created on an application, a default password (with some standard characteristics) is generated. If this password is predictable and the user does not change it on the first access, this can lead to an attacker gaining unauthorized access to the application.nThe root cause of this problem can be identified as:

  • Inexperienced IT personnel, who are unaware of the importance of changing default passwords on installed infrastructure components, or leave the password as default for "ease of maintenance".
  • Programmers who leave back doors to easily access and test their application and later forget to remove them.
  • Applications with built-in non-removable default accounts with a preset username and password
  • Applications that do not force the user to change the default credentials after the first log in.³

• CWE-798 Use of Hardcoded Credentials: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the software administrator. This hole might be difficult for the system administrator to detect. Even if detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely. There are two main variations:

  • Inbound: the software contains an authentication mechanism that checks the input credentials against a hard-coded set of credentials. In the Inbound variant, a default administration account is created, and a simple password is hard-coded into the product and associated with that account. This hard-coded password is the same for each installation of the product, and it usually cannot be changed or disabled by system administrators without manually modifying the program, or otherwise patching the software. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the software will have the same password, even across different organizations, this enables massive attacks such as worms to take place.

  • Outbound: the software connects to another system or component, and it contains hard-coded credentials for connecting to that component. The Outbound variant applies to front-end systems that authenticate with a back-end service. The back-end service may require a fixed password which can be easily discovered. The programmer may simply hard-code those back-end credentials into the front-end software. Any user of that program may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple.⁴

• CWE-307 Improper Restriction of Excessive Authentication Attempts

Estimated Overall Risk Assessment:HIGH

• Technical Impacts: HIGH

  • If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.⁴

• Business Impacts: HIGH

  • Data confidentiality, integrity, and availability could be compromised. An attacker could gain control over the IoT device and could establish a foothold within your network for further actions-on-objective (e.g. further exploitation of internal network OR to utilize the IoT device as part of a botnet to launch attacks against national critical infrastructure).

• Detectability: EASY

• Prevalence: COMMON

• Exploitability: EASY

Attack Surfaces Grouped By Layer of Cyberspace

• Physical Network Layer
  • Device Firmware
  • Administrative Interfaces
  • Device Network Services
  • Device Web Interface
  • Mobile Application
• Logical Network Layer
  • Cloud Web Interface

Known Intrusion / Exploit / Attack Cases and Threats

• Mirai Botnet
  • Description: Dictionary / Bruteforce password attacks against services/interfaces such as Telnet. Utilized as part of Botnet for DDoS; Target: Mostly IP Cameras ⁵
• Brickerbot
  • Description: Dictionary / Bruteforce password attacks against services/interfaces such as Telnet. Access is followed by DoS detailed in HoT-TAI-004. Target: IoT devices running the BusyBox toolkit⁶
• Hajime
  • Description: Dictionary / Bruteforce password attacks against Telnet; Supposedly used to block Mirai by blocking access to ports 23, 7547, 5555, and 5358; propagates P2P rather than centralized C2 like Mirai; Target: non-specific IoT⁷

• Linux/IRCTelnet (new Aidra)

  • Description: Dictionary / Bruteforce password attacks against Telnet; Combines Kaiten/Tsunami IRC protocol use, Bashlite's telnet scanner and injection code, Aidra botnet source code, and Mirai's credential list. Subsequent bot is utilized as part of a botnet for UDP / TCP flooding and a host of other attacks using both IPv4 and IPv6.Target: non-specific IoT⁸

• MrBlack

  • Description: Dictionary / Bruteforce password attacks against HTTP and SSH logins; Subsequent bot is utilized as part of a botnet for various DDoS attacks.Target: SOHO routers (e.g. Ubiquiti)⁹

• Linux/Moose

  • Description:Dictionary / Bruteforce password attacks against Telnet; Subsequent bot is utilized as part of a botnet for eavesdropping on unencrypted traffic in order to steal HTTP cookies on social media sites and perform click-fraud. Also capable of DNS hijacking to kill competing botnets that are consuming the device's resources.Target: Linux-based consumer routers, including those issued to consumers by ISPs, as well as other devices running on the MIPS and ARM architectures¹⁰

• Aidra Botnet

  • Description: Dictionary / Bruteforce password attacks against Telnet; Subsequent bot is utilized as part of a botnet for scanning for additional vulnerable devices to infect and performing DDoS attacks; also listens for additional device commands from IRC C2 server. Target: ARM-based devices running Linux (home internet routers, internet-connected televisions, cable set-top boxes, DVRs, VoIP devices, IP cameras, and media centers), but it can also be compiled for MIPS, MIPSel, PPC, x86/x86-64, and SuperH architectures. A modified version was discovered to be using its hosts processing power to mine bitcoins.¹¹

• Carna Botnet

  • Description: Dictionary / Bruteforce password attacks against Telnet; Subsequent bot was utilized as part of a botnet for scanning the internet as part of the "Internet Census of 2012". Target: Any IoT device.¹²

• Linux.Wifatch

  • Description: Dictionary / Bruteforce password attacks against Telnet; Linux.Wifatch removes other malware and disables telnet access, replacing it with the message "Telnet has been closed to avoid further infection of this device. Please disable telnet, change telnet passwords, and/or update the firmware." Target: Any IoT device.¹³

• Remaiten Botnet

  • Description: Dictionary / Bruteforce password attacks against Telnet; Remaiten combines the features of the Tsunami and LizardStresser. Subsequent bot is utilized as part of a botnet for scanning for additional vulnerable devices to infect and performing DDoS attacks. Target: Linux embedded system (e.g. routers, gateways, and wireless access points).

• Identify, Detect, Protect, Respond, and Recover (NIST FICIC)

This vulnerability page (and some information contained in the associated attack page) address the following:

• IDENTIFY-RISK ASSESSMENT (ID.RA)

  • ID.RA-1: Asset vulnerabilities are identified and documented
    • See "Analysis Tools and Training" below.
  • ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and sources
  • ID.RA-3: Threats, both internal and external are identified and documented
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • IS.RA-6: Risk responses are identified and prioritized

• PROTECT-Identity Management, Authentication, and Access Control (PR.AC)

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

• PROTECT-Information Protection Processes and Procedures (PR.IP)

  • PR.IP-12: A vulnerability management plan is developed and implemented

• DETECT-Anomalies and Events (DE.AE)

  • DE.AE-2: Detected events are analyzed to understand attack targets and methods

• DETECT-Security Continuous Monitoring (DE.CM)

  • DE.CM-1: The network is monitored to detect potential cybersecurity events

Analysis Tools and Training

• IDENTIFY:

  • Online Attacks (Device Network Services and Administrative, Web, Cloud, and Mobile Interfaces / Applications)
    • Using Burp Suite to test passwords on Web Interfaces
    • Using Hydra to test passwords on Administrative, Web, Cloud, Mobile Interfaces / Applications and Device Network Services (e.g. Telnet).
      • At a minimum use Mirai's default username and password list: https://ghostbin.com/paste/ftd8s

  • Offline Attacks

    • Firmware analysis to identify hardcoded passwords.

      • Pentester Academy Offensive IoT Exploitation Course: Firmware Analysis - Identifying Hardcoded Secrets

    

    • Pentester Academy Offensive IoT Exploitation Course: Conventional Attack Vectors - Password Cracking

• PROTECT:

  • If the credentials are NOT hardcoded:
    • Change the usernames to something more difficult to enumerate.
    • Change the password:
      • Enforce password complecity requirements (e.g. a combination of at least (2) upper case letters, (2) lower case letters, (2) numbers, and (2) symbols).
      • Enforce password length requirements (e.g. a minimum of 14 characters).
  • If credentials ARE hardcoded:
    • Contact the vendor to see if there is a firmware update available to fix the issue.
    • If the issue cannot be remediated by the vendor:
      • Consider replacing the device with something that does not utilize hardcoded password.
      • If you must continue to use the device, consider creating IDS signature that look for the use of the hardcoded credentials from suspicious IP addresses OR if ever utilized by any IP address.
  • Additionally, defense-in-depth measures, such as firewalls and router ACLs, should be employed to prevent public exposure of the IoT device. Exposed IoT devices can be identified using Shodan.

• DETECT:

  • Consider creating IDS signatures that detect/alert security personnel that hardcoded credentials or default credentials associated with the IoT device are being utilized, especially if this is from outside of your internal network. Additionally, signatures should be created to alert on scanning of services such as Telnet, SSH, and HTTP.

Associated CVEs / Manufacturers / Devices

Use this link to identify the latest credentials management vulnerabilities. This search query is not specific to the IoT.

Use this link to identify the latest hardcoded credential vulnerabilities. This search query is not specific to the IoT.

References

1. http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/
2. https://www.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_(OTG-IDENT-005\
3. https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002\
4. http://cwe.mitre.org/data/definitions/798.html

5. https://krebsonsecurity.com/tag/mirai-botnet/

6. https://www.theregister.co.uk/2017/04/08/brickerbot_malware_kills_iot_devices/

7. https://www.theregister.co.uk/2017/04/27/hajime_iot_botnet/

8. http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html

9. https://www.cyber.nj.gov/threat-profiles/botnet-variants/mrblack

10. https://www.cyber.nj.gov/threat-profiles/botnet-variants/linux-moose

11. https://www.cyber.nj.gov/threat-profiles/botnet-variants/aidra-botnet

12. https://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/

13. https://en.wikipedia.org/wiki/Linux.Wifatch

14. https://en.wikipedia.org/wiki/Remaiten