This Week in Security: Holy SSH*T: Why You Should Change Default Credentials On All Your ‘Things’

This will be the first of two fun “Dark Web” bits for this week’s blog. And… it’s a doozie.

We are, hopefully by now, all aware of the various security issues that the myriad of internet of things (IoT) devices present. Not the least of these is their exposure via default credentials, either left unchanged from the factory defaults (which are widely known and publicized) or changed to painfully easy-to-guess combinations (Hello:hello, router:router, etc.).

The site we’re going to be looking at today has been up since approximately January 5th, 2018. It’s not the first of its kind, but this particular one is continually updated and represents devices all around the globe of all types and varieties. The credentials are still valid, and the site is (as of this writing) still up.

Figure 1

This site is hosting TXT files containing device addresses, creds, location (country) along with a “speed” rating (1-10). While the site is aimed at using these credentials via SSH, for most of these devices, HTTP is open and responding to the same default credentials as well.
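To show what a network owner can do with such a list once it turns up, here is an added example (not code from the original post, and not tied to the site’s actual file layout). The line format it parses is an assumption: one whitespace-separated record per line of address, port, username, password, country code and speed rating, with `#` comments. The sample records are constructed and use RFC 5737 documentation addresses. The script answers the two questions a defender asks first: which entries sit inside my own address space, and which credential pairs are factory defaults or trivially guessable.

```python
"""Triage a leaked device-credential list from a defender's seat.

Constructed example. The record layout below is assumed, not the site's
real format: address port username password country speed
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union
import ipaddress

# Constructed sample dump (RFC 5737 documentation addresses, made-up creds)
SAMPLE_DUMP = """\
# address      port user     password      country speed
192.0.2.10     22   admin    admin         US      7
192.0.2.77     22   root     toor          BR      3
198.51.100.5   22   router   router        DE      9
203.0.113.42   22   Hello    hello         JP      5
203.0.113.9    22   support  K3ep!tS3cr3t  FR      6
bad line here
999.1.1.1      22   admin    admin         US      2
"""

# Small constructed set of generic factory-default pairs (lower-cased)
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"),
                  ("admin", "password"), ("user", "user")}


@dataclass(frozen=True)
class Entry:
    address: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    port: int
    username: str
    password: str
    country: str
    speed: int


def parse_dump(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Parse the assumed format; malformed lines are reported, not dropped silently."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            rejected.append((lineno, raw))
            continue
        try:
            entries.append(Entry(ipaddress.ip_address(parts[0]), int(parts[1]),
                                 parts[2], parts[3], parts[4].upper(), int(parts[5])))
        except ValueError:  # unparsable address, port or speed
            rejected.append((lineno, raw))
    return entries, rejected


def credential_weakness(username: str, password: str) -> Optional[str]:
    """Return why a pair is weak, or None if it passes these basic checks."""
    pair = (username.lower(), password.lower())
    if pair in KNOWN_DEFAULTS:
        return "factory default"
    if pair[0] == pair[1]:
        return "username reused as password"
    if len(password) < 8 or password.isalpha():
        return "short or letters-only"
    return None


def exposed_in(entries: List[Entry], own_cidrs: List[str]) -> List[Entry]:
    """Entries whose address falls inside the networks you are responsible for."""
    nets = [ipaddress.ip_network(c, strict=False) for c in own_cidrs]
    return [e for e in entries if any(e.address in n for n in nets)]


def triage(text: str, own_cidrs: List[str]) -> dict:
    """Summarise a dump: parse stats, weak-credential findings, own-network hits."""
    entries, rejected = parse_dump(text)
    weak = [(e, credential_weakness(e.username, e.password)) for e in entries]
    weak = [(e, why) for e, why in weak if why]
    mine = exposed_in(entries, own_cidrs)
    return {"parsed": len(entries), "rejected": rejected,
            "weak": weak, "mine": mine}


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, ["192.0.2.0/24"])  # pretend this /24 is ours
    print(f"parsed {report['parsed']}, rejected {len(report['rejected'])}")
    for e in report["mine"]:
        print(f"OURS  {e.address}:{e.port} ({e.country}) -> reset credentials now")
    for e, why in report["weak"]:
        print(f"WEAK  {e.address} {e.username}: {why}")
```

The same `exposed_in` check works for a list of your public prefixes, and the weakness rules are deliberately simple so they can be extended with a vendor-specific default list you maintain for your own fleet.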

Figure 2

The devices (manufacturer and model) vary widely. If you can think of a router/AP/VoIP gateway/repeater/etc., it is represented on these lists.

A quick scan of one list shows the following devices represented (this is just a random sample; there are many, many more):

  • Silver Peak Appliance Management Console
  • TP-Link EAP120 (AP)
  • TP‑LINK Archer C5400 Routers
  • TP-Link (Range Extenders) – various models
  • Trendnet N300 PoE Access Point (TEW-755AP)
  • ZyXEL FSG1100HN Fiber Gateways
  • ZyXEL FMG3025-D10A Fiber VoIP IADs
  • ZyXEL AMG1312-T10B Wireless N ADSL2+ Gateways
  • Huawei EchoLife ONT (Optical Network Terminals)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog