Default configurations can hide numerous security vulnerabilities. For the sake of your network's security, here are 6 products and services whose defaults deserve careful examination.
When it comes to devices connected to corporate networks, “out of the box” sounds like an enticing promise, but it is also where the danger lies. Imagine devices that handle every network protocol and handshake without manual intervention: convenient and efficient. However, when people are lulled by that convenience and forget to change well-known default settings, the convenience can quickly turn into a fatal vulnerability.
When dangerous default settings are mentioned, most people immediately think of admin usernames and passwords. Undoubtedly, if these default credentials are not changed during initial configuration (almost every vendor advises you to change them), they are likely to become significant security vulnerabilities. A few years ago, the notorious Mirai botnet used thousands of compromised devices to attack Dyn (a network company providing domain name services for major websites), causing widespread outages by preventing Dyn from properly resolving domain names. The simple reason Mirai was able to cause such extensive damage was that it exploited the devices’ simple default passwords.
However, aside from admin accounts and passwords, other configuration items also pose serious security risks.
In countless incidents, we have found that the default configurations of cloud services or applications can also expose infrastructure and data to attack. For example, the loss of 190,000 keys and tokens from Docker Hub was the result of attackers exploiting weak security configurations for key and token storage in cloud environments.
Before detailing some default configurations that security professionals should pay attention to, we must state unequivocally that default usernames or passwords should never survive the initial setup session. In an ideal world, as long as configuration scripts allow it, every person setting up a service, application, or hardware device would change the admin username and password. Therefore, I can argue that if default-configuration vulnerabilities still occur afterward, something in the process went wrong.
That said, people make mistakes, and the processes people create are subject to the same mistakes. To catch such personnel or process failures in your organization, look for the following 6 products and services during network scans. Remember: if you can find them, curious and capable attackers will easily discover them through Shodan and use them to carry out attacks.

1. Cisco Configuration Professional
Cisco Configuration Professional (Cisco CP) is a GUI-based device management tool for Cisco access routers. This tool simplifies the configuration of routers, firewalls, IPS, VPN, unified communications, WAN, and LAN through user-friendly GUI wizards, making it easier for network administrators and channel partners to deploy routers. Additionally, it offers one-click router lockdown and voice and security audit functions that check router configurations and suggest changes. It can also monitor the router’s status and diagnose WAN and VPN connection issues.
Cisco CP comes with default settings, and most users of this program change the default “cisco/cisco” username and password to credentials that comply with their organizational policies. If this step is overlooked, it is very likely to lead to serious issues later. Being an extremely powerful program, it can also be exploited by attackers to carry out malicious actions.
The most dangerous scenario involving this program is leaving the default configuration on admin systems (or other systems with administrative privileges) without setting new, secure credentials.

2. Cable Modem (CM)
Today, an employee’s home network becomes part of the corporate network the moment they bring work home at night, whether they work on a company-provided computer or their own home system. Whatever the specific method, a door to corporate data has been opened beyond the organization’s control.
The vast majority of employees obtain Internet service from their cable TV providers. However, for many of them, the cable modem (CM) sits in a closet (or on top of the cable receiver) with its default admin credentials until the unfortunate day it is struck by lightning.
The cable modem (CM) is a customer-premises device that provides two-way IP data transmission over hybrid fiber/coaxial (HFC) networks. Typically, cable modems use “admin/admin” or even “admin/” (an empty password) as their default username/password pair. Even when this pair is not used, cable modems tend to ship with weak, easily guessable default credentials. Companies should urge employees to change these passwords immediately, and network security personnel should be ready to assist them in making the change.

3. Raspberry Pi
The Raspberry Pi is a credit card-sized, Linux-based single-board computer designed to teach students computer programming, and it offers all the basic functions of a PC. Simply connect it to a TV and keyboard to run spreadsheets, word processing, games, and high-definition video playback.
The Raspberry Pi is not sold as an enterprise computing platform, and indeed, it is not such a platform. However, more and more institutions and corporate networks find themselves hosting these small single-board computers, as many employees introduce them into the corporate network for various purposes. With the introduction of these devices, security vulnerabilities arise, including significant vulnerabilities based on default passwords.
Many people believe that two things can protect the Raspberry Pi from attacks. First, its primary operating system is a variant of Linux; second, its users are often knowledgeable enthusiasts. Unfortunately, the harsh reality is that once an admin-level user retains the default “pi/raspberry” credentials, neither of these methods provides any protection.
Once a Raspberry Pi exposed to the Internet is discovered, the default credentials plus a simple “sudo” give root-level control of the single-board computer, which then serves as a powerful pivot point for moving into other parts of the network. For Raspberry Pi users, simply adding another account for management purposes is far from sufficient; the default credentials must be changed before the system is connected to any network.

4. MySQL
Default credentials are not limited to hardware devices. Software and applications also need their default credentials changed. One of the most serious cases is MySQL, which by default ships with no password set at all.
MySQL is commonly used as a backend for web applications in small and medium-sized enterprises and is also built into embedded and network devices. Its wide adoption is mainly due to its many advantages, including a large feature set and the label of being “free.” However, if basic security issues are not addressed during configuration, the overall cost of a deployment can skyrocket.
A simple Shodan search can reveal how many MySQL instances your organization exposes. Enterprises should immediately scan for every MySQL instance, check its credentials, and promptly change any that are still at their defaults.

5. SNMP Default Community String
SNMP (Simple Network Management Protocol) is a communication protocol between Network Management Systems (NMS) and agents. It defines a unified standard for managing devices in a network environment, including management frameworks, a common language, security, and access control mechanisms. Even if SNMP were only a one-way, read-only data path, a bad default would still help attackers conduct reconnaissance, and unfortunately that is exactly what happens. Worse for security teams, SNMP’s destructive potential is far from limited to reading.
In the first two versions of SNMP (there are three), the only authentication is a value known as the “community string.” This plain-text string alone is sufficient to gain read or read/write access to a network device. To make operations easier, thousands of devices ship with default community strings such as “public,” “private,” or “write,” and these defaults are never changed.
If an attacker gains read/write access via SNMP, they can not only learn the exact configurations of routers, switches, and other network devices but also change those configurations at will.
Although the latest version of SNMP (SNMPv3) provides stronger username/password authentication, millions of installed network devices still run the earlier versions. Inventorying network devices and their SNMP community strings should be an essential part of every corporate network preparedness plan.
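One practical way to catch the defaults discussed in sections 1 and 5 is to lint exported device configurations rather than probing the network. The following Python script is an added example, not code from the original article or from Cisco: it scans IOS-style running-config text for the default community strings named above and for the Cisco CP “cisco” account. The sample configuration and its placeholder hashes are constructed for illustration.

```python
import re

# Default community strings the article names; extend with any your vendors ship.
DEFAULT_COMMUNITIES = {"public", "private", "write"}
# Cisco CP provisions a "cisco/cisco" account; the account name alone is the tell.
DEFAULT_ACCOUNTS = {"cisco"}

# IOS syntax: "snmp-server community <string> [RO|RW] [acl]"; RO is implied if omitted.
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(RO|RW))?", re.I)
USERNAME_RE = re.compile(r"^\s*username (\S+)\b", re.I)


def audit_config(config_text):
    """Scan IOS-style config text; return one finding dict per default credential."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if m:
            community, access = m.group(1), (m.group(2) or "RO").upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                # RW with a default string lets anyone rewrite the device config.
                findings.append({"line": lineno, "type": "default-community",
                                 "value": community, "access": access,
                                 "severity": "high" if access == "RW" else "medium"})
            continue
        m = USERNAME_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_ACCOUNTS:
            findings.append({"line": lineno, "type": "default-account",
                             "value": m.group(1), "access": "admin", "severity": "high"})
    return findings


# Constructed sample running-config (hashes are placeholders, not real secrets).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username cisco privilege 15 secret 5 $PLACEHOLDER_HASH
username netops privilege 15 secret 5 $PLACEHOLDER_HASH
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-r0 RO 10
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['type']} '{f['value']}' ({f['access']}) severity={f['severity']}")
```

Feed it the output of `show running-config` collected by your existing backup tooling; an empty result for a device does not prove SNMPv3 is in use, only that no known default string was found.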

6. Any IoT Device
If your network includes IoT devices installed before July 1 of this year, we can reasonably make two assumptions about them. First, they have usernames and passwords set by the vendor, and those username/password pairs are typically well known; second, changing the username and password is somewhere between difficult and impossible.
Of course, there are exceptions to both assumptions, but they hold for the vast majority of IoT devices. Moreover, since the second assumption means you cannot remedy the first, external protection is your only security option.
In practice, external protection follows roughly three steps. First, survey the network to learn how many such IoT devices (installed before July 1 of this year) exist in your environment. Then, try to identify the default credentials of each device. Even if nothing can be done about them, knowing the login strings helps security analysts understand the purpose of many attack probes.
Finally, whitelist the legitimate ports and destination addresses of each device. Note that many IoT devices use ephemeral port assignments across a fairly broad range. Nevertheless, understanding what “real” traffic looks like will help you promptly notice probing and takeover attempts aimed at your IoT devices.
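The three steps above end with an allowlist of legitimate destinations and ports per device; the following Python script is an added example (not part of the original article) of checking flow records against such an allowlist. It assumes a constructed `key=value` flow-log format, two hypothetical devices (a camera and a sensor), and a management network as the only permitted source of inbound connections; port ranges in the allowlist handle the broad ephemeral spans some devices negotiate.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed allowlist: device address -> legitimate (destination network, port range) pairs.
ALLOWLIST = {
    "10.20.5.11": [("203.0.113.0/24", (443, 443)),        # camera: vendor cloud API
                   ("203.0.113.0/24", (30000, 31000)),    # camera: negotiated media ports
                   ("10.20.1.5", (123, 123))],            # camera: internal NTP
    "10.20.5.12": [("10.20.1.20", (1883, 1883))],         # sensor: MQTT broker only
}
# Only hosts in this network may open connections TO the devices (management hosts).
MANAGEMENT_NET = ipaddress.ip_network("10.20.1.0/24")


def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def classify(flow):
    """Label one flow as allowed, or with the reason it is suspicious."""
    if flow.src in ALLOWLIST:                      # outbound from a known device
        for net, (lo, hi) in ALLOWLIST[flow.src]:
            if _in_net(flow.dst, net) and lo <= flow.dport <= hi:
                return "allowed"
        return "unexpected-outbound"                # a taken-over device talks to new places
    if flow.dst in ALLOWLIST:                      # inbound to a known device
        if ipaddress.ip_address(flow.src) in MANAGEMENT_NET:
            return "allowed"
        return "inbound-probe"                      # login/probing attempt from elsewhere
    return "not-an-iot-device"


def parse_flows(lines):
    """Parse constructed 'key=value' flow records into Flow tuples (proto kept for reporting)."""
    recs = [dict(f.split("=", 1) for f in line.split()) for line in lines]
    return [Flow(r["src"], r["dst"], int(r["dport"]), r["proto"]) for r in recs]


def audit(lines):
    return [(fl, classify(fl)) for fl in parse_flows(lines)]


# Constructed flow records for the two devices above.
SAMPLE_LOG = [
    "src=10.20.5.11 dst=203.0.113.40 dport=443 proto=tcp",
    "src=10.20.5.11 dst=203.0.113.41 dport=30512 proto=udp",
    "src=10.20.5.11 dst=198.51.100.7 dport=6667 proto=tcp",
    "src=10.20.5.12 dst=10.20.1.20 dport=1883 proto=tcp",
    "src=192.0.2.77 dst=10.20.5.11 dport=23 proto=tcp",
    "src=10.20.1.9 dst=10.20.5.12 dport=22 proto=tcp",
]
```

Anything other than `allowed` is worth an alert: `inbound-probe` on port 23 is exactly the default-credential login attempt the article warns about, and `unexpected-outbound` is the usual sign that a device has already been taken over.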

Legislation in Progress
In 2018, California’s new law mandated that every new device built in the state, from routers to smart home technologies, must have “reasonable” security features out of the box, specifically requiring each device to have a “uniquely pre-programmed” password. It also requires any new device to “include a security feature that requires users to generate a new authentication method before granting access to the device for the first time,” forcing users to change their unique password to a new one upon first use.
This new law is a small step toward ensuring network security, but it does not address the broader security problem. Solving that requires a collaborative effort from vendors, enterprises, users, governments, and others. As ordinary users, what we can do is raise our security awareness and change those long-standing default configurations as soon as possible. Let’s take action!
References and Sources: https://www.darkreading.com/edge/theedge/6-dangerous-defaults-attackers-love-(and-you-should-know)/b/d-id/1338571?page_number=7