Stop us if you've heard this: Cisco Aironet has hard-coded passwords

Cisco's discovered that its Mobility Express Software, shipped with Aironet 1830 Series and 1850 Series access points, has a hard-coded admin-level SSH password. The default credentials open affected devices to remote exploitation if an attacker has “layer 3 connectivity to an affected device”. The bug is in access points …

  1. Brian Miller

    They will never learn.

    There's a site called News of the Weird. Well, they have a section of weird stories that come up every so often, which are weird, but frequently enough that they no longer make the cut for being weird.

    Hard-coded passwords. Default credentials that have been in use since 1970. No passwords. And the programming blunders.

    Really, some of these simply should be firing offenses.

    1. Ole Juul

      Re: They will never learn.

      "Really, some of these simply should be firing offenses."

      They would be if they were working for a security business. I'm not sure what business Cisco thinks they're in.

      1. Adrian Bridgett

        Re: They will never learn.

        We should stop calling these bugs - they are deliberate security holes. It's rarely "oops, we left that there"; it's "oh, this will make our life easier".

    2. Anonymous Coward

      Re: They will never learn.

      Cisco keeps laying off teams and moving the work to entirely new teams with no experience on the code base. Old lessons learned the hard way keep getting forgotten as a result. New teams don't even know/care about the design, process, engineering/QA docs stored for ISO 9001 compliance, and proceed to violate process and start breaking the product. This happened to a couple of my old projects. On one of them, got contacted by the new manager trying to figure out why the new team was f'ing up so badly. Asked him if they were following the docs for that project (docs that had passed an ISO audit with no findings no less), he went "what docs?" Ugh, REALLY?

      With that said, NOTHING excuses something as stupid as a hardcoded anything in code, especially around user IDs. It's got to be either a new hire, an intern (that haven't been through yearly Cisco security training), an engineer waiting to get laid off that no longer gives a rats, OR an intentional backdoor. I'd also list it as a failure in the design and code review processes which also should have caught this.

  2. ilmari

    I wonder if it's a bit like how Caterpillar has the same key for all vehicles, so that you don't have to spend time on finding the right one.

  3. Potemkine

    Conspiracist Theory

    I know that we shouldn't attribute to malice that which is adequately explained by stupidity, but to this point, one has to wonder...

  4. Anonymous Coward

    This is...

    Probably why Microsoft released the Surface 3 as a hotfix to force people using Aironet devices to move to something less shit.

  5. reub

    And this one too:

    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-aironet
