back to article Freaking out about fiendish IoT exploits? Maybe disable telnet, FTP and change that default password first?

While netizens and journalists worry about criminals and spies using sophisticated cyber-weapons to hijack Internet of Things devices, basic security protections are being overlooked – and pose a far greater threat. Miscreants targeting internet-connected devices, especially those found in homes and small offices, won't need …

  1. Anonymous Coward
    Anonymous Coward

    How many home users *need* the admin password anyway ?

    You'd probably improve security with no real downside if you tweaked the firmware to randomly fill the admin password on first power up and leave it like that.

    80% of boxen would go to the scrap heap having never once needed it.

    Where's my $100,000 ?

    1. DJV Silver badge

      Where's my $100,000 ?

      In that sealed IoT box whose digital lock is set with a 128-character randomly generated password that has never been disclosed.

    2. Anonymous Coward
      Anonymous Coward

      Re: How many home users *need* the admin password anyway ?

      But some company's already send their equipment with personalized WPA2 keys and access to administration with admin username and some random 12 numbers and letters password printed in the label of the product... that the user can change anytime we/ she wants.

      Is just that most company's are not yet doing these sort of thing that is the problem.

      1. MiguelC Silver badge

        Re: How many home users *need* the admin password anyway ?

        My mobile hotspot has unique (?) wi-fi ssid and password printed on a label that's glued to the inside of the battery cover (no mention of leopards, though), but the config page access is initially set to admin/admin.

        You can change all of it, but if you leave the battery run completely flat, it all defaults to those initial values. forcing me to regularly reconfigure it.

        True pain in the arse.

      2. Muscleguy

        Re: How many home users *need* the admin password anyway ?

        I was sent a new cable modem a while ago. Same as the old one but with a phone connection port on it. I set it up the same way as the old one, non broadcast presence, custom name, MAC # filtering (you have to be on to connect) etc. Which it would forget, and also not respond to the default pw, requiring a reset. I banged my head against it then rang the co helpline. The droid on the end couldn't understand why I didn't just use the default settings. So I escalated it and got a very helpful UK chap who knew what he was doing, understood my problem and just told me to keep using the old one and sorted some other stuff as well.

        The point is if the telco helpdesk staff in India do not see the point of using anything more than the default settings is it any wonder nobody does anything different?

        My wifi shows several other local cable boxes broadcasting their default presence. Shields for us. Anyone looking will go for those without bothering to find us. The pw requires you know something personal about us from a LONG time ago in a country Far Far Away.

    3. sal II

      Re: How many home users *need* the admin password anyway ?

      So how do you setup your WAN connection and at the very least DHCP scope on the LAN?

      1. David Shaw

        Re: How many home users *need* the admin password anyway ?

        So how do you setup your WAN connection and at the very least DHCP scope on the LAN

        with a second, higher quality Router that costs a bit more than the telco CPE (with its hardcoded telco backdoors, usually). The second NAT'd router is as protected/updated as possible, and the amazing pi-hole does the DNS-hole for the 25% of un-needed packets, and can optionally do the DHCP on the LAN

        fritzboxes, Apple Extremes are reasonable choices for the second layer, and you can put a pfsense appliance inbetween the routers .... I tried

        maybe others will recommend other devices, I was pleased to see that although the fruity company has stopped making their shiny routers, they did update the firmware last week (OK, two weeks ago "AirPort Base Station Firmware Update 7.9.1" of 30th May 2019)

        https://support.apple.com/en-us/HT210090

        1. Muscleguy

          Re: How many home users *need* the admin password anyway ?

          I used to do that but the airport base station's connection speed fell below that of the cable router. So it sits redundant, gathering dust. If you ever need a replacement . . .

    4. JimboSmith Silver badge

      Re: How many home users *need* the admin password anyway ?

      I was in the market for a couple of Ethernet (wifi if needed) connected cameras recently. These were for a home network so that I can view the front and back of the house. I saw a Hive camera system at a local store and enquired as to the suitability. The sales bloke asked if I had a decent broadband connection and I asked what that had to do with it? He said it had to be connected to British Gas for it to work. I said I wasn't going to do that because I didn't want images or video leaving the dedicated home network I set up for the cameras. The bloke made his case again for buying one but I said no thanks.

      So quickly he suggests Ring which I pointed out needs an internet connection too. He asked if I had thought this through as I wouldn't be able to see my home whilst away. I said that was true but then neither could anyone else. I eventually bought a couple of foscam ones that have pan and tilt. I hardwired them to a Buffalo wireless router and can see both sides of my house now.

      1. simpfeld

        Re: How many home users *need* the admin password anyway ?

        Sadly its getting very hard to buy a camera that doesn't need a cloud service to work. The best now are some cheap Chinese ones that can have it turned off.

        I bought a Tenvis HD 720 for 20 quid. It works, but you either need to use an Android app to fully configure it (which I had little luck with) or an ActiveX IE (yes really!). But once setup it can be viewed with VLC , and can have the cloud service disabled.

        My cheap web camera from 8 years ago let me configure most things and view it from Firefox. Why did they remove that and leave ActiveX!

        Sadly most people just don't care!

        Are there any cheap cloud free webcams anymore fully configurable from a modern browser? Anyone know?

    5. veti Silver badge

      Re: How many home users *need* the admin password anyway ?

      And the other 20% would go to the scrapheap having never been used, because the poor owner had no way to configure them.

      Yeah, I can see that generating some bad press.

  2. STOP_FORTH
    Joke

    admin is a silly username/password combo

    Many companies use the hackerproof tactic of using CompanyName/CompanyName but ALL IN LOWER CASE! How can this possibly fail?

    1. Mike 16

      Re: admin is a silly username/password combo

      One of my (thankfully _former_) employers used

      CompanyName/CompanyNameMMDDYYYY (Date of most recent password change)

      to finesse the "must change password frequently. And they rolled out the password change promptly on the first working day of each month.

      But I'm sure all of the 5K or so employees (from floor sweeper to CEO) knew not to share that knowledge.

      (Note: these were not router admin passwords, but the one that gave you access to virtually every computer's network shares)

  3. JimboSmith Silver badge

    I filled in a survey a couple of years ago on IOT device usage. It questioned whether I would:

    Have any connected devices in my house,

    Which devices did I think would be suitable for IOT and which wouldn't.

    What benefits did I forsee coming from IOT devices for me.

    Etc.

    The survey didn't have options for saying you didn't want any IOT devices in your life. So when asked about suitable devices I mentioned things like my sock drawer, the shower, my coat stand. It was fascinating to see that it was such a biased survey. There weren't any questions that focused on security or any even remotely negative aspects of IOT. Wish I knew who the survey was conducted for.

    1. dfsmith

      Wow... just imagine if you got a message in the morning letting you know that your IoT sock drawer had spotted a pair of socks that match (in the dark, with the light behind them).

  4. Anonymous Coward
    Anonymous Coward

    "means that just 100 companies account for around 90 per cent of all IoT devices"

    100 companies? Doesn't look a good news to me.... if you have to wait all of them start to sell more secure devices.

    Unless that's a typo.

    1. eldakka

      Re: "means that just 100 companies account for around 90 per cent of all IoT devices"

      I think that the point is, it's not like there are 10000 tinpot companies whose behaviour you have to change.

      You can communicate with 100 companies who are probably of relatively substantial size, therefore who do have in probability actual IT dev teams, as opposed to 1-man operations, whose behaviours you need to change that will cover 90% of the devices released.

      1. Anonymous Coward
        Anonymous Coward

        Re: "means that just 100 companies account for around 90 per cent of all IoT devices"

        As most of those 100 companies are in countries where there are no way to enforce proper security policies, I really doubt that being 100 or 10000 changes much - even more so if a not little part of those 100 companies can disappear and reappear with a different name in little time, and many of them sell the same products under n brands.

  5. SotarrTheWizard
    Facepalm

    Years ago. . .

    . . . a friend was holding a house-warming party, the week before Christmas. Her DSL hadn't been connected yet, **AND** this was an audience of geeks. So, out of 10 singles and couples, we had 7 laptops.

    We went searching for open access points. . . .and found 20+. Every single one either admin/admin or admin/password. And most had Win9x or XP PCs behind them, also wide open.

    So we locked down all the networks, and left a note on the desktop of all the PCs, from "Santa's Elves", with the new username and password for the wireless routers.

    Apparently, the next day, it was the talk of the neighborhood. . .

  6. Anonymous Coward
    Anonymous Coward

    Ciscos approach...

    ... is to have secret usernames and passwords hard-coded into their devices

    1. eldakka

      Re: Ciscos approach...

      ... is to have secret usernames and passwords hard-coded into their devices

      Then how does one login on initial powerup after purchase to configure it?

      I think a better system would be to enable default user accounts only for the first 10-minutes after a factory reset, then after that 10 minutes has expired, disable them. That way, you can plug it into a laptop/other computer, do the contortions to initiate a factory reset (press and hold button one while standing on one leg while simultaneously pressing the power button), then you have 10 minutes to connect to set a password, otherwise the default accounts and services are deactivated - or hey, maybe even totally power-down the device. That means you need physical access (or be on the phone to someone who has physical access) to initiate factory reset to use the 'setup' credentials, which only let you setup a new password or account to do the actual administration through.

  7. Sabot
    Stop

    This is about miscreants creating internet-connected devices.

  8. Chris G

    A large French owned chain of sheds selling home and DIY stuff had a one evening promo on IoT shit recently, I had received an email invite but forgotten about it.

    I walked into the store and listened to a Spanish sales droid for about twenty minutes, introducing locks, nesty things and all kinds of other connected rubbish, not one mention of passwords or security in the IT sense only that it was all very simple to set up and more or less plug and play.

    IoT needs regulation from yesterday, one of the regulations should be an installation system that requires security and something like 2FA for all access from minute one for all connected items whether domestic or commercial.

    Though the ultimate security would be to drop the whole 'connected world' thing .

    1. vtcodger Silver badge

      Though the ultimate security would be to drop the whole 'connected world' thing .

      Hard not to agree. But when you sit back and think about it, there are all sorts of folks that actually need one or more of those nasty little boxes for some legitimate reason or another -- security, controlling access, monitoring the livestock, checking on those with medical problems, spying on the babysitter ... whatever. And we really can't expect everyone to be a network professional. How can these things be deployed without spending hundreds of dollars/euros/pounds per unit on professional installation?

      Tis a puzzlement.

      something like 2FA

      An interesting concept, but one with VERY limited utility and quite badly implemented in many cases. In too many situations, two factor authorization translates to "Now You Have Two Problems."

    2. Anonymous Coward
      Anonymous Coward

      Exactly

      I've been looking to see if it is worth fitting an Internet-connected heating programmer. I've been reading the install instructions. Minute detail on wiring but never a peep about security. I had to say to my wife "Honey, well h'Ive decided no tado anything about putting an eco bee in our nest."

    3. Anonymous Coward
      Anonymous Coward

      I see your mistake: You should have gone to the Spanish owned DIY store and listened to the French salesdroid.

  9. RTUSER

    I'm not sure I understand most of the concern for home users and IoT. How do they connect these things to the Internet? All of my stuff is behind a firewall/router and I would have to forwards ports to the IoT devices to get to these interfaces. Regardless, my ISP only grants one IP from my cable modem so I have no choice but to use a firewall/router and therefore I would have to consciously open these ports in order for miscreants to get to my stuff.

    What am I missing here?

    1. Anonymous Coward
      Anonymous Coward

      "What am I missing here?"

      UPnP

      1. Sandtitz Silver badge
        Mushroom

        Not only that but for example DVR systems from Dahua by default open a reverse proxy through common ports (80 and 443) and all you need are the DDNS name along with login/pass to see and operate the cameras and the whole system.

        I've seen many companies deploy these in their LAN without any thought for security.

        1. RTUSER

          OK, then I guess I've been blissfully unaware of these sorts of things that are bad practice.

  10. Anonymous Coward
    Anonymous Coward

    Volunteered

    "the team collected telemetry from 83 million devices via home network scans of 16 million Avast customer volunteers, "

    That seems like a whole lot of "volunteers" there.

    And given Avast's history of trickery with "bundling" and dark patterns, ignoring opt-outs and running undocumented processes without users knowledge etc etc...

    I wonder just how many of those "volunteers" knew they had volunteered?

  11. JohnFen

    But surely

    But surely everyone is blocking incoming FTP and Telnet connections with their firewall, right? Right?

    1. the spectacularly refined chap

      Re: But surely

      Ah yes, the old 'I don't need it so no one else does either' response by people who think they know what they're talking about but have precisely zero knowledge of the real world.

      There is nothing wrong with anonymous FTP, indeed in that case it is preferable to 'secure' protocols since the security is an irrelevance and the performance hit gives no benefit. Using it for user logins and protected stuff is more questionable but as always it depends on the context.

      As for telnet I'd sooner be rid of it but I'm not for those same real world reasons. I have a 32 port console server here connected to several hosts, switches and the router. It only supports telnet and raw TCP connections. I could replace it with an SSH enabled equivalent but even a 16 port unit would mean dropping around £1500. That's a lot in the context of a home network for only a minor improvement in security when it is firewalled from the Internet and only used for initial configuration and emergency maintenance.

      1. vulture65537

        Re: But surely

        Assuming you mean read-only anonymous FTP for distributing stuff there's not a lot wrong with it.

        But it does have a disadvantage relative to HTTP. The data connection is prone to receiving connections from unexpected participants sneaking in before the intended connection.

        1. JohnFen

          Re: But surely

          "Assuming you mean read-only anonymous FTP for distributing stuff there's not a lot wrong with it."

          True, if you have it properly configured, this can be OK. There are still much better alternatives, though.

      2. JohnFen

        Re: But surely

        'I don't need it so no one else does either'

        Except this is accurate. Both FTP and Telnet present fairly serious security risks, and there are more secure substitutes readily available. Even devices that require telnet often don't need such access from the internet at large, and if they do, then it's worth the effort of setting up a relay so the telnet exposure is limited to your LAN.

    2. dfsmith

      Re: But surely

      I think everyone should leave telnet open. E.g., https://github.com/Phype/telnet-iot-honeypot or https://hackertarget.com/cowrie-honeypot-analysis-24hrs/

      1. David Shaw

        Re: But surely

        Yes, I also add a copy of Wireshark to all my friend's PC's as I'm building them, in the hope of convincing some malware that they are in a VM, being studied.

        I like to add the odd tar-pit too

  12. Wellyboot Silver badge
    WTF?

    16 million Volunteers

    I must have missed Avast asking for volunteers to undergo a home internal pen-test and share the results around. is it on page 94 of the T&Cs?

    There's a lot of old kit still out there, the average punter isn't going to replace it if it still works.

  13. This post has been deleted by its author

  14. Anonymous Coward
    Anonymous Coward

    I recently visited a friend abroad. It turned out they had not been able to use their WiFi and were using 4G because they had forgotten the password. I checked with my phone. The router name and type were part of the SSID. I searched for the manual online and found it. Use the default admin password. In.

    I knew quite a lot of people don't care and do not see it as their problem. Butt still: It is not someone else: it's you.

  15. doublelayer Silver badge

    And patching needs to happen too

    It's well and good to say that telnet and FTP should be closed and to have random default passwords or make the user set the password themselves, but these devices also need regular patching. For example, I needed console access on a friend's router to fix some things, so I logged in using the nondefault credentials my friend had available and enabled the SSH console for the LAN. Then, I attempted to connect. Small problem though, which was that my computer's SSH client failed to negotiate a connection because the only SSH protocols the router supported were considered obsolete (I'm trying to remember the specific ones, but they're slipping my mind at the moment). Maybe this is on my computer for dropping support so quickly, as little harm comes from continuing to support other protocols, but I have a feeling that, if the SSH encryption standards are so old that a client (default OSX client and then openSSH client from Ubuntu) refuse to connect, the router has other security problems too.

  16. John Smith 19 Gold badge
    Unhappy

    FFS It's not even *development*

    It's build configuration

    Do you want to include Telenet protocol support in build Y/N?

    Do you want to include FTP protocol support in build Y/N?

    So what do code monkeys do?

    This iw what happens when security is not considered as an issue. Since no one (IE no PHB) considers it an issue that's who looks after it. No one).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like