Steve Ragan of CSO Magazine has an interesting article on a statement from ICS-CERT indicating that changeable default passwords are not considered a vulnerability.
In a statement provided to a security researcher about the discovery of default passwords in Solare Datensysteme, ICS-CERT stated:
“After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability.”
As Ragan aptly points out – this raises the question: is ICS-CERT correct? Is this the correct approach, or do statements like this create a false sense of security?
Intellectually, the ICS-CERT position is understandable – the default password is changeable, therefore should not be a vulnerability. SANS even lists changing default passwords as Critical Control #3 on the SANS Consensus Audit Guidelines – it’s not as if the problem is unknown.
The problem the industry is facing is that changeable default passwords are rarely changed, or even discovered. So, while they shouldn’t be a vulnerability, they certainly are in most organizations. Best intentions (changing passwords) don’t eliminate the threat.
So – all that being said, should known changeable default passwords be considered a vulnerability? Yes – and for one, primary overriding reason. Because cyber-attackers and malicious insiders view them as a vulnerability.
Attackers know default passwords exist, they know that they can be found through simple internet searches, and they absolutely exploit them to carry out attacks and infiltrations. If that’s not a vulnerability, I’m not sure what is.
The past couple of years have shown just how damaging a vulnerability these default passwords can be – from both a consumer and a business standpoint. Consider just a few of the recent breaches and attacks carried out through changeable default passwords:
- Baby Monitor Hacked through Default Password: An unknown hacker apparently gained access to a 2-year-old girl’s baby monitor, calling her by name and harassing her, and her parents, with insults and profanity.
- Utah Department of Health: Attackers exploited a default password on the user authentication layer of a computer server that stored Medicaid and Children’s Health Insurance Program claims data.
- Zombie Hack Blamed on Easy Passwords: Hackers exploited default passwords to gain access and broadcast a bogus warning on television networks, saying that the United States was under attack by zombies.
Of course, there’s also the infamous Conficker worm, which is still active today and is spreading across networks through default and non-complex passwords. As recently as 2011, Conficker had been responsible for infecting more than 1 million computers using this technique.
Here’s the good news – whether it’s called a vulnerability or not by ICS-CERT, businesses are absolutely becoming more aware of the default password problem. In our recent Privileged Account and Compliance Survey released in May 2013, 78 percent of all businesses said they have a defined business process in place for changing default passwords on hardware and software.
In addition, more and more people are calling for broader solutions to the default password problem. As Ragan pointed out in his CSO article, more Chief Software Architects are calling for users to be forced to remove default passwords and set a new password on first boot-up.
While this sounds easy, the problem is much larger than this. Default passwords exist on almost every network appliance, piece of software and piece of hardware. This creates a huge number of passwords to administer and manage – especially if the change is to a simple, repeated password. A recent survey showed that 77 percent of IT professionals use the same password for multiple applications. Password re-use on sensitive systems fails to mitigate the vulnerability, and in some cases can make the situation worse.
Both cases – not changing the default passwords and using the same passwords for different machines – emphasize the vulnerability exposed by default passwords, regardless of the vendor documentation stating how to change them.
This is also why more companies are turning to automated credential management machines, which make sure that all passwords are managed, changed, and differ from one appliance to the next.
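The two failure modes above – a device still on its documented default, and the same password repeated across appliances – are exactly what an automated credential manager has to catch. As an added illustration (not the original post's code, and not any vendor's product), here is a small audit-and-rotate routine over a constructed inventory; the device names, product names and "default" strings are made-up placeholders, not real vendor defaults.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample inventory as a privileged-account vault might hold it:
# (device id, product, current password on record). All placeholders.
INVENTORY = [
    ("plc-01", "acme-plc", "factory-default-A"),
    ("plc-02", "acme-plc", "factory-default-A"),   # default never changed
    ("hmi-01", "acme-hmi", "Summer2013"),          # changed, but reused
    ("hmi-02", "acme-hmi", "Summer2013"),
    ("fw-01",  "acme-fw",  "k7#Qp!2zLm9$eRt4"),    # unique, non-default
]

# Constructed "documented defaults" per product (placeholders, not real).
DOCUMENTED_DEFAULTS = {
    "acme-plc": {"factory-default-A"},
    "acme-hmi": {"factory-default-B"},
    "acme-fw":  {"factory-default-C"},
}


def audit(inventory, defaults):
    """Return (devices still on a documented default, groups sharing a password)."""
    on_default = [dev for dev, prod, pw in inventory if pw in defaults.get(prod, set())]
    by_password = defaultdict(list)
    for dev, _prod, pw in inventory:
        by_password[pw].append(dev)
    reused = [devs for devs in by_password.values() if len(devs) > 1]
    return on_default, reused


def new_password(length=20):
    """Generate a random password with a CSPRNG (never a pattern shared across devices)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(inventory, defaults):
    """Replace every flagged password with a fresh, unique, non-default one."""
    on_default, reused = audit(inventory, defaults)
    flagged = set(on_default) | {d for group in reused for d in group}
    # Never issue a value that is already in use anywhere or is a documented default.
    taken = {pw for _, _, pw in inventory} | set().union(*defaults.values())
    rotated = []
    for dev, prod, pw in inventory:
        if dev in flagged:
            pw = new_password()
            while pw in taken:        # practically never loops; enforces uniqueness
                pw = new_password()
            taken.add(pw)
        rotated.append((dev, prod, pw))
    return rotated
```

After `rotate()` a second `audit()` pass should flag nothing, which is the property a credential manager has to re-verify on every rotation cycle, not just once at deployment.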
Ultimately – it doesn’t matter what we call it. While ICS-CERT should recognize changeable default passwords as a vulnerability, it’s more important that businesses themselves recognize this vulnerability and proactively take steps to mitigate attacks targeting these passwords.