The Search Engine More Dangerous Than Google
mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling systems, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"
Is google dangerous? Sure, it can be used to do bad things. But that's like saying we've discovered a liquid more dangerous than water.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
L-L-Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors.
I mean, how hard is it to ship new devices with something tougher than admin and 1234?
they should at least change the account name from "admin" to "luggage"....
There are some more dangerous than this that don't put silly search limitations on their users and are geared specifically for black hat use.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.
Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.
Give me Classic Slashdot or give me death!
But that's the next big thing, haven't you heard? Giving net access to unsecured hardware is the way forward!
We tried using "12345" as the default but that turned out to be a bad idea, too.
So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.
To that end, the best option (but scarcely used on hardware interfaces) is to force someone to log in as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.
No default password could be secure. The only way is to force password change on first use.
You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).
The fact of the matter is that a lot of these devices are going to be things which are infrequently accessed, so even if you file the credentials away in a "safe, secure" location by the time you need them again you may have forgotten where that was.
"The truth is that all men having power ought to be mistrusted." - James Madison
That would be a bad idea.
1. A default password is a default password, and should be assumed to be public knowledge.
2. A complicated default password will accidentally trick users into thinking it is more secure than admin/1234. For example, you have already been tricked.
3. If the device is reset to factory default, the password won't be easily remembered, so a device may be stranded in a default or even unusable state until the owner can find the password via documentation, help-desk, or internet database of default passwords.
A partial fix that is sometimes used is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password, and the password may not be truly unique, or may be guessable. If the password is damaged/lost, the device may be rendered unusable if reset to its default state.
For network devices, what about some compromise that combined some part of the serial number and last 3 bytes of the MAC address? Most devices have the serial number machine readable and presumably the MAC address is as well.
This would make guessing far more complicated, especially if there was some effort made in production to "randomize" serial number and MAC address relationships so they didn't march in linear lockstep.
These values should be easily found on the equipment if there was any question as to what they were, and the ROM could be configured in such a way that any "factory reset" would use this combination automatically.
This wouldn't be perfect security -- brute forcing attacks would probably be less hard as the MAC and S/N space would be known, but with a non-linear association between serial numbers and MACs it might still be time-consuming -- a 12 character password of even known value ranges but semi-random relationships would still be time-consuming.
If resetting the device requires physical access, then just engrave the default password on the case like you do the serial number and other vital details. That way, when you reset the box, the details to log in are there on the case.
If you manufacture it right, the reset button will be above the details of that device (serial number, MAC address, etc.) and the technician need only look further down for the password.
No cards to lose, even if it's dirty it's still readable, no sticker to fall off, etc.
You need to sign up and register if you actually want to use it.
Which technically will hold you liable for anything you search for, smart - and yet useless.
Service doesn't work, constantly fails, down for maintenance etc...
shoddy'an...
What this world is coming to - is for you and me to decide.
Don't need any nefarious remote flushing going on.
1 2 3 4 is no less secure than 4 t & q, mathematically speaking.
Only in the naive combinations case, when we discard the priors.
In other words, the probability of 1234 being the password is not just 1/num_possible_combinations, but also the probability of 1234 being the default AND the default password not having been changed.
Even scarier is that if you follow one of the Shodan search results and log in with admin:1234, you might end up in federal prison.
Fine with a "real" computer, not really doable with a router. I don't even want to know how many of them are used without anyone ever having connected to them.
And no, setting them up in a way that they don't "just work" out of the box is not really a solution either. Then the box is "too complicated" and people stop buying them in favor of a competitor's product, try to get that past marketing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I will pay u a dime for every system that currently has 4t&q for password, if u pay me a penny for those with 1234 password. Deal?
I prefer the "u" in honour as it seems to be missing these days.
And two: if there really are so many unprotected, highly critical, easily discovered devices, why is e-havoc not commonplace?
Well, there's lots of unprotected, highly critical, easily discovered people and places in the US, but real-world havoc is also relatively uncommon. Probably for the same reasons--most people aren't evil, and there are harsh consequences for those who are.
This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?
Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.
A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess the security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.
Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.
Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards?
That happens to be the way it's done already. Ask Shodan how well it's working out.
Believe it or not, we live in a world in which interesting stories often take more than twenty-four hours to play out, and are still worth discussing some time after the CNN blurb appears.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Too expensive in lost sales.
"I want to return this device. I plugged it in and it doesn't work"
1984 was not supposed to be an instruction manual.
mathematically speaking, they're incomparable until you define a probability space.
He states, and I quote:
no laughing matter.
And you go ahead and mod him "Funny"
They could keep "admin" but print a unique password on the router.
Admin and Root are so commonly used across so many different hardware platforms and software applications that it's best to default to something else and immediately treat any login attempt by either as a hostile intrusion attempt.
But as for why hardware ships with such easy defaults, it's because it's a default and as such, you should assume that damn near anybody on the planet who wants it, will get it eventually. So unless you're going to ship a different login/pw with every last unit, there's not really much of a point. And doing that is a sheer nightmare from a technical support perspective, and frankly isn't worth doing unless you have a very limited list of customers.
It's better to go with an easy default and some kind of mechanism that will constantly bother the user until it gets changed.
I have a new Netgear router; the username and password were printed on the bottom along with the serial number (which I assume is unique). If they can do this, then making a random default password of 2 or 3 words concatenated together (as is the case with the Netgear password) can't be too hard.
In the case of a truly lost password, like the serial number sticker was damaged or stupidly removed for "safekeeping", then you could always re-flash the firmware with an update; last I remember you only need physical access to the emergency reset pinhole on the device (after all, sometimes the device is unwilling to let you log on even if you do know the password - I've had this happen to me after a power blackout).
Besides, you think the companies won't be happy with a policy of "we're sorry, but you need to purchase another one, here's a link to our online store".
Since the start of the internet it has been pretty common to see in logs hosts that do IP scanning. Having one out in the open that shows the public the kind of information most of them have been gathering since the beginning just puts into the light how vulnerable the guys without a clue are. The good guys that have a clue have had a firewall since the start, and the bad guys with a clue had that database compiled long ago.
So, it's the responsibility of the people that have devices on public IP addresses to block/filter/password them, and maybe of the most clueless government that has been pushing a cyberwar since last decade to warn, educate, and assist its citizens in fixing things so they are not so trivially vulnerable. And, of course, to thank, not punish, the people behind Shodan for this warning.
Some companies do this.
I was pleasantly surprised to see a Century Link DSL modem/wifi router come preconfigured with WPA2 and random passwords. Both the admin password and the WPA2 password were printed on the sticker on the bottom.
If Century Link can do it, anyone should be able to.
"So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it." - Altera
That would require the consumer to spend more than $9.95 on the router, and we can't have that. This is ENTIRELY the consumer's fault.
This is Kevin Flynn, can somebody please run the TROFF subroutine on the particle accelerator in lab EC4328 on the fourth floor ? That'd be a big help. thx
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
...slashdot used to be a site that got tech news before it broke in the mainstream outlets.
You mean, like this?
“He’s not deformed, he’s just drunk!”
It's the inept and stupid implementers of these systems that are dangerous, not the search engine
Christ in a chicken basket, shut up already.
All the companies using non-trivial "default" passwords use unique passwords anyway.
It's actually, from my limited, anecdotal experience, pretty effective. The people that don't know to change the password are the same ones that just look up the password on the bottom of the router -- the one or two times (ever) they need it. For the cost of a single sticker, you can force them to (once) use an arbitrarily secure password.
No, the point is that the whole thread was about "mathematically speaking". You are making a choice of character sets which is in no way mathematically founded. For mathematics, there's no significant difference between, e.g., the sets {'0','1','2','3','4','5','6','7','8','9'} and {'1','8','t','q','&','%',':','X'}.
The minimum set which contains all characters of the password "1234" is {'1', '2', '3', '4'}, and the minimal set which contains all the characters of the password "t4q&" is {'4', 't', 'q', '&'}. Both have the same number of characters, namely 4, in their respective sets, therefore each of the passwords has the probability 1/4^4 = 1/256.
The minimum set which contains the letters of both passwords is {'1', '2', '3', '4', 't', 'q', '&'}. In that set, both passwords have the same probability 1/7^4=1/2401.
Of course when evaluating the security of passwords in the real world, we don't just use mathematics, but also the non-mathematical knowledge that we, as humans, denote special significance to certain sets of characters, like the digits, the lowercase characters, and the uppercase characters, and that the hackers know that and therefore tailor their search for those sets. Therefore we define the special sets
Digits, LowercaseLetters, UppercaseLetters and SpecialCharacters (i.e. all others). Then we take as base set to approximate(!) the security of a password the union of all the sets that intersects with the set of characters in the password.
For "1234" all characters lie in Digits, therefore we get a security of 1/10^4. For "4t&q", the letters are in the sets Digits, LowercaseLetters and SpecialCharacters, therefore (assuming ASCII printable characters as base) we get a security of 1/69^4. (Note that your calculation is still wrong in that case because you assumed a strict rule of which positions contain letters, digits and special characters, which is unrealistic in practice, and also you didn't split between lowercase and uppercase characters.)
Note that even this is just an approximation of the real security, as it assigns "1234" the same security as "3945", and "password" the same security as "hyjtmxsk". In reality, of course "1234" is less secure than "3945", and "password" is vastly less secure than "hyjtmxsk". But the point is, that you need non-mathematical knowledge for those considerations. Mathematically speaking, there's really no difference between "1234" and "4t&q".
The Tao of math: The numbers you can count are not the real numbers.
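The three calculations in the comment above (minimal set, shared set, union of character classes), plus the "priors" point from the earlier reply about 1234 being a default, carried out in code. This is an added example, not something any commenter posted; the class sizes (10 digits, 26 lowercase, 26 uppercase, 33 specials = 95 printable ASCII) match the comment's 1/69^4 figure, and the mixture formula for the default-password prior is my own formalisation of that reply.

```python
import string
from fractions import Fraction

# Character classes the comment singles out. Assumes printable ASCII,
# so SpecialCharacters = punctuation plus the space character (33 symbols).
DIGITS = frozenset(string.digits)                 # 10
LOWERCASE = frozenset(string.ascii_lowercase)     # 26
UPPERCASE = frozenset(string.ascii_uppercase)     # 26
SPECIAL = frozenset(string.punctuation + " ")     # 33
CLASSES = (DIGITS, LOWERCASE, UPPERCASE, SPECIAL)


def minimal_set_probability(password: str) -> Fraction:
    """Probability if the attacker already knew exactly which symbols the
    password uses: 1 / |symbols|^length. '1234' and 't4q&' both give 1/4^4."""
    return Fraction(1, len(set(password)) ** len(password))


def shared_set_probability(*passwords: str) -> Fraction:
    """Probability of each password over the union of all their symbols
    (the comment's 7-symbol set gives 1/7^4 for both passwords)."""
    length = len(passwords[0])
    if any(len(p) != length for p in passwords):
        raise ValueError("passwords compared this way must share a length")
    alphabet = set().union(*passwords)
    return Fraction(1, len(alphabet) ** length)


def class_union_probability(password: str) -> Fraction:
    """The comment's approximation: the base set is the union of every
    class the password touches. '1234' -> 1/10^4, '4t&q' -> 1/69^4."""
    chars = set(password)
    if not chars <= frozenset().union(*CLASSES):
        raise ValueError("only printable ASCII is modelled here")
    base = set().union(*(cls for cls in CLASSES if cls & chars))
    return Fraction(1, len(base) ** len(password))


def guess_probability_with_prior(password, default, p_default_unchanged):
    """The 'priors' reply: if `password` is the shipped default, a guess is
    right when the default was never changed, OR when it was changed to a
    string that happens to equal it. Mixture model (my formalisation)."""
    random_hit = class_union_probability(password)
    if password == default:
        return p_default_unchanged + (1 - p_default_unchanged) * random_hit
    return (1 - p_default_unchanged) * random_hit


if __name__ == "__main__":
    for pw in ("1234", "4t&q"):
        print(pw, minimal_set_probability(pw), class_union_probability(pw))
    print(shared_set_probability("1234", "t4q&"))
    # If half of all shipped devices still run the default, guessing '1234'
    # is overwhelmingly a bet on the default, not on the 1/10^4 term.
    print(guess_probability_with_prior("1234", "1234", Fraction(1, 2)))
```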