Slashdot Mirror


353,436 Exposed ZTE Devices Found In Net Census

mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researcher's bid to supply the data in efforts to stop production of insecure devices."

29 comments

  1. Hmmm by cold+fjord · · Score: 2

    I seem to recall a story or two about concerns regarding vulnerable Chinese telecom devices before. Didn't many people think it was nonsense?

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Hmmm by SQLGuru · · Score: 2

      The concerns of the earlier articles were about back-doors. Default credentials is basically every device is enabled with admin/1234 and the users aren't educated (or forced) to change them. It's like how briefcases are initially set to all zeros and it's up to you to change the combination. The manufacturers either need to make the default credentials differ for each device or provide a LOT of education.
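
As an added illustration of the per-device default credentials suggested above (example code, not from the article or any vendor): each unit's label password is derived with HMAC from a factory key and the unit's serial, so no two units share a default and a serial printed on the box does not reveal it. The factory key, serials and the list of shared defaults are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder; a real factory key would live in an HSM at the plant.
FACTORY_KEY = b"placeholder-factory-key-not-real"

# Shared defaults the thread mentions; rejected at provisioning time.
SHARED_DEFAULTS = {"1234", "admin", "root", "calvin", "password", ""}

# Label-friendly alphabet (no 0/O or 1/I); 32 symbols so one byte maps uniformly.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def per_device_default(serial: str, length: int = 12) -> str:
    """Derive this unit's label password from the factory key and its serial."""
    digest = hmac.new(FACTORY_KEY, serial.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def is_shared_default(password: str) -> bool:
    """True if the candidate is one of the well-known fleet-wide defaults."""
    return password.lower() in SHARED_DEFAULTS


def provision(serials) -> dict:
    """Map serial -> label password, refusing collisions with shared defaults
    or with another unit in the same batch."""
    creds = {}
    for serial in serials:
        pw = per_device_default(serial)
        if is_shared_default(pw) or pw in creds.values():
            raise ValueError(f"unacceptable default for {serial}")
        creds[serial] = pw
    return creds


def still_on_default(serial: str, current_password: str) -> bool:
    """Audit check: has the owner never changed the label password?"""
    return hmac.compare_digest(current_password, per_device_default(serial))


if __name__ == "__main__":
    batch = provision(["ZTE-SN-000001", "ZTE-SN-000002"])  # constructed serials
    for serial, pw in batch.items():
        print(serial, pw, "unchanged" if still_on_default(serial, pw) else "changed")
```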

    2. Re:Hmmm by cold+fjord · · Score: 1

      The story is about default and hard coded passwords. A secret hard coded password is a backdoor. Are all the hard coded accounts / passwords known?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Hmmm by gweihir · · Score: 1

      Indeed. This is just plain stupidity, not maliciousness. Of course, that will not prevent the NSA and others from using them.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. By by gsslay · · Score: 1

    manufactured by Chinese telco ZTE.

    The original article was badly written and proof read, so naturally slashdot contains the exact same obvious error.

    1. Re:By by EvilSS · · Score: 3, Funny

      So the devices didn't manufacture a Chinese telco named ZTE? That makes this a much more boring story. Guess I have to put my "Rise of the Machines" supplies back in the closet now.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:By by Anonymous Coward · · Score: 1

      The original article was badly written and proof read, so naturally slashdot contains the exact same obvious error.

      And the same error will likely not be fixed when they repost it again tomorrow.

  3. Foreseeable? by __aaltlg1547 · · Score: 1

    Given how many internet devices are manufactured in China, wasn't it pretty foreseeable that the majority of devices with X were going to be found to have been manufactured in China?

  4. heh by shentino · · Score: 1

    Who wants to bet that Chinese intelligence was involved in this?

    1. Re:heh by Anonymous Coward · · Score: 5, Insightful

      Who wants to bet that Chinese intelligence was involved in this?

      And we're supposed to trust US products don't have settings demanded by the NSA?

      Sorry America, but you're just as un-trustworthy these days, and your corporations are just an arm of your government for spying -- and your government is just an arm of your corporations for foreign policy

      A nice little incestuous feedback loop.

    2. Re:heh by Idimmu+Xul · · Score: 3, Insightful

      The default root password for every DRAC (Dell Remote Access Card) in existence is

      *Drumroll*

      calvin

      fucking american spies

      --
      The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    3. Re:heh by Anonymous Coward · · Score: 0

      Security is always a trade-off. There's a big difference between having a default password on a device that's not enabled by default, and normally isn't internet exposed, and a device that by default gets a real internet IP at all times. It's also not clear from the article whether it's just default passwords, or unchangeable back-door passwords. Defaults aren't necessarily bad -- they're at least better than having NO password by default...

    4. Re:heh by Anonymous Coward · · Score: 0

      Never attribute to malice that which is adequately explained by stupidity.

    5. Re:heh by godel_56 · · Score: 1

      Never attribute to malice that which is adequately explained by stupidity.

      Never attribute to stupidity that which is adequately explained by malice, when the people involved have prior form, and have close associations with the Chinese military.

      To quote cold fjord above, "The story is about default and hard coded passwords". What valid reason is there to put those in (presumably) commercial modems and routers?

    6. Re:heh by Anonymous Coward · · Score: 0

      Fuck off.

      All malice is stupid. All stupidity becomes malicious when reaching a sufficiently large quantity.

      Idiomatic expressions are thus both stupid and malicious.
      Ideologies are thus all both stupid and malicious.
      Principles are thus both stupid and malicious.

      Humanity is stupid and malicious.
      Human happiness is the ability to choose to avoid other people.

      Or at least tell them to fuck off :)

  5. Can't we put that mobile CPU to good use? by Anonymous Coward · · Score: 1

    Is there any chance I could lease this phone botnet and get someone to write an algorithm that could help discover new ways to help viagra medication become even more effective? Imagine 1 million CPUs working together helping the progress of boner pill technology.
    It's pretty clear this was the true intention of why China has so many backdoor phones out there, sheesh.

    1. Re:Can't we put that mobile CPU to good use? by Gold__Plated · · Score: 1

      Too late, it's already in progress!

  6. Gaoke Communications is just as bad by Anonymous Coward · · Score: 3, Interesting

    Gaoke MC600x WiFi routers are used all over South America and probably elsewhere.

    They are installed by the telecom company and they do change the admin password. However, you don't even need a password, just go to the internet IP address of a device, the default is the web interface is visible from the Internet, and rather than logging in change the last part of the URL to wifilan.htm and it will think you are logged in as guest. The guest user can change all the WiFi settings.

    They may be insecure but at least they are cheap!

  7. Blocking 23 by Gary+Perkins · · Score: 3, Informative

    His recommendation at the bottom is for ISP's to start blocking port 23. I certainly hope that doesn't become a "solution". Many people like to host their own servers, and these default port blocks just make life horrible. The BBS hobby scene uses 23 quite a bit and would take a hit. Blocking ports is not an answer, and in fact I'd like to see the practice banned.

    1. Re:Blocking 23 by The-Ixian · · Score: 2

      Agreed...somewhat. Port 23 though? Really? Why would you be using telnet and not SSH to connect to any server from the outside?

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Blocking 23 by Anonymous Coward · · Score: 0

      From the parent post: The BBS hobby scene uses 23 quite a bit and would take a hit.

      Also muds/mush/moo servers, etc. I mean, yeah, it's old stuff, but fuck man; some people spent a lot of time on those lawns...

      Lastly, some of these games have custom programs that were made as a hobby and then had the source code lost, I offer Megamud as an example.

    3. Re:Blocking 23 by Anonymous Coward · · Score: 0

      Tell them to use an alternate port. Most current hobby BBS' already do to stop 'rings' from mass scanners.

    4. Re:Blocking 23 by Gary+Perkins · · Score: 1

      There are rather effective ways to blacklist IP's that abuse ports. I think there's even a list out there. However, I've been running a BBS server for several years now, and I've rarely felt the need to do anything about any hammering on my ports. The one time I actually had to block anyone with IP rules was when, no matter what I did, I couldn't get Google to stop crawling FTP day and night. But other than that, I'll occasionally get one or two connects at a time sporadically throughout the day from all over the world... not only on 23, but 22, 21, 80, you name it. As a parent poster commented, many older services still use 23, and blocking that port at the ISP level would put the hurt on end users to connect. I can certainly think of a few ways around it on older software, but it's nothing the casual end user would want to go through just to use a piece of software. If they're going to block more ports, they need to set up some flags for special businesses or industries. For instance, critical infrastructure businesses could have 23 blocked by default... but as a home user, I expect to pay for the full use of my Internet, not a crippled one. It boggles my mind that there are so many ISP's out there blocking 25; I'm fortunate to have an ISP that does not do that, and I'm able to receive my own email. I think everyone should be able to have that choice.

  8. My favorite bit of the article by The-Ixian · · Score: 2

    "A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did. Whenever you think "that shouldn't be on the Internet but will probably be found a few times" it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password."

    It amazes me, still, how these things can happen. It really shouldn't, I am a contractor after all and have seen hundreds of different networks, large and small. Most with amazing security....deficiencies, usually done in the name of convenience.

    --
    My eyes reflect the stars and a smile lights up my face.
  9. Summary of all comments by Anonymous Coward · · Score: 0

    Slashdot: News for Pedantic Bitches

  10. Well, surprise! Surprise! Surprise!! by gestalt_n_pepper · · Score: 1

    The Chinese exploited a brain-dead obvious attack vector. Nobody checked. Nobody looked. Nobody cared. The empire rots from within.

    --
    Please do not read this sig. Thank you.
  11. scoop by porjo · · Score: 1

    From TA:

    "Shukla (the report author) was given exclusive access by the anonymous author to the sensitive data collected in the project (using an illegal botnet to scan the target devices)."

    Sounds just a little too convenient to me
