353,436 Exposed ZTE Devices Found In Net Census
mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researcher's bid to supply the data in efforts to stop production of insecure devices."
I seem to recall a story or two about concerns regarding vulnerable Chinese telecom devices before. Didn't many people think it was nonsense?
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
So the devices didn't manufacture a Chinese telco named ZTE? That makes this a much more boring story. Guess I have to put my "Rise of the Machines" supplies back in the closet now.
I browse on +1 so AC's need not respond, I won't see it.
And we're supposed to trust US products don't have settings demanded by the NSA?
Sorry America, but you're just as un-trustworthy these days, and your corporations are just an arm of your government for spying -- and your government is just an arm of your corporations for foreign policy
A nice little incestuous feedback loop.
The default root password for every DRAC (Dell Remote Access Card) in existence is
*Drumroll*
calvin
fucking american spies
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Gaoke MC600x WiFi routers are used all over South America and probably elsewhere.
They are installed by the telecom company and they do change the admin password. However, you don't even need a password: just go to the internet IP address of a device (the default is that the web interface is visible from the Internet), and rather than logging in, change the last part of the URL to wifilan.htm and it will think you are logged in as guest. The guest user can change all the WiFi settings.
They may be insecure but at least they are cheap!
His recommendation at the bottom is for ISPs to start blocking port 23. I certainly hope that doesn't become a "solution". Many people like to host their own servers, and these default port blocks just make life horrible. The BBS hobby scene uses 23 quite a bit and would take a hit. Blocking ports is not an answer, and in fact I'd like to see the practice banned.
"A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did. Whenever you think "that shouldn't be on the Internet but will probably be found a few times" it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password."
It amazes me, still, how these things can happen. It really shouldn't, I am a contractor after all and have seen hundreds of different networks, large and small. Most with amazing security....deficiencies, usually done in the name of convenience.
My eyes reflect the stars and a smile lights up my face.