Backdoors
I've been naive. Naive in thinking people would stop doing stupid things. Especially when it comes to security. Wrong. They would not.
My home internet runs on mobile technology - LTE. After knocking on many wired Internet providers' doors, we gave up and bought an LTE router. The upgrade was instant, from a 2Mbps DSL line to ~35Mbps LTE. That has been working fine, but looking for improvements (mainly in the stability of signal strength) I decided to experiment with upgrading the setup. There is the interesting Huawei B2368-66 device that has the entire LTE radio (including a SIM card) in an outdoor package that connects over a PoE-enabled CAT-5 cable. It looks professional and works as intended.
Only when setting it up did I realize I was given the "user" password, which the device prompted me to change (good practice - of course!), while I anticipated there was also an "admin" password. After contacting the carrier, they told me they would not give out the "admin" password, as this would break the security they have in place.
Fair enough. Search is your friend. It took me about 15 seconds, using the phrases "Huawei" + "B2368" + "admin" + "Password", to find one. And guess what....
The password is static, one for all routers that are in the field.
And of course if you know it, you can log in as the "admin" and the device will prompt you to change it (good practice - of course!). But the problem is that most users would not do that (they are not aware and they simply don't need to).
So probably 90-something percent of the devices deployed can be accessed using the default, static admin password. Considering the current year is 2019, this is un-f-believable!!!
Static passwords will be illegal in California, starting next year. Modern systems (like Bluetooth mesh) are designed to enforce random keys with high entropy and no static parts anywhere in their security. It seems, though, that vendors and service providers will not do anything here on their own, unless forced by standards or legal regulations. Reality is so far off from what everybody is talking about...
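The per-device credential this post argues for, as an added example (not the author's code and not any real Huawei or carrier provisioning tool): audit a constructed fleet export for an "admin" password shared across units, then replace it with a fresh CSPRNG-generated credential per device. The serials, passwords and the 80-bit entropy floor are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample: a provisioning export for four outdoor LTE routers.
# The "admin" password is identical on every unit (the static-password problem
# described above); the "user" password is already unique per device.
FLEET = [
    {"serial": "CPE-0001", "admin": "admin1234", "user": "k7Qp2vLx"},
    {"serial": "CPE-0002", "admin": "admin1234", "user": "Zr9mWq4T"},
    {"serial": "CPE-0003", "admin": "admin1234", "user": "Hs3nBv8J"},
    {"serial": "CPE-0004", "admin": "admin1234", "user": "Wq6xDk1P"},
]

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
MIN_ENTROPY_BITS = 80                             # assumed policy floor


def shared_credentials(fleet, field):
    """Return {password: [serials]} for every password reused across devices.
    A non-empty result means `field` is effectively a fleet-wide static secret."""
    by_pw = {}
    for dev in fleet:
        by_pw.setdefault(dev[field], []).append(dev["serial"])
    return {pw: serials for pw, serials in by_pw.items() if len(serials) > 1}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_device_password(min_bits=MIN_ENTROPY_BITS):
    """Per-device password with at least `min_bits` of entropy, drawn from the OS
    CSPRNG via `secrets`; never derived from a serial, counter or fixed string."""
    length = math.ceil(min_bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reprovision(fleet, field="admin"):
    """Replace any shared credential in `field` with a unique random one per device.
    Returns (updated_fleet, serials_changed); untouched devices are copied as-is."""
    reused = shared_credentials(fleet, field)
    updated, changed = [], []
    for dev in fleet:
        new = dict(dev)
        if dev[field] in reused:
            new[field] = generate_device_password()
            changed.append(dev["serial"])
        updated.append(new)
    return updated, changed
```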