Re: [Lwip] Internet Census 2012 -- Insecure embedded devices

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Thu, 21 March 2013 12:54 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Johannes Gilger <gilger@itsec.rwth-aachen.de>
Date: Thu, 21 Mar 2013 13:53:56 +0100
Cc: lwip@ietf.org
Subject: Re: [Lwip] Internet Census 2012 -- Insecure embedded devices


The Raspberry Pi was just a more modern example. The same pattern does, however, apply.

"So Raspberry Pi ships with a) sshd on b) root login on sshd on c) the same default password on every Pi - doh! Do not plug in your pi to a net before changing at least one of the above, or you will, like a famous professor in the [Cambridge] computer lab last week, get hacked, and deserve to be:)"


These embedded devices stick around for a long time without anyone paying attention to them. In addition, my fear is that many of these devices will never be updated. To quote a paragraph from a workshop report (http://tools.ietf.org/html/draft-gilger-smart-object-security-workshop-01#section-4):

"Designing a software update mechanism into the system is crucial to ensure that both functionality can be enhanced and that potential vulnerabilities can be fixed. Functionality as well as security will need to remain unchanged for several years. Also the importance of security threats changes over time."

Ciao
Hannes

Sent: Thursday, 21 March 2013 at 11:26
From: "Johannes Gilger" <gilger@itsec.rwth-aachen.de>
To: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
Cc: "Cao Zhen (CZ)" <caozhen@chinamobile.com>, lwip@ietf.org
Subject: Re: [Lwip] Internet Census 2012 -- Insecure embedded devices
The author only uses telnet logins to try to connect to the devices. I
don't know any current OS which enables telnet by default, much less
with root:root or admin:admin, not even the Raspberry Pi. So the set of
possible devices is already relatively small. Furthermore the author
developed and cross-compiled his bot-binary for OpenWRT platforms.

Regards,
Jojo

--
Dipl.-Inform. Johannes Gilger
Research Group IT-Security
RWTH Aachen University
Mies-van-der-Rohe-Straße 15
52074 Aachen

Office: 211
Phone: +49 241 80 20781

http://itsec.rwth-aachen.de