IEEE Technology and Society Magazine - June 2015 - 41
The default password problem (an "admin" account whose password is "admin," or a system shipped with no password on certain default accounts) has been around as long as computer systems have been sold and shipped to unsuspecting new owners. It was mentioned on Usenet as early as 1994, regarding Silicon Graphics (SGI) Irix workstations, and reported to SGI, who did nothing to fix the problem until years later, after the Computer Emergency Response Team Coordination Center (CERT/CC) released a security advisory about it [1]. As the Internet became widely used, the problem extended to weak or trivially guessable passwords in general, including both the published default passwords and commonly chosen simple passwords like "12345," "password," or "opensesame." Users continue to choose weak passwords despite nearly two decades of evidence of how damaging weak passwords are to security, and corporations and software developers continue to release Internet-accessible systems with weak passwords.
Manufacturers who knowingly ship commercial products that are designed to be accessible from the Internet and that have default passwords place the responsibility for security on consumers, despite the fact that a percentage of these users will not be able to secure their devices. Millions of home users with Internet service are not sufficiently aware of computer security vulnerabilities or of how malicious actors target weaknesses like default passwords; they may not even be aware that their DSL router is reachable from the Internet and that it has any password, let alone know that they should change the default password to something secure. Dittrich and Himma refer to these users as operating at the Unaware level of response capacity [2]. Even if the manufacturer puts warnings in its user documentation, these users are incapable of protecting themselves. There is no incentive, in terms of regulatory requirements or legal liability, for either users or device manufacturers to make any changes in this situation.
To a large degree, device manufacturers do not want the
situation to change. The current circumstances minimize
engineering and support expenses by externalizing the
cost of properly securing these devices.
Over the years, malware authors have successfully exploited weak default or common passwords. For example, the Agobot/Phatbot distributed attack tool in 2004 included dictionary attacks using over 100 of the most common passwords against both file shares and MySQL server administrator accounts. Conficker.B in 2008 used a long list of passwords to attempt to connect to local ADMIN$ file shares [3]. Both were very successful, compromising hundreds of thousands of systems worldwide.
Computer security researchers rediscovered the
default password problem, this time associated with commodity network devices, and warned the public in 2006
[4] and 2007 [5]. When these devices were only accessible from their local area network (LAN), it was easy for the manufacturers to minimize the problem, arguing that the risk stayed within the local network (i.e., an "insider threat" situation). But in 2009, new features designed for easier remote access meant these devices could be exploited from anywhere in the world, and the weak password problem became an external issue. However, the incentive structure did not change, and neither did the practice of using simple, publicly known default passwords. Commodity network devices began to be widely attacked.
One of the first remotely controlled distributed intruder
attack tools (naïvely called "botnets") focusing on network
devices was psyb0t in 2009 [6]. psyb0t attacked Linux-based cable modems and DSL routers manufactured by Linksys and Netgear. It was first seen attacking home users in Australia, affecting over 45 variants of these devices. Using a brute-force password guessing algorithm that tried the manufacturer-delivered defaults first, psyb0t successfully penetrated over 80,000 devices [7].
Just a few months later, in February 2010, researchers in the Czech Republic disclosed their discovery of
a botnet they called the "Chuck Norris botnet" infecting
commodity network devices manufactured by D-Link
that still had the original manufacturer's default password in use [8].
In January 2012, Federico Fazzi released [9] an IRC-based bot named "lightaidra 0x2012" [10]. The README file describes lightaidra as, "a mass-tool commanded by irc that allows scanning and exploiting routers for make BOTNET (in rx-bot style), in addition to this, with aidra you can perform some attacks with tcp flood." It supports cross-compilation for 32-bit and 64-bit MIPSEL, MIPS, ARM, PPC, and SH4 processors used in commodity network devices.
Despite manufacturers' awareness of the default password problem, attackers can automatically break into almost any commercially available home network device that still has a weak or default password.
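As an added illustration, not code from the article or from any of the bots it names, the following Python simulation shows why the default-first guessing order attributed above to psyb0t succeeds so quickly, and what the two obvious countermeasures (a unique per-device password and a failed-login lockout) do to it. Every device, credential list and password in it is constructed for the example; the `Router` class and the `guess` routine are hypothetical stand-ins for a real telnet or HTTP management login, not the behaviour of any specific product.

```python
"""Simulated default-credential guessing against constructed home routers.

Nothing here talks to a network: Router stands in for a device's login
prompt, and guess() stands in for the credential loop of a bot such as
psyb0t or lightaidra.  All names, credentials and devices are constructed.
"""
import hmac
from dataclasses import dataclass

# Constructed list of "manufacturer default" credentials.  A default-first
# bot tries these before anything else because most devices are never changed.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
]
# Constructed list of commonly chosen passwords (the article's examples plus
# a few more), tried after the defaults.
COMMON_PASSWORDS = ["12345", "password", "opensesame", "123456", "letmein"]
COMMON_USERNAMES = ["admin", "root"]


@dataclass
class Router:
    """Stand-in for a router's management login (hypothetical, not a real product)."""
    name: str
    username: str
    password: str
    lockout_threshold: int = 0   # 0 = no lockout, as in the firmware described above
    failures: int = 0
    locked: bool = False

    def login(self, user: str, pw: str) -> bool:
        if self.locked:
            return False
        # Constant-time comparison so a timing side channel does not leak
        # the password length or prefix to the guesser.
        ok = user == self.username and hmac.compare_digest(
            pw.encode(), self.password.encode()
        )
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.lockout_threshold and self.failures >= self.lockout_threshold:
            self.locked = True
        return False


def candidate_credentials():
    """Yield (user, password) pairs in default-first order, without repeats."""
    seen = set()
    for cred in DEFAULT_CREDS:
        if cred not in seen:
            seen.add(cred)
            yield cred
    for user in COMMON_USERNAMES:
        for pw in COMMON_PASSWORDS:
            cred = (user, pw)
            if cred not in seen:
                seen.add(cred)
                yield cred


def guess(router: Router, max_attempts: int = 1000):
    """Run the dictionary against one router.

    Returns (success, attempts_used).  The guesser does not know whether the
    device has locked it out, so it keeps going until the list is exhausted.
    """
    attempts = 0
    for user, pw in candidate_credentials():
        if attempts >= max_attempts:
            break
        attempts += 1
        if router.login(user, pw):
            return True, attempts
    return False, attempts


def audit(fleet):
    """Map each router name to its guess() result."""
    return {r.name: guess(r) for r in fleet}


# Constructed fleet: two devices as shipped in 2009, two with countermeasures.
FLEET = [
    Router("dsl-unchanged", "admin", "admin"),
    Router("dsl-common-pw", "admin", "opensesame"),
    Router("dsl-lockout", "admin", "opensesame", lockout_threshold=3),
    Router("dsl-unique-pw", "admin", "7Gq!x2Lw9b-constructed"),
]

if __name__ == "__main__":
    for name, (ok, n) in audit(FLEET).items():
        print(f"{name:15s} {'COMPROMISED' if ok else 'safe':12s} after {n} attempts")
```

The unchanged device falls on the first attempt and the common-password device on the seventh, which is why a bot needs only a short, well-ordered list rather than a large dictionary. The lockout device holds the same weak password but locks after three failures, so the correct guess later in the list is refused; the unique-password device survives the whole list. Note that a lockout alone is a weak defence, since a bot that spreads attempts over time or many source addresses can wait it out, and that the comparison in `login` is constant-time only for the password, not the username.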
Security researchers began to show how to exploit these vulnerabilities as early as February 2010. One anonymous security researcher published a web page that included this disclaimer: "I am not showing you how to hack, rather I am showing the people that do not configure their routers how easy it is to gain access to into [their] router and possibly more," and then gave precise instructions showing how to use nmap to scan for and break into network devices with default passwords [11]. On July 28, 2010, David Fifield demonstrated to a live audience at Black Hat 2010 how to use this same method, the Nmap Scripting Engine, to find and brute-force