posted by FatPhil on Thursday September 26 2019, @01:16AM
from the the-S-in-IoT-stands-for-what? dept.

Million+ IoT Radios Open to Hijack via Telnet Backdoor:

Attackers can drop malware, add the device to a botnet or send their own audio streams to compromised devices.

Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to.

The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that connects to Port 23 of the radio. The Telnetd service uses weak passwords with hardcoded credentials, which can be cracked using simple brute-forcing tactics. From there, an attacker can gain unauthorized access to the radio and its OS.

In testing, researchers said that the password compromise took only about 10 minutes using an automated "ncrack" script – perhaps because the hardcoded password was simply, "password." [sic - I suspect the '.' wasn't part of it, -- Ed.]

After logging onto the device, researchers were able to access the "etc" path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the "wifi cfg" file with unencrypted information on the wireless LAN key.

"By now we had a full access to the file system with httpd, Telnet and we could as well activate the file transfer protocol," according to an advisory from the Vulnerability Lab on Monday. "Then we watched through the local paths and one was called "UIData". In the UIData path are all the local files (binaries, xml, pictures, texts and other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we [were] able to edit and access everything on the box and had the ability to fully compromise the smart web radio device."

Adding insult to injury, the researchers also found there to be a second vulnerability (CVE-2019-13474) in the AirMusic client onboard the device, which allows unauthenticated command-execution. [...]

Sounds almost as secure as my NAS - anyone want a go, it's here.

Previously:
P2P Weakness Exposes Millions of IoT Devices
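
Added example (not from the Threatpost article or the Vulnerability Lab advisory): a defender-side check for the pattern the summary describes, repeated connections to the always-on Telnet service on port 23. The log format, the addresses, the 10-minute window and the threshold of 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (simplified iptables style), not real captures.
SAMPLE_LOG = """\
2019-09-23T10:00:00 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T10:00:20 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T10:00:41 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T10:01:02 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T10:01:25 SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T10:02:00 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP DPT=80 SYN
2019-09-23T10:05:00 SRC=192.0.2.10 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
2019-09-23T11:30:00 SRC=192.0.2.10 DST=192.168.1.50 PROTO=TCP DPT=23 SYN
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+) SYN$")


def telnet_findings(log_text, window=timedelta(minutes=10), threshold=5):
    """Return (contacts, bursts) for new TCP connections to port 23.

    contacts: every (src, dst) pair that reached Telnet at all; worth
              reviewing because the service is undocumented.
    bursts:   pairs with >= threshold connections inside `window`, the
              pattern an automated password-guessing run leaves behind.
    """
    recent = defaultdict(deque)  # (src, dst) -> timestamps still in window
    contacts, bursts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "23":
            continue
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(2), m.group(3))
        contacts.add(key)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts.add(key)
    return sorted(contacts), sorted(bursts)


if __name__ == "__main__":
    contacts, bursts = telnet_findings(SAMPLE_LOG)
    print("Telnet contacts:", contacts)
    print("Brute-force bursts:", bursts)
```
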


  • (Score: 1, Informative) by Anonymous Coward on Thursday September 26 2019, @05:06AM (7 children)

    by Anonymous Coward on Thursday September 26 2019, @05:06AM (#898947)

    "sic" just indicates that the passage is as written. It isn't particular to grammar.

  • (Score: 2) by JNCF on Thursday September 26 2019, @12:11PM (6 children)

    by JNCF (4317) on Thursday September 26 2019, @12:11PM (#899060) Journal

    I was googling for a direct AP Stylebook quote that I believed would contradict you, but according to their twitter they've dropped "sic" altogether.

    https://twitter.com/apstylebook/status/1124320764054863873?lang=en [twitter.com]

    • (Score: 0) by Anonymous Coward on Thursday September 26 2019, @03:41PM (5 children)

      by Anonymous Coward on Thursday September 26 2019, @03:41PM (#899168)

      What's with the AP stylebook trolling? This site isn't for general consumption and shouldn't be held to standards that would compromise its purpose.

      • (Score: 2) by JNCF on Thursday September 26 2019, @03:55PM (4 children)

        by JNCF (4317) on Thursday September 26 2019, @03:55PM (#899176) Journal

        The AP Stylebook is pretty much a standard styleguide for American journalism; it's known as "the journalist's bible" in the States. While I don't like it when this site phrases things in American-centric ways, such as saying "our government" instead of "the US government" in a summary, the spelling and grammar decisions make it very obviously American in style. I think it would be fine for this site to have a custom styleguide that deviates from the norm, but in lieu of that document existing the AP Stylebook is the most obvious reference document to go to when discussing formatting decisions made by journalists writing in an American style.

        • (Score: 1, Insightful) by Anonymous Coward on Thursday September 26 2019, @04:18PM

          by Anonymous Coward on Thursday September 26 2019, @04:18PM (#899186)

          When writing a reference/textbook, our publisher (c.1990) told us to use the "Chicago Manual of Style". Bought a copy and scanned through enough of it to get a feel for what was in there. The book is very well organized and it became a great reference, helping me convert my "engineers-writing-style" into something more consistent (and possibly more coherent also!)

          Then we submitted our book draft to the publisher...and their editor started to make changes that went against the Chicago Manual. Nothing against our editor, she was great, had been on a physics PhD track before she had to quit and get a job. This was about the local style guide in use by the publisher, which they hadn't bothered to tell us about.

        • (Score: 1, Interesting) by Anonymous Coward on Thursday September 26 2019, @07:58PM (2 children)

          by Anonymous Coward on Thursday September 26 2019, @07:58PM (#899281)

          I maintain that no such reference need be made or adhered to for such a small population, barring consistent issues with confusing news posts. I maintain that it's right to make clarifying edits even when the AP styleguide, or any other, would prefer to preserve confusion. I claim that it is very much inappropriate to use a mass-media style guide to present material to a small and ostensibly technical audience. And I refute that it is obvious, to the majority of the population here, to use the AP styleguide as a basis for such an audience.

          • (Score: 2) by JNCF on Thursday September 26 2019, @11:21PM (1 child)

            by JNCF (4317) on Thursday September 26 2019, @11:21PM (#899340) Journal

            I maintain that it's right to make clarifying edits even when the AP styleguide, or any other, would prefer to preserve confusion.

            I never contended that a clarifying edit shouldn't be made, I was just pedanting about the "sic" part of it in particular. I tried to be clear about that in my original post. Also, I think a paraphrasing of the confusing text that placed "password" in the middle of the sentence instead of at the end would have elegantly solved the problem without the need for a clarifying edit. I think that's what the AP would currently recommend, if I'm interpreting that tweet correctly (the last AP Stylebook I've read is about a decade out of date, how).

            And I refute that it is obvious, to the majority of the population here, to use the AP styleguide as a basis for such an audience.

            I wouldn't claim such a thing, but I also doubt that it's obvious to the readers Wired that the AP Stylebook should be the basis of editing decisions. Wired still uses it, because it's obvious to the authors that consistent editing choices across publications is desirable. Should less awareness of knowledge specific to the domain of journalism be expected of volunteer editors than paid journalists? Certainly. I'm just being pedantic (which isn't to say I'm wrong).

            • (Score: 0) by Anonymous Coward on Thursday October 03 2019, @03:39PM

              by Anonymous Coward on Thursday October 03 2019, @03:39PM (#902313)

              I wouldn't claim such a thing, but I also doubt that it's obvious to the readers [of] Wired that the AP Stylebook should be the basis of editing decisions. Wired still uses it, because it's obvious to the authors that consistent editing choices across publications is desirable.

              You did notice that this story is taken, not from Wired, but from Threatpost, right? ;)