Stories
Slash Boxes
Comments

SoylentNews is people

posted by FatPhil on Thursday September 26 2019, @01:16AM   Printer-friendly
from the the-S-in-IoT-stands-for-what? dept.

Million+ IoT Radios Open to Hijack via Telnet Backdoor:

Attackers can drop malware, add the device to a botnet or send their own audio streams to compromised devices.

Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to.

The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that connects to Port 23 of the radio. The Telnetd service uses weak passwords with hardcoded credentials, which can be cracked using simple brute-forcing tactics. From there, an attacker can gain unauthorized access to the radio and its OS.

In testing, researchers said that the password compromise took only about 10 minutes using an automated "ncrack" script – perhaps because the hardcoded password was simply, "password."[sic - I suspect the '.' wasn't part of it, -- Ed.]

After logging onto the device, researchers were able to access the "etc" path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the "wifi cfg" file with unencrypted information on the wireless LAN key.

"By now we had a full access to the file system with httpd, Telnet and we could as well activate the file transfer protocol," according to an advisory from the Vulnerability Lab on Monday. "Then we watched through the local paths and one was called "UIData". In the UIData path are all the local files (binaries, xml, pictures, texts and other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we [were] able to edit and access everything on the box and had the ability to fully compromise the smart web radio device."

Adding insult to injury, the researchers also found there to be a second vulnerability (CVE-2019-13474) in the AirMusic client onboard the device, which allows unauthenticated command-execution. [...]

Sounds almost as secure as my NAS - anyone want a go, it's here.

Previously:
P2P Weakness Exposes Millions of IoT Devices


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday September 26 2019, @11:59AM (1 child)

    by Anonymous Coward on Thursday September 26 2019, @11:59AM (#899055)

    Using telnet, are they out of their minds? Weak passwords with hardcoded credentials, nowadays should be used securely over vulnerable sshd implementation.

  • (Score: 2) by DannyB on Thursday September 26 2019, @03:13PM

    by DannyB (5839) Subscriber Badge on Thursday September 26 2019, @03:13PM (#899147) Journal

    If you can't understand how to set up sshd, then at least run telnet on a non standard port so that nobody would ever be able to find it.

    (note I did NOT use any <no-sarcasm> tags.)

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.