Hardcoded Credentials: Why So Hard to Prevent?

About a year ago, attackers managed to tap into thousands of IoT devices to create a botnet infected with Mirai malware and wreak havoc on some major websites. This Mirai botnet, made up of 100,000 IoT devices from DVRs to security cameras, unleashed a massive DDoS attack on DNS provider Dyn, which brought down dozens of websites, including Twitter, Spotify, Netflix and The New York Times. 

The word “sophisticated” has been used a lot to describe the Mirai botnet, but the reality is that it was decidedly unsophisticated, and not hard to prevent. The attackers simply took advantage of hardcoded default passwords in IoT devices. Far from a complicated endeavor, finding these passwords is trivial once the firmware of these devices is analyzed.

And just a couple months ago, we saw another major vulnerability announcement related to hardcoded credentials. Five security flaws were found in Arris routers, which are used by AT&T customers and other Internet providers. Joseph Hutchin, who first noted the defects, referred to some of them as “the result of pure carelessness.”

The most serious of the five flaws contains hardcoded credentials that afford anyone access to the cshell service on the modem.

Hutchins said cshell is capable of viewing or changing the Wi-Fi SSID or password, modifying network configurations, reflashing firmware from a file served from the Internet, or controlling a kernel module that injects ads into unencrypted traffic.

Ultimately, these compromised gateways could be corralled into a botnet, similar to that used by the Mirai malware.

How to prevent

We talk frequently about how there is no “application security silver bullet.” And hardcoded credentials are a perfect case in point. Static analysis is uniquely suited to finding these vulnerabilities, while dynamic analysis cannot detect them. This example reinforces the point that effective application security requires a variety of testing methodologies across the application lifecycle; relying on a single testing type would leave vulnerabilities exposed and your organization at risk. For example, if you only conduced pen testing or dynamic analysis, you would likely not uncover issues with hardcoded credentials.

And this is a widespread issue. In fact, it’s one of the more common vulnerabilities our static analysis uncovers. This year, we found credentials management issues in 42 percent of the applications we scanned. And that number has been steadily increasing over the past six years. In 2011, we found this issue in 27 percent of apps.

Hardcoded credentials give cyberattackers an easy way in, but it’s also easy to protect against exploitation of these passwords:

• Force users to change the password if they want to enable remote access.
• Don't embed passwords in your firmware.

It's a trivial fix, for a very big problem. A botnet attack has the potential to cause significant damage. Bringing down Netflix is one thing, but what if it were directed at all the connected traffic lights in a city?

It’s time to focus on prevention. Learn more about our static analysis.