What do some webcams, CCTV cameras, video-conferencing cameras, control devices, printers and Internet-of-Things devices connected to CERN networks have in common? They are gaping wide open – in a digital sense: they have no access protection configured and either their password protection is disabled or they are still using the default password set up by the vendor. So, while users might think they are protected, the devices are freely open to people with malicious intent.
A recent survey conducted by a computer security student looked for webpages hosted on devices belonging to the so-called “Internet of Things”. These are devices that do not necessarily look like computers, laptops or smartphones, but have similar functionalities at their core. They run some kind of Windows or Linux operating system, can send e-mails, have a wireless adapter and can be configured and accessed through an integrated web server. All you need to know is the IP address of the device and the corresponding password to sign in. But this is the crux of the problem. Such devices usually come with a default account (e.g. “admin”) and a default password (e.g. “admin”, “user”, “12345”), which the device owner is not necessarily obliged to change on first use … to the advantage of an attacker. Given that these are vendor-default passwords, once you know the model and make, you can look them up on a multitude of different websites…
What is the risk? Think of webcams used at home or in conference rooms, for CCTV monitoring or access control: with the default password, anyone can see what they display. Privacy is gone. Similarly, people with malicious intent can enable the embedded microphone and listen to your discussions. Confidential meetings go public… A router still running with its default password exposes all your network traffic to a third-party attacker, i.e. which webpages you are accessing, and their content too if you do not use an encrypted communication channel such as SSH, RDP, VPN or HTTPS. Worse, your home router is able to reach all the devices in your home (this is its core purpose), so the attacker can probe each of them for vulnerabilities in order to widen the attack. Or think of devices controlling industrial processes, drilling machines, solar panels, coffee machines, etc. Being able to freely change their settings might render your machine or product useless. Who would accept a plain black coffee if they’d ordered ristretto?
So, next time you install a brand new device on your network at home or here at CERN, remember to change its default password. The same holds for any other device you inherit and start using: make sure that the configured password is known by you and only you. Select a good, strong password. Make it complex by using letters, symbols and numbers. Do not use it anywhere else. Keep it to yourself. And if your creativity fails, here are some hints:
- Choose a line or two from a song or poem (preferably not a famous one, as well-known quotes appear in attackers' wordlists) and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree!" becomes "IXdKKaspdd!"
- Use a long passphrase, such as the sentence "InXanaduDidKublaKhanAStatelyPleasureDomeDecree!" itself, or mathematical formulae, such as "sin^2(x)+cos^2(x)=1"
- Alternate between one consonant and one or two vowels with mixed upper/lower case. This produces nonsense words that are usually pronounceable, and thus easily remembered. For example: "Weze-Xupe" or "DediNida3"
- Choose two short words (or a long one that you split) and join them together with one or more punctuation marks between them. For example: "dogs+F18" or "comP!!UTer"
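The four hints above, together with a check that a candidate is not one of the factory defaults described earlier, as an added Python example (not code from the Computer Security Team or from the bulletin). The list of default credentials is a small constructed sample, not a real vendor list, and the minimum length and character-class thresholds are illustrative assumptions, not CERN policy. The nonsense-word generator uses the `secrets` module, i.e. a cryptographically secure random source, rather than `random`.

```python
import secrets
import string

# Constructed sample of vendor-default credentials (assumption, not a real vendor list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "user"),
    ("admin", "12345"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is one of the well-known factory defaults above."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def first_letters(line: str) -> str:
    """Hint 1: first letter of each word, keeping the line's closing punctuation.
    "In Xanadu did Kubla Khan a stately pleasure dome decree!" -> "IXdKKaspdd!"
    """
    words = line.split()
    result = "".join(w[0] for w in words)
    last = words[-1] if words else ""
    if len(last) > 1 and last[-1] in string.punctuation:
        result += last[-1]
    return result


def passphrase(line: str) -> str:
    """Hint 2: the whole line as one passphrase, spaces removed, each word capitalised."""
    return "".join(w[0].upper() + w[1:] for w in line.split())


def pronounceable(syllables: int = 4) -> str:
    """Hint 3: alternate one consonant with one or two vowels so the word is
    pronounceable but in no dictionary; the first syllable is always capitalised
    and the others randomly, and a digit is appended, as in "DediNida3"."""
    word = ""
    for i in range(syllables):
        chunk = secrets.choice(CONSONANTS)
        chunk += "".join(secrets.choice(VOWELS) for _ in range(secrets.choice((1, 2))))
        if i == 0 or secrets.choice((True, False)):
            chunk = chunk.capitalize()
        word += chunk
    return word + secrets.choice(string.digits)


def join_words(word_a: str, word_b: str, separators: str = "+!#") -> str:
    """Hint 4: two short words joined by one or two punctuation marks, e.g. "dogs+F18"."""
    count = 1 + secrets.randbelow(2)
    sep = "".join(secrets.choice(separators) for _ in range(count))
    return word_a + sep + word_b


def check_password(username: str, password: str, min_length: int = 8) -> list:
    """Return the reasons a candidate is rejected (an empty list means acceptable).
    Thresholds are illustrative assumptions for this example, not a site policy."""
    problems = []
    if is_default_credential(username, password):
        problems.append("vendor default credential")
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(
        any(test(ch) for ch in password)
        for test in (str.islower, str.isupper, str.isdigit,
                     lambda ch: ch in string.punctuation)
    )
    if classes < 3:
        problems.append("uses fewer than three of: lower, upper, digit, symbol")
    return problems


if __name__ == "__main__":
    line = "In Xanadu did Kubla Khan a stately pleasure dome decree!"
    for candidate in (first_letters(line), passphrase(line), pronounceable(),
                      join_words("dogs", "F18"), "admin"):
        print("%-50s %s" % (candidate, check_password("admin", candidate) or "OK"))
```

Run as a script it prints each generated candidate with the verdict of `check_password`; the factory-default pair ("admin", "admin") is rejected on three counts, while every candidate produced by the four hints passes the illustrative thresholds.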
Pascal Oser & Sharad Agarwal for the Computer Security Team
Do you want to learn more about computer security incidents and issues at CERN? Register to receive our monthly report. For further information, questions or help, check out our website or contact us at Computer.Security@cern.ch.