Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Default passwords and how not to do it

A recent discussion about a Cisco speakerphone vulnerability reminded me this is far from the first time Cisco's had password problems. You'd think a company that has spent so much on security branding and indeed is recognized as the first company that "comes to mind as a Networking Security leader" in six of their eight target locales (7th in Japan, 5th in China, first in US/CAN, UK, Germany, France, Italy and India -- data courtesy Cisco Systems), they'd be a bit more careful about getting the basics right.
I understand vulnerabilities will never be eliminated, but we're long past the day and age where we should continue to struggle not only with basic authentication security, but default passwords that persist long after they should. Microsoft learned their lesson with the Slammer worm back in 2003. MSSQL now forces you to change the SA password and refuses a blank one. Cisco needs to review their products and do likewise, especially for security devices where so much is on the line.

Someone I know--but who would obviously like to remain anonymous in regard to this anecdote due to the legal climate these days--was attending a conference outside the United States last year and happened to be playing around with his laptop in the airport before his flight back home. The airport Wifi provider had a captive portal and pay-to-access internet but he didn't feel like paying. Instead he mapped out the internal network just to see what was accessible without passing the portal and found a Cisco access point management application (I don't know the exact product or version). Seeing a Cisco engineer he had met at the conference a few seats away in the waiting area he asked the guy if he knew the default credentials for such products. Turns out it was cisco/admin or something otherwise blindingly obvious and had never been changed.

So this guy was able to log in and see all the access points. But all the access points for what? The tree menu showed multiple items, but when opened, it turned out they were for provinces. Each province when opened had multiple sites, and each site had multiple locations and each location had multiple access points. This device had management access to every single access point in a very large wireless deployment for a large communications provider.

I probably don't have to emphasize how huge of a vulnerability this was. It could have been used to cause serious damage. Instead, the individual in question, being an ethical white-hat very quickly packed up his laptop and boarded the plane, emailing the company through an anonymous remailer when he got back home to let them know about the hole.

Sure, the company whose network he was on is absolutely responsible and ought to know better than to not change credentials on such a critical box. That said, it's time for Cisco to go the Microsoft route and force default passwords to be changed to help protect users from themselves.