While organizations focus on patching vulnerabilities, updating software, and training staff, one of the most overlooked yet dangerous entry points remains default credentials. These seemingly harmless username and password combinations are a hacker’s golden ticket into your network or destruction of the network. Unfortunately, default credentials are something we see on every. single. engagement. The applications containing default credentials often are for high valuable targets, routers, HVAC, firewalls, cameras, Vcenter and so on.
During a recent engagement, tester’s identified default credentials for a web interface that controlled the temperature and humidity settings of the datacenter. Testers wrote a script to authenticate into the web application and ran it across the datacenter subnet. The testers discovered 50+ servers with admin access. This finding could have had extreme consequences had a threat actor or disgruntled employee stumble across the application.
What Are Default Credentials?
Default credentials are pre-configured username and password combinations set by hardware or software vendors on devices or applications before they’re deployed. These are often used for initial setup and configuration purposes. Some common examples include:
- Username: admin | Password: admin
- Username: root | Password: password
- Username: guest | Password: guest
- Username: admin | Password: password
These combinations are typically published in user manuals or online help guides, making them publicly available and easily accessible to attackers. In conjunction with Google, we’ve began utilizing ChatGPT to identify vendor specific username & password combinations. For example, the well known default iDrac username and password combination is: root:calvin (we see this on almost every engagement).
Why Default Credentials Pose a Huge Risk?
The danger of default credentials lies in their simplicity. Many businesses neglect to change these factory-set logins, leaving them as is in their production environments. Hackers know this all too well and often rely on this oversight to gain unauthorized access to systems. Here’s why default credentials are a security nightmare:
Widely Known: Many default credentials are publicly available and well-documented on the internet. A simple search can reveal the default logins for routers, switches, and various software platforms.
Easily Exploitable: Attackers use automated tools that rapidly scan networks looking for devices and applications using default credentials. If they find a match, they can easily gain access without advanced hacking techniques.
Expanding Attack Surface: IoT devices, smart appliances, network switches, and cloud applications are increasingly becoming part of corporate networks. Many of these devices come with default credentials, making them vulnerable to attack.
Privilege Escalation: Many systems that retain default credentials are often administrative accounts with high privileges. Once an attacker gains access, they can escalate privileges, change settings, exfiltrate data, and even install malware.
Damage: An attacker on the network, or a disgruntled employee can leverage default credentials to cause massive disruption to business and operations. Imagine someone using the password combination of admin:password to login remotely and change firewall configurations or adjust heating and cooling in the datacenter.
How Can I Defend Against Default Credential Exploits?
Protecting your organization from the risks of default credentials is simpler than you might think, but it requires diligent practices and policies:
- Change Default Credentials Immediately: The first step when setting up any new device or software is to change the default username and password to something more secure. It’s a basic but vital step in securing your systems.
- Implement Strong Password Policies: Use a strong password policy to ensure that new credentials are difficult to guess. Encourage the use of long, complex passwords that include a mix of upper and lowercase letters, numbers, and symbols. Avoid easy-to-guess passwords like “password123” or “admin2023.”
- Use Multi-Factor Authentication (MFA): MFA provides an extra layer of protection by requiring two or more verification methods. Even if attackers manage to steal credentials, they’ll be unable to access the system without a secondary form of authentication.
- Automated Scanning and Monitoring: Regularly scan your network for systems using default credentials.
- Disable Unused Accounts: Many systems come with unused or unnecessary accounts, like “guest” accounts with default logins. Disable these accounts to reduce the potential attack surface.
- Network Segmentation: Isolate vulnerable or critical systems by segmenting your network. By doing this, even if an attacker exploits a device using default credentials, they won’t have free reign over your entire network.
- Security Awareness Training: Train your employees, especially IT staff, about the dangers of default credentials. They should understand the importance of changing these credentials during setup and regularly reviewing account security.
If you need help assessing you or your clients current security posture, Contact Us today to schedule a comprehensive vulnerability assessment.