Million+ IoT Radios Open to Hijack Via Telnet Backdoor
Fnord666 persuaded upstart to forward us this tale of fail:
Million+ IoT Radios Open to Hijack via Telnet Backdoor:
Attackers can drop malware, add the device to a botnet or send their own audio streams to compromised devices.
Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets' embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to.
The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that connects to Port 23 of the radio. The Telnetd service uses weak passwords with hardcoded credentials, which can be cracked using simple brute-forcing tactics. From there, an attacker can gain unauthorized access to the radio and its OS.
In testing, researchers said that the password compromise took only about 10 minutes using an automated "ncrack" script - perhaps because the hardcoded password was simply, "password." [sic - I suspect the '.' wasn't part of it, -- Ed.]
After logging onto the device, researchers were able to access the "etc" path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the "wifi cfg" file with unencrypted information on the wireless LAN key.
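For owners of affected hardware, one way to check whether devices on a network you administer answer on the Telnet port described above. This is an added example, not code from the article or the researchers; the function names and the host list passed on the command line are assumptions. It only connects and reads the greeting bytes, and never sends credentials.

```python
import socket
import sys

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854); servers usually open with it


def probe_telnet(host, port=23, timeout=2.0):
    """Classify one host as 'closed', 'open' or 'telnet'. No login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                greeting = sock.recv(64)
            except socket.timeout:
                greeting = b""  # port accepts connections but stays silent
    except OSError:
        return "closed"  # refused, filtered or unreachable
    if greeting[:1] == bytes([IAC]):
        return "telnet"  # greeting starts with Telnet option negotiation
    return "open"  # something listens here, but it did not speak Telnet first


def audit(hosts, port=23, timeout=2.0):
    """Return {host: state} for every host that accepts connections on the port."""
    findings = {}
    for host in hosts:
        state = probe_telnet(host, port, timeout)
        if state != "closed":
            findings[host] = state
    return findings


if __name__ == "__main__":
    # Usage: python telnet_audit.py 192.0.2.10 192.0.2.11  (addresses you administer)
    for host, state in audit(sys.argv[1:]).items():
        print(f"{host}: port 23 is {state}")
```

Any host reported as `telnet` or `open` is a candidate for firewalling off port 23 or moving to an isolated network segment until the vendor ships a fix.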