The Raspberry Pi was just a more modern example. The same pattern does, however, apply.
A quote from http://www.guardian.co.uk/technology/blog/2012/oct/08/technology-links-newsbucket:
"So Raspberry Pi ships with a) sshd on b) root login on sshd on c) the
same default password on every Pi - doh! Do not plug in your pi to a net
before changing at least one of the above, or you will, like a famous
professor in the [Cambridge] computer lab last week, get hacked, and
deserve to be :)"
More info here: http://raspberrypi.stackexchange.com/questions/508/how-can-i-protect-against-intrusion-and-malware-before-connecting-it-to-the-inte
These embedded devices stick around for a long time without anyone paying attention to them. In addition, my fear is that many of these devices will never be updated. To quote a paragraph from a workshop report (http://tools.ietf.org/html/draft-gilger-smart-object-security-workshop-01#section-4):
"Designing a software update mechanism into the system is crucial to
ensure that both functionality can be enhanced and that potential
vulnerabilities can be fixed. Functionality as well as security will
need to remain unchanged for several years. Also the importance of
security threats changes over time."
Ciao
Hannes
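The three defaults in the Guardian quote above (sshd on, root login permitted over sshd, one shared default password) can be checked on the device before it goes on the net. The POSIX shell script below is an added example, not part of this thread; it reads an OpenSSH sshd_config and flags the two settings that make a shared default password usable remotely, and the two sample configs it writes are constructed here.

```shell
#!/bin/sh
# Added example: audit sshd_config for root login and password authentication.
# sshd takes the FIRST value it sees for a keyword, so the first match wins;
# settings inside "Match" blocks are conditional and are not read here.

sshd_setting() {
    # $1 = config file, $2 = keyword (case-insensitive); prints the effective global value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }        # global section ends here
        { if (tolower($1) == key) { print tolower($2); exit } }
    ' "$1"
}

audit_sshd() {
    # Returns 0 when hardened, 1 when a weak setting (or weak default) is in effect.
    cfg="$1"; weak=0
    root=$(sshd_setting "$cfg" PermitRootLogin)
    pass=$(sshd_setting "$cfg" PasswordAuthentication)
    # Unset keywords fall back to sshd's defaults; for the 2013-era releases the thread
    # talks about both defaulted to "yes", so treat "unset" as weak.
    if [ -z "$root" ]; then root="yes (default)"; fi
    if [ -z "$pass" ]; then pass="yes (default)"; fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin $root"; weak=1 ;;
    esac
    case "$pass" in
        no) ;;
        *) echo "WEAK: PasswordAuthentication $pass (a shared default password works remotely)"; weak=1 ;;
    esac
    return $weak
}

# Constructed sample configs: a stock-style one and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf 'Port 22\n# PermitRootLogin left at its default\nPasswordAuthentication yes\n' > "$WEAK_CFG"
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\nMatch User backup\n    PasswordAuthentication yes\n' > "$HARD_CFG"

audit_sshd "$WEAK_CFG" || echo "stock-style config rejected (exit $?)"
audit_sshd "$HARD_CFG" && echo "hardened config accepted"
```

Point it at /etc/ssh/sshd_config to audit a real device; the shared default password itself still has to be changed with passwd, which no config check can do for you.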
Sent: Thursday, 21 March 2013 at 11:26
From: "Johannes Gilger" <[email protected]>
To: "Hannes Tschofenig" <[email protected]>
Cc: "Cao Zhen (CZ)" <[email protected]>, [email protected]
Subject: Re: [Lwip] Internet Census 2012 -- Insecure embedded devices
The author only uses telnet logins to try to connect to the devices. I
don't know any current OS which enables telnet by default, much less
with root:root or admin:admin, not even the Raspberry Pi. So the set of
possible devices is already relatively small. Furthermore the author
developed and cross-compiled his bot-binary for OpenWRT platforms.
Regards,
Jojo
--
Dipl.-Inform. Johannes Gilger
Research Group IT-Security
RWTH Aachen University
Mies-van-der-Rohe-Straße 15
52074 Aachen
Office: 211
Phone: +49 241 80 20781
http://itsec.rwth-aachen.de
_______________________________________________ Lwip mailing list [email protected] https://www.ietf.org/mailman/listinfo/lwip
