Hard-coded passwords remain a key security flaw
This common developer flaw is a widespread problem that isn’t likely to go away any time soon, said Alex McGeorge, head of threat intelligence, Immunity.
Unfortunately, hard-coded passwords are an intrinsically hard problem to solve, and McGeorge said, “There is not a great solution to it. People are getting compromised all the time. Security is a hard problem to solve.”
People who make networking gear are big targets and development companies are very protective of their source code because that’s their life code. “We saw the case that Cisco brought against Huawei Technologies claiming that Huawei had stolen their source code and were using it in their own brand,” said McGeorge.
These instances stand as examples for vendors who fear that their source code could be used against them. “Vendors are very reluctant to give anybody else access to their source code, and the security of their software suffers because of it,” McGeorge said.
Consumers have an intrinsic trust relationship with vendors, and they are trusting vendors not to put in a back door, but the risk that someone has put one in surreptitiously remains. “Juniper had this issue. They were not able to spot or were not looking for this problem,” said McGeorge.
Someone had surreptitiously put in a back door with a hard-coded password so that they could log in and had modified some of the encryption variables. The danger, said McGeorge, “If you were able to man in the middle between Juniper’s firewall and something else, you could potentially decrypt that traffic.”
It’s a problem without a real practical solution. Most give Juniper the benefit of the doubt that they didn’t do it and assume that somebody else did. Still, they weren’t able to figure this out for a number of years.
“As a consumer there is not a whole lot you can do. You can’t audit the source code because it’s not public. You could demand that Juniper bear that cost, or demand that they have to have their source code audited by a third party and share those results,” McGeorge said.
Chris Weber, co-founder of Casaba Security, whose white hat firm does a lot of software assurance and code audits, said that passwords in released products are easy to find because they ship with the product. “Someone who gains access to the product can disassemble the firmware or software and find the passwords easily. They aren’t easily hidden and are easy to find,” Weber said.
The security risk to enterprises depends on how the passwords are being used, but by shipping the password along with the software, the potential that it can be discovered by malicious actors is heightened.
The problem isn’t new, yet it also is not going away for many different reasons. “In the development process, often times people work on teams and they need to access different systems and share access to systems and credentials,” said Weber.
Developers need to share access to certificates and private keys used for encryption and decryption, and then they need a place to store and share these passwords safely. The software needs to connect to other systems and they need a login. “When you send data to a database to interact, it requires a login,” said Weber. As a result, developers will often hard code the passwords into the software.
Sometimes having the passwords in the software is a matter of convenience during the development process, but failure to remove them is often an oversight. “These developers may start with one scenario, then quickly there is another thing we need to do and store passwords for it,” Weber explained. “They might think ‘maybe now is a time to look at secure password management but we are too busy,’” he continued.
Often times a pen tester will see passwords written in the source code, and Weber said, “Whether they are published intentionally or unintentionally, it’s a bad habit. It’s one of those things with security: security is an inconvenience. A road block that slows people down.”
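Weber's two observations, that passwords ship inside the product and that they sit in plain view in source code, can be turned into a pre-release check on your own build. The following is an added example, not code from the article or from any vendor it names: it pulls printable strings out of a firmware image or source file and flags credential-style assignments with literal values. The key-name patterns, function names and sample image are constructed for illustration.

```python
import re

# Runs of 6+ printable ASCII bytes, the same idea as the Unix `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# An identifier containing a credential keyword, then = or :, then a literal value.
CRED = re.compile(
    r"(?i)([\w.-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key)\w*)"
    r"\s*[=:]\s*[\"']?([^\s\"';,]{4,})"
)

# Values resolved at run time (env placeholders, function calls) are not embedded secrets.
INDIRECT = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|[\w.]+\()")


def extract_strings(blob: bytes):
    """Yield (offset, text) for each printable run in a binary or source blob."""
    for m in PRINTABLE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_embedded_credentials(blob: bytes):
    """Return [(offset, key, masked_value)] for literal credentials found in blob."""
    findings = []
    for offset, text in extract_strings(blob):
        for m in CRED.finditer(text):
            key, value = m.group(1), m.group(2)
            if INDIRECT.match(value):
                continue  # looked up at run time, nothing secret is shipped
            masked = value[0] + "*" * (len(value) - 1)  # keep the secret out of reports
            findings.append((offset + m.start(), key.lower(), masked))
    return findings


# Constructed sample: a fake firmware image with binary padding around config strings.
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x01\x02" + b"\x00" * 16
    + b"db_host=10.0.0.5;db_password=Sup3rS3cret;\x00\x00"
    + b"\xff\xfe" + b"admin_pwd: letmein123\x00"
    + b"password=${DB_PASSWORD}\x00"
)

if __name__ == "__main__":
    for off, key, masked in find_embedded_credentials(SAMPLE_IMAGE):
        print(f"offset {off:#06x}: {key} = {masked}")
```

A clean result only means no plaintext, conventionally named credential was found; obfuscated or oddly named values still need a code review.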
Ryan Olson, director of threat intelligence, Unit 42, Palo Alto Networks, said the role the device plays in the enterprise will determine the level of risk the passwords pose to security. “The worst case scenario is that device has control over a significant portion of the network and the password gives complete access to the device,” Olson said.
Sometimes the hard-coded password is intended to be used for the initial setup. “If the password is used for a default account, that was probably going to be used by the first person installing the device, and at the end of process that person should be removing that account,” Olson said.
Those default accounts don’t always get removed, and Olson suggested auditing your devices to understand that they do have default accounts. “It won’t work in every case because in some cases the hard coded passwords are in the code itself,” Olson said.
Enterprises can take some action to protect themselves and their networks by putting pressure on vendors to make sure they are not leaving the passwords in the devices. Asking key questions about whether the vendor has a way to recover this device if they were to lose the password will give a good indication of whether there are hard coded passwords.
Olson said, “It’s better to know that it’s a hard-coded password upfront and to know that your vendor is also aware of the passwords.”
Because hard coded passwords are a way to get into the device with no username or authentications, they represent various ways of getting into a system that have been hard-coded in. Some of the information that is accessible might be sensitive, said Morey Haber, vice president of Technology, BeyondTrust.
“Many times we are not aware of hard-coded passwords until they are exposed. Enterprises need to protect those passwords by segmentation. Make sensitive data not accessible. Use control platforms and on premise password safe technology,” said Haber.
In addition, their IP subnets should not be accessible to anything except some form of management that proxies their use, Haber said. “For example, you’re a bank. If the sensitive data is on the same subnet as everything else, you need some type of proxy where there is a safety or filtering. You can mitigate the risk to an acceptable level because you have to authenticate before access to those hard-coding passwords,” Haber explained.
If vendors are outsourcing the software or firmware behind the scenes, they usually aren’t going the route of changing usernames and passwords, Haber said. So, for any company that is evaluating technologies, if the tool doesn’t allow them to change the username of the administrator or the password, that’s a big red flag.
“Look for another technology,” Haber said, “and if that is the only technology available, make sure it’s included in any RFPs or vendor discovery discussions. You need to know how your device is secured from an administrative perspective.”