Problems with hardcoded credentials are hitting consumer IoT devices, industrial SCADA devices, and even critical infrastructure. Despite the appeal on source code and firmware audition, this type of vulnerability recurs and threatens users’ privacy and data security.
Security researcher Elliot Williams posted on Hackaday that most GSM-to-IP devices made by DBLTek have a remotely accessible hardcoded credential which leads to a shell with root privileges. The finding was reported to the manufacturer, who didn’t really fix the underlying vulnerability. Instead, they implemented a workaround: they added an extra challenge-response process, whose algorithm can be obtained by reverse-engineering. Trustwave’s blog post summarizes the entire chain of events. A tool exploiting this vulnerability is also available on Github.
On Shodan, a search engine for Internet-connected devices, I was able to find exposed DBLTek GoIP devices both with and without the extra “challenge”. The devices are mostly located in the United Kingdom, Brazil, Ukraine and Germany. Randomly tested devices showed that they were updated to the newer firmware with a challenge-response.
Figure 1. Shodan search for vulnerable DBLTek devices
A compromised GoIP device might cause security risks to VoIP software which is usually on a LAN, resulting in unauthorized inbound/outbound calls, access to voicemail boxes, SIP trunks, and lateral movement. Since it may also work in router mode (which works like a home router), a compromised device can also lead to risks for computers behind it.
Trend Micro recommends against connecting IoT and VoIP gateway products directly to the Internet, as this leaves these devices without the benefit of the protection provided by a router.