While responding to a vulnerability report submitted in April, ICS-CERT told a researcher that documented, changeable default passwords are not vulnerabilities. But given the risk behind default passwords and the focus on critical infrastructure security, shouldn't such things be considered an issue?
Darius Freamon, a researcher from South Carolina, reported a vulnerability in an ICS (Industrial Control System) used for Solar power generation last April. ICS-CERT, a division of the U.S. Department of Homeland Security that focuses on risk across critical infrastructure, told him that the flaw he disclosed in Solare Datensysteme wasn't valid.
"After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability," an email from ICS-CERT informed Freamon.
Freamon, who has submitted five different vulnerabilities this year to ICS-CERT, was understandably perplexed by the response. In his work, he told CSO that he sees default passwords all the time, and while he understands the response given to him, the problem itself remains.
"The big problem is that administrators just don't change them," Freamon told CSO, referring to default passwords used in critical systems.
"Even if 50% do it, [that] means there are hundreds or thousands of systems left open to the world. With all the attention on ICS and SCADA it is scary how many systems are connected to the Internet [with default credentials]."
CSO spoke to a few other security experts about the ICS-CERT response, in order to assess their stance on the issue. It's standard practice, at least on paper, to change default settings when deploying technology wherever possible. The reality however, is that software and hardware go into production with default settings as it makes usage and management easier.
A.N. Ananth, the CEO of EventTracker, told CSO that the default password report made in April is quite severe and the defense / explanation provided by ICS-CERT is weak.
"Microsoft learned this lesson the hard way from the days of Windows XP. Insecure default options were a primary driver for the NIST to develop the SCAP standard and require annual assessments of configuration across the network. The US Air Force secure desktop configuration is one result of this work and has led to significant reduction in attack surface across endpoints," Ananth said.
Moreover, secure configurations, such as changing default passwords, is listed as Critical Control #3 on the SANS Consensus Audit Guidelines.
"Simply put, a very large majority of users leave installations of hardware and software at default settings despite repeated warnings. It is imperative for manufacturers or vendors to supply secure configurations by default. In this case, it would be much better to force the user to pick a compliant non-default password on installation as a mandatory step," Ananth added.
Mirroring that stance, Grayson Milbourne, the security intelligence director at Webroot, told CSO that default passwords are a vulnerability when left on the system, and that while there should be an initial, default method to access a new device, passwords should be immediately changed after the first login.
"It shouldn't just be policy, but a required action on the part of the software once a user logs in. If default passwords remain unchanged or if they're guessable, they can be accessed and harvested through brute force attacks. The operational security for industrial systems is far behind corporate network protection, and the potential damage to our infrastructure far supersedes the damage that any one company could sustain," Milbourne said.
Kyle Adams, the Chief Software Architect for Junos WebApp Secure at Juniper Networks, told CSO that allowing default passwords to remain just isn't advisable. While guidance in a manual helps reduce the number of vulnerable installs, it still leaves room for people to make mistakes "likely leading a significant percentage of systems wide open for exploit."
"Why risk having any be open? They should just force them to set a new password on the first boot. Or at the very least, have it generate a random password when it first installs and display that password to the installer."
CSO encourages you to weigh-in on this topic, leave a comment below tells us why you agree, or disagree, with stance taken by ICS-CERT. Is documentation enough, or should there be additional processes?
The sources contacted for this article, who were able to respond on the record by deadline, all agreed that default passwords are an issue unto themselves, and need to be taken care of. Those who spoke on background still disagreed with ICS-CERT, so we'd be interested in hearing from the other side of that argument. Is there anyone who thinks default passwords are not a vulnerability?