Security News

Convicted VoIP Hacker Robert Moore Speaks

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. 'It's so easy a caveman can do it,' Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"

  • Random passwords (Score:4, Interesting)

    by MobyDisk ( 75490 ) on Wednesday September 26, 2007 @06:47PM (#20761623) Homepage
    It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
    - They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
    - You would have to print it on the router, or on a slip of paper
    - If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.

    Even if you don't implement that last bullet, it still seems like it would help a lot.
  • Re:Random passwords (Score:2, Interesting)

    by steelshadow ( 586869 ) <(roadster1200xl) (at) (yahoo.com)> on Wednesday September 26, 2007 @07:04PM (#20761793)
    I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.
  • Re:Random passwords (Score:3, Interesting)

    by John_Sauter ( 595980 ) <John_Sauter@systemeyescomputerstore.com> on Wednesday September 26, 2007 @07:10PM (#20761845) Homepage

    Every device with an Ethernet interface has a 48-bit unique identifier built in. All such devices, in my experience, also have a sticker that displays their Ethernet address. Would it be so difficult to include, at manufacturing time, a small ROM that contained an initial password, unique to each device, and also displayed on a sticker? The additional cost of such a feature needs to be weighed against the additional security provided, but I think in some markets it would be a definite win.

    The manufacturer need not keep a list of which passwords went with which device, only a list of the passwords already issued to ensure the new ones were unique. If uniqueness is not an absolute requirement, only keep the last thousand passwords, and use a good random number generator.
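
A sketch of the factory-side scheme proposed in the comments above (a random per-device password on the sticker, uniqueness checked against only the last thousand issued, a reset that returns to the sticker value). This is an added example, not code from any commenter or vendor; `FactoryProvisioner`, `check_login`, the alphabet and the record layout are hypothetical.

```python
import hashlib
import secrets
from collections import deque

# Sticker-friendly alphabet (assumption): no 0/O or 1/I, to avoid typos.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols = 5 bits each
PASSWORD_LEN = 12                               # 12 * 5 = 60 bits of entropy
RECENT_WINDOW = 1000                            # "the last thousand passwords"
KDF_ROUNDS = 100_000


class FactoryProvisioner:
    """Hypothetical factory-line tool issuing one random password per device."""

    def __init__(self, window=RECENT_WINDOW):
        # Digests only: the factory keeps no plaintext and no device mapping.
        self._recent = deque(maxlen=window)
        self._recent_set = set()

    def issue(self, mac):
        """Return (sticker_record, rom_record) for the device with this MAC."""
        while True:
            # CSPRNG output, deliberately NOT derived from the MAC or serial:
            # the MAC is visible on the wire, so anything computed from it
            # would be guessable.
            password = "".join(secrets.choice(ALPHABET)
                               for _ in range(PASSWORD_LEN))
            digest = hashlib.sha256(password.encode()).hexdigest()
            if digest not in self._recent_set:
                break
        if len(self._recent) == self._recent.maxlen:
            self._recent_set.discard(self._recent[0])   # oldest falls out
        self._recent.append(digest)
        self._recent_set.add(digest)
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                       salt, KDF_ROUNDS)
        sticker = {"mac": mac, "password": password}    # printed on the unit
        rom = {"salt": salt, "verifier": verifier}      # burned into the unit
        return sticker, rom


def check_login(rom, attempt):
    """Device-side check; a factory reset restores this ROM verifier,
    so the reset password is the sticker value, not a shared default."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    rom["salt"], KDF_ROUNDS)
    return secrets.compare_digest(candidate, rom["verifier"])
```
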

  • by Anonymous Coward on Wednesday September 26, 2007 @07:23PM (#20761949)
    What ever happened to the supercool hacking-thang called "not getting caught"?

    Oh like that'll get you a book deal and job in the computer security field.

    If you don't get caught you'll never even merit an article on /.
  • Re:Here's one I do (Score:5, Interesting)

    by Destoo ( 530123 ) <destooNO@SPAMgmail.com> on Wednesday September 26, 2007 @08:46PM (#20762539) Homepage Journal
    Why would they care, if it just works?

    I think I had 5 routers in my neighborhood on channel 6, with default passwords.
    I logged into each and switched them to different channels.
  • Re:Well (Score:3, Interesting)

    by mcrbids ( 148650 ) on Wednesday September 26, 2007 @09:29PM (#20762805) Journal
    The weakest link is often the user: leaving the default password of a router,

    Are you sure it's the user?

    So, let me ask you this - why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something? Such a trivial thing to do, yet it would do so, so much for improving security, and would have a trivial effect on usability.

    Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't routers?
  • why? (Score:2, Interesting)

    by azrin_abbas ( 1161153 ) on Thursday September 27, 2007 @03:49AM (#20765201)
    Why is he going to prison? Why not make him something like a password administrator, where he finds all the default passwords (seems like he had the time back then) and asks those owners to change them? And of course gets paid for that. Like that what's-his-name guy in the 'Catch Me If You Can' movie.
  • by cadu ( 876004 ) <cadu.coelho@noSPAM.gmail.com> on Thursday September 27, 2007 @05:56AM (#20765755)
    Even if we try to do the RIGHT thing, we end up punished and bashed for 'doing wrong stuff'. When you're dealing with a bunch of Joe Averages [especially one being your boss], sometimes it's better to just watch it crash down and burn than to try to fix/warn the bosses about a potential security breach.

    I used to work as a cybercafe admin in a hotel [ClubMed(R)] and one day, when I was messing with the router's telnet interface, I decided to do a quick check of the PDF manual I had for it and look for the default password. I input the default username and password and bam, got in... all free for me to change. As it was a leased line, I could give real internet IPs to inside machines by just specifying IP+MAC, could reflash the whole thing, could destroy it... Instead, I prepared a paper describing the security risks of leaving the main hotel's router [the one that serves both the guests' internet access and the company's private data system] using the default password, documented everything with screenshots and whatnot, and put it on my boss's desk.

    Guess the result!?

    Even with me trying to explain/teach/advise him about the risks, saying that he should call the leased line company and complain about them putting an unsecured device in his network, the retard fired me for 'hacking attempt' and said that I shouldn't be 'trying to sneak in places where I shouldn't' (damn, I just found a BIG flaw and got bashed for finding it!).

    2 days later: the fscker changed the password.

    When I think of it, I regret not arriving home that day and reflashing the modem's firmware with zeroes or something and hitting reboot. That would be total chaos and give them a nice big lesson :)
  • Go tell... (Score:1, Interesting)

    by Anonymous Coward on Thursday September 27, 2007 @10:53AM (#20768693)
    I used to work in a MAJOR telecom firm. I had a list of about 10 common passwords which granted me root permissions on 99% of machines. My boss had a similar list for Cisco boxes. When we needed to change/check something we just used password after password till we hit the right one.

    The other option, the proper procedure, was to send an email to the bureaucrat boss of the sysadmins. He would then send an order to an admin to temporarily change the password for the machine you needed and give you that password. Then when you finished he would change the password again. The problem was the sucker usually just ignored your requests, or took weeks to give you access. So if we wanted to finish our job in time, we had no choice.

    In the rare 1% of cases where the password was different, we just directly phoned one of the admins, bypassing his boss, and asked him for the password :D In the even rarer case that the admin didn't want to give out such sensitive data over the phone, we'd just start reciting our root-password list to him to prove we were who we pretended to be. That always did the trick :D

    So users are not always the problem. Stupid policies are also to blame.