353,436 Exposed ZTE Devices Found In Net Census

mask.of.sanity writes "Hundreds of thousands of internet-accessible devices manufactured Chinese telco ZTE have been found with default or hardcoded usernames and passwords. The devices were discovered in analysis of the huge dataset from the Internet Census run this year. ZTE topped the charts, accounting for 28 percent of all affected devices worldwide. Only one manufacturer has responded to the researcher's bid to supply the data in efforts to stop production of insecure devices."

Hmmm

[cold fjord]

I seem to recall a story or two about concerns regarding vulnerable Chinese telecom devices before. Didn't many people think it was nonsense?

Re:

[SQLGuru]

The concerns of the earlier articles were about back-doors. Default credentials is basically every device is enabled with admin/1234 and the users aren't educated (or forced) to change them. It's like how briefcases are initially set to all zeros and it's up to you to change the combination. The manufacturers either need to make the default credentials differ for each device or provide a LOT of education.

Re:

[cold fjord]

The story is about default and hard coded passwords. A secret hard coded password is a backdoor. Are all the hard coded accounts / passwords known?

Re:

[gweihir]

Indeed. This is just plain stupidity, not maliciousness. Of course, that will not prevent the NSA and others from using them.

By

[gsslay]

manufactured by Chinese telco ZTE.

The original article was badly written and proof read, so naturally slashdot contains the exact same obvious error.

Re:By

[EvilSS]

So the devices didn't manufacture a Chinese telco named ZTE? That makes this a much more boring story. Guess I have to put my "Rise of the Machines" supplies back in the closet now.

Re:

[Anonymous Coward]

The original article was badly written and proof read, so naturally slashdot contains the exact same obvious error.

And the same error will likely not be fixed when they repost it again tomorrow.

Foreseeable?

[__aaltlg1547]

Given how many internet devices are manufactured in China, wasn't it pretty foreseeable that the majority of devices with X were going to be found to have been manufactured in China?

heh

[shentino]

Who wants to bet that chinese intelligence was involved in this?

Re:heh

[Anonymous Coward]

Who wants to bet that chinese intelligence was involved in this?

And we're supposed to trust US products don't have settings demanded by the NSA?

Sorry America, but you're just as un-trustworthy these days, and your corporations are just an arm of your government for spying -- and your government is just an arm of your corporations for foreign policy

A nice little incestuous feedback loop.

Re:

[godel_56]

Never attribute to malice that which is adequately explained by stupidity.

Never attribute to stupidity that which is adequately explained by malice, when the people involved have prior form, and have close associations with the Chinese military.

To quote cold fjord above, "The story is about default and hard coded passwords". What valid reason is there to put those in (presumably) commercial modems and routers?

Re:heh

[Idimmu Xul]

The default root password for every DRAC (Dell Remote Access Card) in existance is

*Drumroll*

calvin

fucking american spies

Cant we put that moble CPU to good use?

[Anonymous Coward]

Is there any chance I could lease this phone botnet and get some one to write an algorithm that could help discover new ways to help viagra medication become even more effective? imagine 1 million CPUs working together helping the progress of boner pill technology.
Its pretty clear this was the true intention of why China has so many backdoor phones out there, sheesh.

Re:

[Gold Plated]

Too late, its already in progress!

Gaoke Communications is just as bad

[Anonymous Coward]

Gaoke MC600x WiFi routers are used all over South America and probably elsewhere.

They are installed by the telecom company and they do change the admin password. However, you don't even need a password, just go to the internet IP address of a device, the default is the web interface is visible from the Internet, and rather than logging in change the last part of the URL to wifilan.htm and it will think you are logged in as guest. The guest user can change all the WiFi settings.

They may be insecure but at least they are cheap!

Blocking 23

[Gary Perkins]

His recommendation at the bottom is for ISP's to start blocking port 23. I certainly hope that doesn't become a "solution". Many people like to host their own servers, and these default port blocks just make life horrible. The BBS hobby scene uses 23 quite a bit and would take a hit. Blocking ports is not an answer, and in fact I'd like to see the practice banned.

Re:

[The-Ixian]

Agreed...somewhat. Port 23 though? really? Why would you not be using telent and not SSH to connect to any server from the outside?

Re:

[Gary Perkins]

There are rather effective ways to blacklist IP's that abuse ports. I think there's even a list out there. However, I've been running a BBS server for several years now, and I've rarely felt the need to do anything about any hammering on my ports. The one time I actually had to block anyone with IP rules was no matter what I did, I couldn't get Google to stop crawling FTP day and night. But other than that, I'll occasionally get one or two connects at a time sporadically thoughout the day from all over

My favorite bit of the article

[The-Ixian]

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did. Whenever you think "that shouldn't be on the Internet but will probably be found a few times" it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password."

It amazes me, still, how these things can happen. It really shouldn't, I am a contractor after all and have seen hundreds of different networks, large and small. Most with amazing security....deficiencies, usually done in the name of convenience.

Well, surprise! Surprise! Surprise!!

[gestalt_n_pepper]

The Chinese exploited a brain-dead obvious attack vector. Nobody checked. Nobody looked. Nobody cared. The empire rots from within.

scoop

[porjo]

From TA:

"Shukla (the report author) was given exclusive access by the anonymous author to the sensitive data collected in the project (using an illegal botnet to scan the target devices)."

Sounds just a little too convenient to me