Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hard-coded passwords remain a key security flaw

Kacy Zurkus | March 8, 2016
From Juniper to Fortinet and Cisco, a lot of companies have been cited for having shipped products that contain hard-coded passcodes to market which poses security risks to the enterprise.

From Juniper to Fortinet and Cisco, a lot of companies have been cited for having shipped products that contain hard-coded passcodes, which poses security risks to the enterprise.

This common developer flaw is a widespread problem that isn’t likely to go away any time soon, said Alex McGeorge, head of threat intelligence, Immunity. 

Unfortunately, hard-coded passwords are an intrinsically hard problem to solve, and McGeorge said, “There is not a great solution to it. People are getting compromised all the time. Security is a hard problem to solve.”

People who make networking gear are big targets and development companies are very protective of their source code because that’s their life code. “We saw the case that Cisco brought against Huawei Technologies claiming that Huawei had stolen their source code and were using it in their own brand,” said McGeorge. 

These instances stand as example for vendors who fear that their source code could be used against them. “Vendors are very reluctant to give anybody else access to their source code, and the security of their software suffers because of it,” McGeorge said.

Consumers have an intrinsic trust relationship with vendors, and they are trusting vendors not to put in a back door, but the risk that someone has put one in surreptitiously remains. “Juniper had this issue. They were not able to spot or were not looking for this problem, said McGeorge. 

Someone had surreptitiously put in a back door with a hard-coded password so that they could log in and had modified some of the encryption variables. The danger, said McGeorge, “If you were able to man in the middle between Juniper’s firewall and something else, you could potentially decrypt that traffic.”

It’s a problem without a real practical solution. Most give Juniper the benefit of the doubt that they didn’t do it and assume that somebody else did. Still, they weren’t able to figure this out for a number of years. 

“As a consumer there is not a whole lot you can do. You can’t audit the source code because it’s not public. You could demand that Juniper bear that cost, or demand that they have to have their source code audited by a third party and share those results,” McGeorge said.

Chris Weber, co-founder of Casaba Security, whose white hat firm does a lot of software assurance and code audits, said that passwords in released products are easy to find because they ship with the product. “Someone who gains access to the product can disassemble the firmware or software and find the passwords easily.  Aren’t easily hidden and easy to find,” Weber said.

De-coding

Use your leverage to push pressure on vendors to strengthen security by asking these 5 questions about hard-coded passwords.

  1. Does the vendor use a third party for a source code audit?
  2. Are the results of the audit available?
  3. How secure is the vendor’s development program?
  4. Has the vendor used a pen tester on the product?
  5. Does the vendor have a way to recover the device if the password is lost?

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.