Problems with hardcoded credentials are hitting consumer IoT devices, industrial SCADA devices, and even critical infrastructure. Despite calls for source code and firmware audits, this type of vulnerability keeps recurring and threatens users’ privacy and data security.
Security researcher Elliot Williams posted on Hackaday that most GSM-to-IP devices made by DBLTek have a remotely accessible hardcoded credential that leads to a shell with root privileges. The finding was reported to the manufacturer, who didn’t really fix the underlying vulnerability. Instead, they implemented a workaround: they added an extra challenge-response process, whose algorithm can be obtained by reverse-engineering. Trustwave’s blog post summarizes the entire chain of events. A tool exploiting this vulnerability is also available on GitHub.
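To show why such a workaround does not fix the underlying issue, the following added example (not code from DBLTek, Trustwave, or the original post) contrasts a keyless challenge-response, where the response is a fixed function of the challenge, with one keyed by a per-device secret. The transform, class, function names, and secrets are constructed for illustration and do not reproduce the vendor's algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a "secret algorithm": the response depends only on
# the challenge, so the firmware image contains everything needed to answer.
def keyless_response(challenge: bytes) -> bytes:
    return hashlib.sha256(b"fixed-salt-in-firmware" + challenge).digest()

# Keyed design: the response also depends on a secret unique to each device,
# provisioned per unit and never shipped inside a shared firmware image.
def keyed_response(device_secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()

class Device:
    """Hypothetical device-side verifier (assumption, not a real product API)."""

    def __init__(self, keyed: bool):
        self.keyed = keyed
        self.secret = secrets.token_bytes(32)  # hypothetical per-device secret
        self.challenge = None

    def issue_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify(self, response: bytes) -> bool:
        if self.challenge is None:
            return False
        challenge, self.challenge = self.challenge, None  # single use, no replay
        expected = (keyed_response(self.secret, challenge) if self.keyed
                    else keyless_response(challenge))
        return hmac.compare_digest(expected, response)

def algorithm_alone_suffices(keyed: bool) -> bool:
    """Audit check: can a party who knows only the algorithm authenticate?"""
    device = Device(keyed)
    challenge = device.issue_challenge()
    # The auditor has read the firmware and knows both functions,
    # but does not hold any individual device's secret.
    guess = (keyed_response(b"\x00" * 32, challenge) if keyed
             else keyless_response(challenge))
    return device.verify(guess)

if __name__ == "__main__":
    print("keyless scheme passes with algorithm only:", algorithm_alone_suffices(False))
    print("keyed scheme passes with algorithm only:", algorithm_alone_suffices(True))
```

The keyless variant is accepted by anyone who has read the firmware, which is why a challenge-response step without a per-device secret leaves the hardcoded access path intact.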