A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.
CVE-2018-7900 exists in the router panel and allows credential information to leak – so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of devices that have default passwords – no need for brute-forcing or running the risk of running into a generic honeypot.
“When someone has a look at the HTML source code of the login page, a few variables are declared. One of the variables contains a specific value. By monitoring this specific value, one can come to the conclusion that the device has the default password,” explained Ankit Anubhav, principal researcher at NewSky Security, in a posting on Wednesday. “The attacker can simply go to ZoomEye, find a list of devices, log in, and do what they want with minimal hacking skills. As easy as that.”
Huawei has issued a fix and worked with its carrier customers to implement it across networks.
NewSky said it wouldn’t disclose exact details of the flaw or the number of affected devices that it uncovered during its own ZoomEye search (though Anubhav referred to the number of affected devices as “concerning”).
This is only the latest issue affecting carrier-level gear – and it’s a problematic trend given the scope of the potential attack surface.
“The attack vectors which can infect a huge number of IoT devices are much more favored than using a vulnerability in a vendor which has only 500 devices online,” said Anubhav. “Hence, in 2018 we saw CVE-2018-14847 (MikroTik) and CVE-2014-8361 being highly used. One commonality among them is the sheer high number of devices which can be abused using the vulnerabilities. Hence, a security loophole in a big IoT vendor can be a more critical issue than a usual one.”