Telnet Backdoor Opens More Than 1M IoT Radios to Hijack

Attackers can drop malware, add the device to a botnet or send their own audio streams to compromised devices.

Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to.

The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that listens on port 23 of the radio. The Telnetd service is protected only by a hardcoded, weak password, which can be recovered with simple brute-forcing. From there, an attacker can gain unauthorized access to the radio and its OS.

In testing, researchers said that the password compromise took only about 10 minutes using an automated “ncrack” script – perhaps because the hardcoded password was simply, “password.”
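The brute-force pattern described above (many Telnet connections to port 23 from one source over roughly ten minutes) is also what a defender can look for. The following is an added example written for this article, not the researchers' tooling or the radio's own logging: it assumes a simplified firewall-log line format and uses constructed sample addresses, flagging any source that opens a burst of port-23 connections to one device inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified firewall-log format:
# timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2019-09-09T10:00:00 src=203.0.113.5 dst=192.168.1.20 dport=23
2019-09-09T10:00:02 src=203.0.113.5 dst=192.168.1.20 dport=23
2019-09-09T10:00:03 src=192.168.1.50 dst=192.168.1.20 dport=80
2019-09-09T10:00:05 src=203.0.113.5 dst=192.168.1.20 dport=23
2019-09-09T10:00:09 src=203.0.113.5 dst=192.168.1.20 dport=23
2019-09-09T10:00:12 src=203.0.113.5 dst=192.168.1.20 dport=23
2019-09-09T10:00:15 src=198.51.100.7 dst=192.168.1.20 dport=23
2019-09-09T10:45:00 src=198.51.100.7 dst=192.168.1.20 dport=23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def detect_telnet_bruteforce(log_text, threshold=5, window_seconds=600, port=23):
    """Flag (src, dst) pairs that open at least `threshold` Telnet connections
    within any `window_seconds` window; a password-guessing run shows up as
    a burst of port-23 connections to the same device."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        q = recent[(src, dst)]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[(src, dst)] = max(flagged.get((src, dst), 0), len(q))
    return flagged

if __name__ == "__main__":
    for (src, dst), n in detect_telnet_bruteforce(SAMPLE_LOG).items():
        print(f"possible Telnet brute force: {src} -> {dst} ({n} connections)")
```

Two isolated connections 45 minutes apart from the second source are not flagged, while the five-connection burst from the first source is; tune the threshold and window to the connection rate your own logs show for legitimate Telnet use, which for a consumer radio should be none.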

After logging onto the device, researchers were able to access the “etc” path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the “wifi cfg” file with unencrypted information on the wireless LAN key.

“By now we had a full access to the file system with httpd, Telnet and we could as well activate the file transfer protocol,” according to an advisory from the Vulnerability Lab on Monday. “Then we watched through the local paths and one was called “UIData”. In the UIData path are all the local files (binaries, xml, pictures, texts and other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we [were] able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.”

Adding insult to injury, the researchers also found a second vulnerability (CVE-2019-13474) in the AirMusic client onboard the device, which allows unauthenticated command execution.

“Using the mobile application on Apple iOS in combination with the port scan result shows us by intuition that the AirMusic client may be connecting on port 80 through 8080 httpd to send and receive commands,” the researchers said. After an hour of testing, they were able to send commands to the client via the web.

Successful exploitation of the two bugs would open the door to a range of malicious activity. An attacker could change the radio stream or deliver their own live message or audio file. Remote attackers can also snoop to see radio streams played or listen to messages.

“Blackmailing, shocking and simple web-server defacements are also an ability for attackers,” the researchers explained. “In the worst case, a remote attacker could modify the system to spread remotely ransomware or other malformed malicious viruses/rootkits/destructive scripts. He can also use the web server to be part of a IoT botnet.”

A proof-of-concept video is available here:

The flaws “[affect] a huge amount of models in the Imperial and Dabman web radio series,” according to the researchers, who said more than 1 million devices are at risk. The radios are distributed in Germany by Telestar Digital GmbH, and sold globally on Amazon and eBay; they’re used in both home and office environments. Telestar said that it is discontinuing the use of Telnet going forward, and has launched manual binary patches for existing deployments.

“The pattern behind these disclosures is reminiscent of how the template used in the original Mirai botnet attack was designed, using an open Telnet port with weak security to perform external actions, including port forwarding,” said Tim Mackey, principal security strategist at CyRC, Synopsys, via email. “IoT security is a critical element in which creators of these products need to invest. The principle of least privilege should apply to all internet-facing devices and involves no open ports unless absolutely required and documented; no weak passwords; all external accesses, including remote update models, documented; and commitment to security updates aligned to the user expectation for the device lifespan. While the latter element isn’t truly part of a principle of least privilege, it does provide consumers with a level of confidence that the vendor takes security seriously enough to invest in it.”


Discussion

  • Slow503 on

    Really hope you guys did research and reported this cause I sure got nowhere trying to report this issue. Hopefully the patches fix this. Recommend reset and new OS; this seems like how Vista was lol
  • Gernot on

    Very nicely written article cause it says a lot about the technical backgrounds and is not supposed to be fake news like the Huawei telnet account from Bloomberg.
  • Richard Lucas on

    Suspicious AF. But, you know, I can imagine selling product to a primary market, and then cultivating a secondary market of government agencies, criminals with "...and this is how you get inside."
  • Robert Dillon on

    I guess this means that dd-wrt and openwrt are now as safe as sharing a needle with a hep-c test subject. I have a joke about the President and security vulnerabilities, but it is a secret, and it will not be declassified until he meets the people who are not supposed to know it.
  • Irfan Paxym on

    wow!, what an asinine jump to maligning dd-wrt / openwrt. The default for both these systems is no telnet, and ssh (disabled by default). The developers of this radio deliberately chose to enable telnet, and then set a weak password. It should've been caught in QA or beta. You need to do actual work with xWRT to know what you're talking bout.
  • Elmar on

    Reading the article and watching the full technical details shows a final proof in the industry of today as perspective to argument for tomorrow on laws, guidelines or restrictions.
  • Cletus Vandamme on

    Why did it take them 10 minutes to figure out the password was "password"? That seems like it is about 9.5 minutes too long.
