Robert Moore (at left), a 23 year-old hacker from Spokane, Wash., is to go to prison later this week for his role in a plot to steal VoIP services from some 15 legitimate VoIP providers and then sell them as a separate company.Information Week's Sharon Gaudin has some quotes from Moore, who, as they say, "acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world."
"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."
Moore told Information Week he was able to execute six million scans of enterprise VoIP points largely through the huge, gaping hole of default passwords on misconfigured routers.
"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ...
But exploiting default passwords was not the only trick in this VoIP hacker's bag.
We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."
The article, which you should read, then quotes several experts who essentially agree with Moore's assessments, and then offer pointers that center on changing your default password often.
The issue is even more prominent given the commonality of products- and not just VoIP, with pre-installed default passwords that don't require change the first time they are used.
Alan Paller, director of research at the SANS Institute, tells Information Week that "products should be sold so the default password has to be changed first time they use it. It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."
But I say that sometimes, in the process of installing and enabling VoIP products, changing the default password can be overlooked. Not that it ever should be, but it is.