A core router for Oman's stock exchange, the Muscat Securities Market, had both its username and password as "admin" for months, even after several attempts by a security researcher to warn the exchange of the security implications.
The model of the router, developed by Huawei, isn't known, but it runs a web interface limited to a few enterprise models, allowing administrators to configure the network from the web browser. Many of these routers have the same username and password combination, which if not changed could let hackers obtain "super administrator" privileges, granting them complete access to the device.
Victor Gevers, who found the vulnerable router, said an attacker could've intercepted and manipulated the exchange's network traffic. "Actually, 'owning the network' is a breeze," he told ZDNet.
The Muscat Securities Market lists over a hundred primarily Omani companies, and has a market cap -- an indicator of the exchange's overall value -- of about $23.3 billion.
Several attempts by both Gevers and ZDNet over the past few months to contact Omani authorities and officials at the Omani consulate in New York by phone and email were unsuccessful.
Default passwords are one of the easiest ways to hijack a device, compared with other exploits, because the companies that supply networking equipment often publish the password in their public documentation. Bundled under the umbrella of "broken authentication," OWASP says default passwords rank second in its top ten list of web application security vulnerabilities.
Attackers often scan for telnet ports and try standard passwords to hijack devices because they are an easy target, said Gevers.
The router's password was eventually changed in the last few weeks -- though exactly when is not known.
It's also not known if anyone else found or accessed the router. The router's IP address was found buried in a list of about 33,000 credentials, which could be used to access devices over the old and insecure telnet protocol. Although the origins of the list aren't known, a significant portion of the list's credentials still worked. Those credentials, if used, could let botnet operators ensnare the network to knock other sites offline, mine bitcoin, or conduct surveillance on vulnerable networks.
Gevers, chairman of the GDI Foundation, a Netherlands-based non-profit group focused on finding security vulnerabilities, spent months reporting each vulnerable device in the list to its owner. Many had already been compromised.
It was during this search-and-report process that Gevers found the stock exchange's router among the thousands of vulnerable devices on the list, he told me at the time.
"Our advice was to block the telnet protocol on your firewall because this protocol is not safe to use anymore," said Gevers. "If you need to mitigate this problem quickly we suggest you change this telnet password for a long and complex one. And then immediately apply a firewall rule to block the telnet service to only allow on their local network and start a replacement for this Huawei router as soon as possible."
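The triage the article describes, matching a leaked telnet credential list against an organisation's own address space and flagging entries that still use a default pair such as admin/admin, can be scripted for a defender's inventory check. This is an added example, not code from Gevers or the GDI Foundation; the "ip:port user:pass" line layout and the sample entries are constructed assumptions, since the page does not show the list's format.

```python
import ipaddress

# Constructed sample in an assumed "ip:port user:pass" layout; not data from the real list.
SAMPLE_LIST = """\
203.0.113.10:23 admin:admin
203.0.113.77:23 root:Zq7pL2vX
198.51.100.5:23 admin:admin
192.0.2.200:2323 user:user
203.0.113.10:23 admin:admin
"""

# Vendor-documented default pairs to treat as "never changed". Only admin/admin comes
# from the article; a defender would extend this from the vendor's own documentation.
DEFAULT_CREDS = {("admin", "admin")}


def parse_entries(text):
    """Parse list lines into (ip, port, user, password) tuples, skipping malformed ones."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            endpoint, cred = line.split(None, 1)
            host, port = endpoint.rsplit(":", 1)
            user, pwd = cred.split(":", 1)
            entries.append((ipaddress.ip_address(host), int(port), user, pwd))
        except ValueError:
            continue  # a bad line should not abort the whole audit
    return entries


def audit(text, own_networks):
    """Return de-duplicated entries that fall inside own_networks, flagging default pairs."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    seen, findings = set(), []
    for ip, port, user, pwd in parse_entries(text):
        key = (ip, port, user, pwd)
        if key in seen or not any(ip in n for n in nets):
            continue
        seen.add(key)
        findings.append({"host": str(ip), "port": port, "user": user,
                         "default_cred": (user, pwd) in DEFAULT_CREDS})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LIST, ["203.0.113.0/24"]):
        print(f)
```

Each flagged host is a candidate for the steps in the advice above: change the credential, restrict telnet to the local network at the firewall, and plan the device's replacement.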
Gevers' work is far from over. Last year, the GDI Foundation reported 484,613 security vulnerabilities, and 358,426 reports were fixed -- a success rate of about 73 percent.
"We saw a potential of 1.9 million vulnerabilities online" last year, he said. "In 2018, that number will go up." And that will result in more data breaches and more cyberattacks.
"So, we need to step our game as well and continue on our mission to show that responsible disclosure is a good way to go," he said.