Nokia denies leaking internal credentials in server snafu

Security researcher finds treasure trove of passwords and API keys on an internet-accessible etcd database.

nokia.jpg

Finnish phone vendor Nokia denied today a security company's claims that it exposed a treasure trove of internal credentials, encryption and API keys in a server that it accidentally left exposed and easily accessible over the Internet.

The issue at hand is in regards to an etcd server discovered by HackenProof researcher Bob Diachenko.

Etcd is a database server that is most often used in corporate and cloud computing environments. They are a standard part of CoreOS, an operating system developed for cloud hosting environments, where they are used as part of the OS' clustering system. CoreOS uses an etcd server as a central storage environment for passwords and access tokens for applications deployed via its clustering/container system.

Diachenko told ZDNet last week that he came across one such etcd server last week, on December 13. He says he discovered the server using the Shodan search engine for internet-connected devices. Diachenko said it was immediately clear that the server belonged to Nokia.

In a blog post today, the researcher finally detailed last week's findings, after Nokia had secured the exposed server earlier this week. According to Diachenko, the server included credentials for applications such as Heketi, Redis, and Weave, but also Kubernetes secret encryption keys, a Gluster user private key, SSH and RSA private keys, cluster keys, AWS S3 secret keys "and a couple of others."

nokia-etcd.jpg

Image: HackenProof

The HackenProof researcher said that the same server was also running a logging service that was left exposed without authentication, allowing anyone to access it over the internet.

Contacted by ZDNet on Monday, a Nokia spokesperson denied the server contained any sensitive information.

"This particular AWS server was created some time ago by one of our developers for testing purposes," the Nokia spokesperson told ZDNet. "The server contains no sensitive information or internal credentials. That said, we'll use this episode for own awareness training for Nokia R&D employees."

But the HackenProof researcher does not believe the company's explanation. "It did not look like testing environment to me," Diachenko said. "In contrary, [it was] a treasury."

Nonetheless, the researcher can't contradict Nokia's assessment beyond a statement. White-hat security researchers like Diachenko do not use exposed logins to access a company's internal network, as this constitutes an unauthorized login, a crime in all countries.

"At the end of the day, we can not be 100% sure that this was a testing data, given the nature of the observed environment and the number of exposed passwords," he said.

Nokia is certainly not the only company having this problem. Earlier this year, a security researcher first raised the issue of exposed etcd servers when he pointed out that there were over 2,200 etcd databases easily accessible via Shodan, and most were storing a vast quantity of passwords and API keys.

Today, that number is over 2,600, according to the same Shodan search query, meaning that server owners have not heeded his initial warning.

More data breach coverage: