The Curse of the Default Password
How the Triton ATM default password, the Verifone default password and other out-of-the-box passwords are causing headaches and much worse…
In light of the hacking attacks we hear about regularly in the news nowadays, you’d expect today’s computer users to be more security conscious than they were a few years ago… Or would you? Judging by the continued use of default passwords, we still have some learning to do.
It’s true that many hacking campaigns use sophisticated methods. They exploit vulnerabilities in our systems, such as bugs and misconfigurations. They might target specific Internet users or organizations with social engineering scams. But some of the worst hacks rely on little more than the user’s simple oversight. In the few famous cases we’ll look at here, that simple lack of awareness—no one thought to change the default password that came with the device—did a lot of damage.
Here are three types of devices that come pre-configured with default usernames and passwords, and some major hacks that happened when attackers took a moment to flip through the manual and discover what those passwords were.
Back in 2007, a gang discovered the default credentials of Triton ATMs, the sort of ATMs you can find in various shops and kiosks. They used the default password to reprogram the ATMs to pay out twenties in place of singles. An ATM has several cassettes that hold different types of bills, and it is configured to know which cassette holds notes of which value. The machine counts out notes according to that configuration, not according to what is physically loaded. By reprogramming the ATM so that the cassette holding twenties was recorded as holding single dollar bills, the gang made a request for $20 pay out twenty notes, each a real $20 bill, while the machine logged only $20 dispensed. In this particular case, blame didn’t belong entirely to the ATM operator, because there were two types of passwords in place: the “administrator password,” which the operator had changed, and the “master password,” which he hadn’t, because it was rarely used.
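To make the mechanism concrete, here is a toy model of the cassette-denomination reprogramming described above, together with the two checks an operator would want: whether any credential tier is still at its factory default, and the cash-settlement discrepancy that such a reprogramming leaves behind. This is an added example, not code from the original post or from any ATM vendor; the class names, the two-tier password scheme, the factory default values and the cassette contents are all assumptions made up for illustration.

```python
"""Toy model of the cassette-denomination attack and two operator checks.

Added example; not code from the original post or from any ATM vendor.
All names, passwords and cassette contents below are made-up assumptions.
"""
from dataclasses import dataclass
import hmac

# Assumed factory defaults for the two credential tiers the article mentions
# (illustrative values, not any vendor's real defaults).
FACTORY_DEFAULTS = {"administrator": "admin-default", "master": "master-default"}


@dataclass
class Cassette:
    name: str
    physical_denomination: int    # face value of the notes actually loaded
    configured_denomination: int  # face value the ATM software believes is loaded
    bill_count: int


@dataclass
class Atm:
    cassette: Cassette
    passwords: dict               # credential tier -> current password
    ledger_dispensed: int = 0     # dollars the ATM believes it has paid out
    loaded_value: int = 0         # dollars the operator physically loaded

    def __post_init__(self):
        # The operator knows what was loaded, whatever the software is told later.
        self.loaded_value = self.cassette.bill_count * self.cassette.physical_denomination

    def _check(self, tier, supplied):
        # Constant-time comparison; the tier may be missing from the store.
        return hmac.compare_digest(self.passwords.get(tier, ""), supplied)

    def reprogram_denomination(self, master_password, new_denomination):
        """Denomination settings sit behind the rarely used master password,
        not the everyday administrator password (the split the article describes)."""
        if not self._check("master", master_password):
            raise PermissionError("bad master password")
        self.cassette.configured_denomination = new_denomination

    def withdraw(self, amount):
        """Return the cash value that actually leaves the machine.

        The ATM counts notes using the configured denomination but physically
        dispenses whatever notes are in the cassette, so the two diverge as
        soon as the configuration is wrong.
        """
        denom = self.cassette.configured_denomination
        if amount % denom:
            raise ValueError("amount is not a multiple of the configured denomination")
        bills = amount // denom
        if bills > self.cassette.bill_count:
            raise ValueError("insufficient notes in cassette")
        self.cassette.bill_count -= bills
        self.ledger_dispensed += amount            # what the ATM records
        return bills * self.cassette.physical_denomination  # what actually leaves


def default_credentials_in_use(atm):
    """Every tier still equal to its factory default, e.g. ['master'] when the
    operator changed only the administrator password."""
    return [tier for tier, default in FACTORY_DEFAULTS.items()
            if hmac.compare_digest(atm.passwords.get(tier, ""), default)]


def settlement_discrepancy(atm, physically_counted_cash):
    """Cash the ATM's ledger says should remain minus cash the operator counted.

    A non-zero result is how a denomination change surfaces at the next
    cash settlement; it equals the extra cash that was paid out.
    """
    expected_remaining = atm.loaded_value - atm.ledger_dispensed
    return expected_remaining - physically_counted_cash


def demo():
    """Walk through the scenario in the article with constructed values."""
    cassette = Cassette("A", physical_denomination=20, configured_denomination=20, bill_count=100)
    # Administrator password changed, master password left at the default.
    atm = Atm(cassette, {"administrator": "Str0ng-admin-pw", "master": FACTORY_DEFAULTS["master"]})
    unchanged = default_credentials_in_use(atm)            # ['master']
    atm.reprogram_denomination(FACTORY_DEFAULTS["master"], 1)
    cash_out = atm.withdraw(20)                            # twenty real $20 notes
    counted = atm.cassette.bill_count * atm.cassette.physical_denomination
    return unchanged, cash_out, atm.ledger_dispensed, settlement_discrepancy(atm, counted)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the whole chain: the audit flags the unchanged master password, the $20 withdrawal after the cassette is told it holds $1 notes pays out $400 while the ledger records $20, and the next settlement comes up $380 short, exactly the excess cash that left the machine.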
The Triton ATM default password hack wasn’t the first of its kind. Triton’s competitor Tranax suffered a similar incident. More recently, an ATM belonging to BMO was accessed by two 14-year-olds using the ATM’s default password. Thankfully, the young hackers reported the vulnerability to the bank.
At the RSA Conference USA 2015, the world’s largest security conference, two researchers revealed that the world’s largest manufacturer of point-of-sale terminals had been shipping the same default password since 1990. (That manufacturer is Verifone, which had little to say about the initial claims.) Worse, the main reason point-of-sale malware is so successful is default passwords. Because terminal operators keep using them, cybercriminals who discover those passwords (and they do discover them) can log in to the terminals and install malware that captures the details of credit cards swiped on them. We’ve written about how point-of-sale malware continues to plague us with no end in sight, which makes this opportunity for hackers, one caused by our own negligence, all the more needless.
Routers. Yep, we’ve all got one. So if you’re not operating an ATM or a point-of-sale terminal, don’t run off thinking the default password problem doesn’t pertain to you!
Spammers have been hacking routers that still use default passwords. In fact, earlier this year hackers broke into 300,000 routers using default passwords in order to make malicious changes, typically to the router’s DNS settings, so that users browsing through them are sent to phishing pages instead of the legitimate sites they intended to visit (a type of attack known as “pharming”).
Whatever device you may be using, changing the default username and password is a small, simple step that can save you a huge headache—and potentially a lot of money—down the road. The manufacturer may not force you to make this change, but that doesn’t mean you should neglect to do it. After all, as hackers get ever more creative, it won’t be surprising if they start targeting new types of devices that are still running on default settings. Finding those defaults may be a slow and arduous process for the hackers, but the payoff can be high.
The LogDog anti-hacking and privacy tool protects the most popular online account types including Gmail, Facebook, and Dropbox by detecting unusual access activity and alerting users so they can take control of their accounts before hackers do.