IoT Radios Vulnerable Due to Telnet Flaw
Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote hacker to gain root access to the device's embedded Linux BusyBox operating system. Hackers can install malware, add the device to a botnet or send their own audio streams to compromised devices. Hackers can also get the Wi-Fi password for any network the radio is connected to.
The vulnerability exists in an always-on, undocumented Telnet service listening on port 23 of the radio. The Telnetd service relies on hardcoded credentials with weak passwords, which can be cracked using simple brute force. From there, a hacker can gain unauthorized access to the radio and its OS.
Researchers were able to access the etc path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the wifi cfg file with unencrypted information on the wireless LAN key.
Researchers also found a flaw in the AirMusic client onboard the device, which allows unauthenticated command execution. They demonstrated this by using the mobile application on Apple iOS to send and receive commands.
This is similar to how the Mirai botnet attack was designed, using an open Telnet port with weak security to perform external actions, including port forwarding. IoT security is a critical area in which manufacturers need to invest. The principle of least privilege should apply to all internet-facing devices.
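A defender-side check for the exposure described above, added here as an example and not taken from the original article or the researchers: it reads flow records and reports which devices accept Telnet on TCP/23 and which sources make bursts of connections to them, the pattern brute-force guessing produces. The log format, sample addresses, threshold and window are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records; format and addresses are assumptions.
SAMPLE_LOG = """\
2019-09-10T12:00:00Z src=203.0.113.5 dst=192.168.1.50 dport=23 proto=tcp action=accept
2019-09-10T12:00:10Z src=203.0.113.5 dst=192.168.1.50 dport=23 proto=tcp action=accept
2019-09-10T12:00:20Z src=203.0.113.5 dst=192.168.1.50 dport=23 proto=tcp action=accept
2019-09-10T12:00:30Z src=203.0.113.5 dst=192.168.1.50 dport=23 proto=tcp action=accept
2019-09-10T12:00:40Z src=203.0.113.5 dst=192.168.1.50 dport=23 proto=tcp action=accept
2019-09-10T12:05:00Z src=192.168.1.10 dst=192.168.1.50 dport=80 proto=tcp action=accept
2019-09-10T12:06:00Z src=198.51.100.7 dst=192.168.1.60 dport=23 proto=tcp action=deny
2019-09-10T12:20:00Z src=198.51.100.7 dst=192.168.1.60 dport=23 proto=tcp action=deny
truncated record with no fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed records are skipped rather than aborting the run
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def telnet_findings(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (hosts accepting TCP/23, (src, dst) pairs with burst attempts)."""
    exposed, suspects = set(), set()
    recent = defaultdict(deque)  # (src, dst) -> timestamps inside the window
    for r in sorted(parse(lines), key=lambda r: r["ts"]):
        if r["proto"] != "tcp" or int(r["dport"]) != 23:
            continue
        if r["action"] == "accept":
            exposed.add(r["dst"])  # Telnet reachable: an inventory finding
        q = recent[(r["src"], r["dst"])]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.popleft()  # drop attempts older than the window
        if len(q) >= threshold:
            suspects.add((r["src"], r["dst"]))
    return exposed, suspects

if __name__ == "__main__":
    print(telnet_findings(SAMPLE_LOG.splitlines()))
```

Any host in the first set is worth blocking at the network edge regardless of the second set, since the service described in the article is always on and cannot be assumed to have safe credentials.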