Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages as well as uncover the Wi-Fi password for any network the radio is connected to.

The issue (CVE-2019-13473) exists in an always-on, undocumented Telnet service (Telnetd) that listens on port 23 of the radio. The Telnetd service uses weak passwords with hardcoded credentials, which can be cracked using simple brute-forcing tactics. From there, an attacker can gain unauthorized access to the radio and its OS.

In testing, researchers said that the password compromise took only about 10 minutes using an automated “ncrack” script – perhaps because the hardcoded password was simply, “password.”

After logging onto the device, researchers were able to access the “etc” path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the “wifi cfg” file with unencrypted information on the wireless LAN key.

“By now we had a full access to the file system with httpd, Telnet and we could as well activate the file transfer protocol,” according to an advisory from the Vulnerability Lab on Monday. “Then we watched through the local paths and one was called “UIData”. In the UIData path are all the local files (binaries, xml, pictures, texts and other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we [were] able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.”

Adding insult to injury, the researchers also found a second vulnerability (CVE-2019-13474) in the AirMusic client onboard the device, which allows unauthenticated command execution.

“Using the mobile application on Apple iOS in combination with the port scan result shows us by intuition that the AirMusic client may be connecting on port 80 through 8080 httpd to send and receive commands,” the researchers said. After an hour of testing, they were able to send commands to the client via the web.

Successful exploitation of the two bugs would open the door to a range of malicious activity. An attacker could change the radio stream or deliver their own live message or audio file. Remote attackers can also snoop to see radio streams played or listen to messages.

“Blackmailing, shocking and simple web-server defacements are also an ability for attackers,” the researchers explained. “In the worst case, a remote attacker could modify the system to spread remotely ransomware or other malformed malicious viruses/rootkits/destructive scripts. He can also use the web server to be part of a IoT botnet.”

The flaws “[affect] a huge amount of models in the Imperial and Dabman web radio series,” according to the researchers, who said more than 1 million devices are at risk. The radios are distributed in Germany by Telestar Digital GmbH, and sold globally on Amazon and eBay; they’re used in both home and office environments. Telestar said that it is discontinuing the use of Telnet going forward, and has launched manual binary patches for existing deployments.

“The pattern behind these disclosures is reminiscent of how the template used in the original Mirai botnet attack was designed, using an open Telnet port with weak security to perform external actions, including port forwarding,” said Tim Mackey, principal security strategist at CyRC, Synopsys, via email. “IoT security is a critical element in which creators of these products need to invest. The principle of least privilege should apply to all internet-facing devices and involves no open ports unless absolutely required and documented; no weak passwords; all external accesses, including remote update models, documented; and commitment to security updates aligned to the user expectation for the device lifespan. While the latter element isn’t truly part of a principle of least privilege, it does provide consumers with a level of confidence that the vendor takes security seriously enough to invest in it.”
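
The "no open ports unless absolutely required and documented" rule above can be checked on a device you maintain by comparing its listening sockets against the documented port list. The following is an added example, not code from the advisory or the vendor; the documented-port list, the `netstat -tlnp` sample and the program names in it are constructed assumptions.

```python
import re

# Assumption: ports the vendor documents for the device (the page names 80 and 8080 for the Web GUI).
DOCUMENTED_PORTS = {80: "web GUI", 8080: "web GUI"}
# Cleartext remote-access services that should not be listening at all.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet"}

# Constructed sample of `netstat -tlnp` output from an embedded Linux device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/telnetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      398/httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      398/httpd
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      420/uiproc
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      431/upnpd
tcp        0      0 :::21                   :::*                    LISTEN      -
"""

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*(\S*)")

def parse_listeners(text):
    """Return one dict per TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header lines and non-listening sockets
        addr, port, prog = m.groups()
        program = prog.split("/", 1)[1] if "/" in prog else "unknown"
        listeners.append({"addr": addr, "port": int(port), "program": program,
                          "loopback": addr in ("127.0.0.1", "::1")})
    return listeners

def audit(text, documented=DOCUMENTED_PORTS):
    """Flag network-reachable listeners that are cleartext admin services or undocumented."""
    findings = []
    for l in parse_listeners(text):
        if l["loopback"]:
            continue  # bound to loopback, not reachable from the network
        if l["port"] in CLEARTEXT_ADMIN:
            reason = "cleartext remote access: " + CLEARTEXT_ADMIN[l["port"]]
        elif l["port"] not in documented:
            reason = "undocumented listener"
        else:
            continue
        findings.append((l["port"], l["program"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for port, program, reason in audit(SAMPLE_NETSTAT):
        print(f"port {port:<6} {program:<10} {reason}")
```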