April 24, 2015
Allen-Bradley is a division of Rockwell Automation that makes a line of programmable logic controllers (PLCs) under the MicroLogix and CompactLogix brands. Several models have a web interface that doesn’t require authentication. These include:
This allows a remote attacker to obtain a lot of information, including:
- Internal IP address (/index.html?redirect=/home.asp and /diagnetwork.asp)
- List of remote IP connections (/rokform/advancedDiags?pageReq=tcpconn)
- Network settings
- Application connections
- Bridge connections
- Ethernet statistics
- Ring statistics
- Network diagnostics
- System data
- Event log
- Assert log
- .. and more
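A defender-side check for the pages listed above, added here as an example and not part of the original post: it scans web-gateway or reverse-proxy access logs for successful requests to those pages from outside the site. The combined log format, the internal address ranges, the function names and the sample log lines are all assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Pages named in the post: (path, query parameters that must be present).
WATCHED = [
    ("/index.html", {"redirect": "/home.asp"}),
    ("/diagnetwork.asp", {}),
    ("/rokform/advancedDiags", {"pageReq": "tcpconn"}),
]
# Assumption: sources in these ranges are internal and are not reported.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined log format: src - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_watched(target):
    """True if the request target is one of the unauthenticated pages."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return any(parts.path.lower() == path.lower()
               and all(v in query.get(k, []) for k, v in need.items())
               for path, need in WATCHED)

def find_exposures(lines):
    """Return (time, source, target) for external HTTP 200s on watched pages."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200" or not is_watched(m["target"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # hostname or malformed source field
            continue
        if not any(src in net for net in INTERNAL_NETS):
            hits.append((m["ts"], str(src), m["target"]))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [24/Apr/2015:10:01:02 +0000] "GET /rokform/advancedDiags?pageReq=tcpconn HTTP/1.1" 200 5120',
    '10.1.2.3 - - [24/Apr/2015:10:02:00 +0000] "GET /diagnetwork.asp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [24/Apr/2015:10:03:10 +0000] "GET /index.html?redirect=/home.asp HTTP/1.1" 200 900',
    '198.51.100.9 - - [24/Apr/2015:10:03:11 +0000] "GET /diagnetwork.asp HTTP/1.1" 401 0',
    '203.0.113.7 - - [24/Apr/2015:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 700',
]
```

Calling find_exposures(SAMPLE) reports the first and third lines; the internal request, the 401 response and the plain /index.html request are ignored.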
April 23, 2015
The Mitsubishi Programmable Controller, High Speed Data Logger Module has a web interface that does not require authentication. However, the Internet-facing service still discloses an internal IP address in the link to the FTP server, even if the FTP server is not Internet-facing.
April 22, 2015
The Shinsei URoad-Home WiMAX Wi-Fi Router has a web management interface that has default administrator credentials according to the manual.
Type in the login dialog box as follows, and then click the “OK” button.
April 21, 2015
Omron NS-Series Programmable Terminals, which include the NS12-TS01-V2, NS10-TV01-V2, NS8-TV01-V2, NS5-SQ11-V2, NS5-TQ11-V2 and NS5-MQ11-V2, have default credentials for web access according to the manual.
Enter the user name and password.
The factory settings for the user name and password are as follows.
User name default
April 20, 2015
Mobotix cameras have a web interface to view the camera feed. Several models have default admin credentials according to the manuals, including the Hemispheric Q25, AllroundDual M15 and Allround M25. More manuals are available, and all of the models are likely affected, including the DualDome D15, Dome D25, FlexMount S15, Hemispheric c25, Hemispheric i25 and Vandalism V15.
Default user data
User name: admin
April 19, 2015
The NetComm Wireless NTC-6000 Series 3G M2M Router has default credentials for both telnet and web access according to the manual.
Enter the login username and password. If this is the first time you are logging in or you have not previously configured the password for the “root” or “admin” accounts, you can use one of the default account details to log in.
ROOT MANAGER ACCOUNT
ADMIN MANAGER ACCOUNT
April 18, 2015
The Novus N1040, N480D, N960, N1020, N1040i, N1540, N2000, N3000 and N120 Temperature Controllers contain a default access password and a default master password (trivially generated from the serial number) according to the manual:
The protected levels, when accessed, request the user to provide the Access Password for granting permission to change the configuration of the parameters on these levels. The prompt PASS precedes the parameters on the protected levels. If no password is entered, the parameters of the protected levels can only be visualized. The Access Password is defined by the user in the parameter Password Change (PAS.(), present in the Calibration Level. The factory default for the password code is 1111.
The Master Password is intended for allowing the user to define a new password in the event of it being forgotten. The Master Password doesn’t grant access to all parameters, only to the Password Change parameter (PAS(). After defining the new password, the protected parameters may be accessed (and modified) using this new password. The master password is made up by the last three digits of the serial number of the controller added to the number 9000. As an example, for the equipment with serial number 07154321, the master password is 9 3 2 1.
April 17, 2015
The WAGO 758 Series IPC controller has several default accounts. According to the wording of the documentation, all of their IPCs probably have the same accounts:
The WAGO IPCs are shipped with several different user names and default passwords.
– Root / wago
– Admin / wago
– User / user
– Guest / guest
April 16, 2015
Ubiquiti AirControl sets up three web servers by default. The management port is on port 9005 and has default administrator credentials of ‘ubnt’ and ‘ubnt’. From their wiki:
Configure basic settings of AirControl, like: HTTP Port (by default: 9080), HTTPS Port (by default: 9443), Management Port (by default: 9005) and Administrator credentials (default username and password are ubnt). Click Next.
December 23, 2014
Carlo Gavazzi PowerSoft is a SCADA system for energy management. According to the vendor page:
Carlo Gavazzi is an international group active in designing, manufacturing and marketing electronic equipment.
The Group’s products (sensors, monitoring relays, timers, energy management systems, solid state-relays, safety devices, fieldbus systems) provide automation solutions for the global markets of industrial and building automation.
The manual shows that it has several default accounts:
2.4 USERS AND PASSWORDS
The installing program sets two default users on the system:
These default users can access all the PowerSoft functions (according to the relevant level, see below) but, for safety reasons, it is suggested to create at least a new “Administrator” user (or more of them and the required simple “Users”) and then delete both the default users.
The “User” can access all the data, acknowledge the alarms, and ask for any report, also via web-server.
The “Administrator” can access all the “User’s functions and, in addition, can configure Powersoft and all the relevant modules
A user without the password can only access the real-time values and display the active alarms list.