Back in April I disclosed some vulnerabilities to ICS-CERT a division of the US Department of Homeland Security. One of the issues was a default password in an Industrial Control System (ICS) that did Solar power generation. ICS-CERT replied that a default password was not considered a vulnerability.
After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability.
I understand why someone would say this but not in 2013! Yeah an admin can change it but in reality they don’t seem to very often! When I have time I poke around on Shodan looking at the saved searches other people do and a lot of them are related to SCADA or ICS systems. In many cases the saved search notes the default password. Sometimes I try then on a system just to see if it works and there are always some systems that have the default in place. I did a lot of past blogs on these vulnerabilities and there are tons of defaults out there that haven’t been changed. ICS-CERT says an admin can change it but I say that if the program doesn’t force them to change it or make a random password for the admin it should be considered a vulnerability! I mean come on whats more dangerous a reflected XSS that the admin has to click on to disclose credentials or just being able to log in as the admin without sending them a phishing mail??