More than 1 million Imperial & Dabman Internet radio devices could fall prey to remote code execution (RCE) attacks because of an undocumented Telnet service that uses weak default login credentials. The flaw came to light after researchers at Vulnerability Magazine (VM) performed a routine port scan of a few devices. The service, Telnetd, was found to be running on port 23. Since Telnetd relies on relatively weak login credentials, it may serve as a backdoor for a wide variety of malicious threats.
Weak Password, But Still a Password. Is It THAT Bad?
While having a weak password is better than having no password at all, it is hardly a reason to breathe a sigh of relief. Passwords fall prey to brute-force attacks all the time. Weak passwords may be cracked in a matter of minutes, while strong ones may prove remarkably resilient. In Imperial & Dabman's case, the Telnet service on port 23 is protected only by a weak password. Should attackers succeed in cracking this password, they would gain admin-level access to the very core of the devices' Linux-based BusyBox OS. It took VM's researchers 10 minutes to break the Telnet service password. Once in, they found they had acquired root access. Were cybercriminals to obtain such access, they could potentially do plenty of damage, such as:
- Drop a malicious payload
- Edit audio streams, files, and folders
- Retrieve the Wi-Fi password of the user's home or corporate network (provided the radio device has connected to one, that is)
- Distribute ransomware and other malicious scripts/tools via the compromised Wi-Fi home/corporate network
The dangers mentioned above illustrate what a weak password may bring about in a worst-case scenario. That is why the newly found vulnerability is now listed in the Common Vulnerabilities and Exposures database as CVE-2019-13473.
As far as the scope of affected devices is concerned, it is indeed THAT bad. Imperial & Dabman web radios are sold by Telestar Digital GmbH within Germany, but they are also available on eBay and Amazon for international home and corporate users.
The Admin Access Allowed Researchers to Dig Up Another Vulnerability
Having gained admin access via Port 23, VM's researchers came across a second flaw in the devices' onboard AirMusic client. The vulnerability in question (CVE-2019-13474) could allow for remote code execution if exploited. The AirMusic client uses several ports (80 through 8080) to exchange commands with its web service. As it turned out, it took the researchers one hour to take full control of the web-client communication, including the option to live stream custom messages.
Similar to the Mirai Botnet
The flaw in the Imperial & Dabman devices originated from a poorly protected Telnet port. Ironically enough, the notorious Mirai Botnet emerged the same way, raising awareness about IoT security or the lack thereof. Telestar Digital GmbH has already taken measures to cope with the problem. The redundant Telnetd service is no longer active. Manual binary patches are freely downloadable from the distributor's website, in addition to a Wi-Fi-ready firmware update.
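
To confirm on your own radios that Telnetd is really gone after the update, the ports named in this article can be checked from the same network. The script below is an added example, not code from VM or Telestar; the inventory address, the function names and the banner heuristic are assumptions made for illustration.

```python
import socket

# Ports named in the article: Telnetd on 23, AirMusic web service on 80 and 8080.
PORTS = {23: "Telnetd", 80: "AirMusic web service", 8080: "AirMusic web service"}
IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)


def probe(host, port, timeout=2.0):
    """Return (is_open, first_bytes) for one TCP port on a device you own."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(64)
            except OSError:
                return True, b""  # open, but the service waits for the client
    except OSError:
        return False, b""  # refused, filtered or unreachable


def looks_like_telnet(data):
    """Heuristic: Telnet servers open with IAC negotiation or a login prompt."""
    return bool(data) and (data[0] == IAC or b"login" in data.lower())


def classify(port, data):
    """Describe an open port from the first bytes the service sent."""
    if looks_like_telnet(data):
        return "Telnet service answering"
    if port == 23:
        return "port 23 open, no Telnet banner seen"
    return f"{PORTS.get(port, 'unknown service')} port open"


def audit(hosts, ports=PORTS, probe_fn=probe):
    """Return (host, port, finding) for every open port in the inventory."""
    findings = []
    for host in hosts:
        for port in ports:
            is_open, data = probe_fn(host, port)
            if is_open:
                findings.append((host, port, classify(port, data)))
    return findings


if __name__ == "__main__":
    # Constructed inventory: replace with the addresses of your own radios.
    for host, port, finding in audit(["192.168.1.50"]):
        print(f"{host}:{port} {finding}")
```

A patched radio should produce no finding for port 23; an open web port only shows that the AirMusic service is reachable, not that it is vulnerable.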