[Cryptography] Brute-force password crackers?
leichter at lrw.com
Sat Dec 25 12:43:14 EST 2021
> I've heard that some IoT devices have been hacked by extracting /etc/passwd + /etc/shadow and then cracking the 'hard coded' passwords found within.
Could well be. I wouldn't put much faith in the salting/hashing used in most IoT devices (so brute force is easier than it should be); some of the pre-assigned passwords (unique per device and shown on the exterior; if they are common across all devices you hardly need to do password cracking) are pretty weak; and people who assign passwords to IoT devices probably don't think they are subject to much of an attack and will choose for convenience, not security.
Though I'm not really sure what the attack model is. If you can remotely get to the point where you can read /etc/shadow, you've already compromised the device pretty fully. If you have your hands on the device, you can read the sticker on it, so even a strong, unique default password is known to you - let's hope the user either changed it (if that's possible!) or removed the sticker. If you can bypass the OS to read /etc/shadow, you can modify it as well and create your own username/password. (I doubt any IoT devices are capable of this, but there could be a secure boot sequence that prevents you from changing what's there. But anyone who implements that will sign - and probably encrypt - the entire thing.)
The only attack that makes much sense is if you gain physical access to one of a number of such devices and the passwords are shared across the devices - which is a reasonably likely case; again, people don't perceive that these are accounts that need real security. Heck, it's just this little box in a corner of a room in my house.... This also includes the case that there's a common "secret" password for all instances of the device, but that kind of information has a way of leaking.
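The two checks the post argues for, weak salting/hashing on the device and the same password (hence the same shadow entry) shipped in every unit, can be run mechanically over a pile of /etc/shadow dumps. The script below is an added example and is not from the post or its author: it classifies each hash field by crypt(3) scheme and cost, flags the cheap ones (DES crypt, md5crypt, sha*crypt below the 5000-round default, low bcrypt cost, empty password), and groups identical salt+hash strings across devices, since an identical entry on two units means one crack opens both. The device names, user names and hash strings are constructed for illustration and are not real firmware data; the round thresholds are assumptions, not a standard.

```python
"""Audit /etc/shadow dumps pulled from several IoT devices.

Added example, not part of the original mailing-list post. All sample data
below (device names, users, salts and hashes) is constructed and not real.
"""
from collections import defaultdict

# crypt(3) / libxcrypt prefixes -> (scheme name, default iteration count).
SCHEMES = {
    "1": ("md5crypt", 1000),      # fixed 1000 rounds, no rounds= parameter
    "5": ("sha256crypt", 5000),   # glibc default when rounds= is absent
    "6": ("sha512crypt", 5000),
    "y": ("yescrypt", None),
    "2a": ("bcrypt", None), "2b": ("bcrypt", None), "2y": ("bcrypt", None),
}
MIN_SHA_ROUNDS = 5000   # assumption: anything under the default is "weak"
MIN_BCRYPT_COST = 10    # assumption: cost < 10 is "weak"


def classify(h):
    """Return (scheme, salt, rounds, weak_reason) for one shadow hash field.

    weak_reason is None when nothing cheap or broken was spotted.
    """
    if h == "":
        return ("empty", None, None, "empty field: login with no password")
    if h[0] in "!*":
        return ("locked", None, None, None)
    if not h.startswith("$"):
        # Traditional DES crypt: 2-char (12-bit) salt, password truncated to 8.
        return ("descrypt", h[:2], None,
                "DES crypt: 12-bit salt, 8-char limit, trivial to brute-force")
    parts = h.split("$")            # ['', id, ...]
    sid = parts[1]
    name, rounds = SCHEMES.get(sid, ("unknown($%s$)" % sid, None))
    if name == "bcrypt":            # $2b$<cost>$<22-char salt><31-char hash>
        rounds = 2 ** int(parts[2])
        salt = parts[3][:22]
        weak = ("bcrypt cost %s" % parts[2]) if int(parts[2]) < MIN_BCRYPT_COST else None
        return (name, salt, rounds, weak)
    if name == "yescrypt":          # $y$<params>$<salt>$<hash>
        return (name, parts[3], None, None)
    idx = 2
    if len(parts) > idx and parts[idx].startswith("rounds="):
        rounds = int(parts[idx][len("rounds="):])
        idx += 1
    salt = parts[idx] if len(parts) > idx else ""
    weak = None
    if name == "md5crypt":
        weak = "md5crypt: 1000 fixed iterations, cheap on a GPU"
    elif name in ("sha256crypt", "sha512crypt") and rounds < MIN_SHA_ROUNDS:
        weak = "%s with only %d rounds" % (name, rounds)
    return (name, salt, rounds, weak)


def parse_shadow(text):
    """Yield (user, hash_field) for each non-comment line of an /etc/shadow dump."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            yield fields[0], fields[1]


def audit(dumps):
    """dumps: {device: shadow_text}. Return [(device, user, scheme, reason)] for weak entries."""
    out = []
    for dev, text in dumps.items():
        for user, h in parse_shadow(text):
            name, _salt, _rounds, weak = classify(h)
            if weak:
                out.append((dev, user, name, weak))
    return out


def find_shared(dumps):
    """Return {(user, hash): [devices]} for hash fields that recur verbatim.

    Same salt and same hash means the same password was baked into the image:
    cracking it once (or reading one sticker) yields every listed device.
    """
    seen = defaultdict(list)
    for dev, text in dumps.items():
        for user, h in parse_shadow(text):
            if h and h[0] not in "!*":
                seen[(user, h)].append(dev)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: two cameras ship the identical md5crypt root entry,
# a third unit uses sha512crypt for root but DES crypt for its admin account.
SHARED_ROOT = "$1$Qf3kZ9aB$7uYd0xLp2mNq8rSt4vWx1."
SAMPLE_DUMPS = {
    "camera-A": "root:%s:18900:0:99999:7:::\ndaemon:*:18900:0:99999:7:::\n" % SHARED_ROOT,
    "camera-B": "root:%s:18900:0:99999:7:::\n" % SHARED_ROOT,
    "gateway-C": ("root:$6$rounds=5000$hJk2Lm9n$Ab3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV:18900:0:99999:7:::\n"
                  "admin:xyAbCdEfGhIjK:18900:0:99999:7:::\n"
                  "guest::18900:0:99999:7:::\n"),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_DUMPS):
        print("WEAK  %-10s %-6s %-12s %s" % row)
    for (user, h), devs in find_shared(SAMPLE_DUMPS).items():
        print("SHARED %s on %s: %s" % (user, ", ".join(devs), h))
```

Running it on the constructed dumps reports the md5crypt root entry on both cameras as weak and as shared, the DES-crypt admin and the empty-password guest on gateway-C as weak, and leaves the locked daemon account and the 5000-round sha512crypt root alone. On real dumps the SHARED lines are the ones to look at first: they need no cracking at all once any single unit's password is known.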