What Is a Hardcoded Password?
Despite the never-ending discussion of rising cybersecurity threats and how to avoid them, some developers still ship hardcoded passwords. They are convenient, but they are also a well-known weakness. If you are a regular user you may never have heard of them, yet they turn up in printers, routers, firmware and software applications, so it is likely that you use a product that contains one. This post explains what hardcoded passwords are, why they put systems and devices at risk, and what can happen when they fall into the wrong hands.
What are hardcoded passwords?
Hardcoded passwords, also called embedded credentials, are passwords written as plain text directly into source code, scripts, configuration, firmware or hardware rather than supplied at run time. They are common in application software and in devices such as medical equipment and IoT (Internet of Things) products. They serve many purposes: application-to-application and application-to-database communication, setting up new systems, API and other system integrations, and vendor maintenance or debug access. Developers use them because they are fast and convenient, and vendors sometimes rely on them to keep ordinary users out of service interfaces. The catch is that a credential written into the product ships with the product, so anyone who can read the code, the firmware image or the binary can read the password.
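To make the definition concrete, here is a small added example (not code from the original post) contrasting a password written into a function with one read from the environment at start-up. It also shows why "embedded" matters: the literal survives compilation and can be read straight out of the bytecode, just as `strings` on a firmware image or binary recovers a credential compiled into a device. The password value, the database host and the APP_DB_PASSWORD variable name are hypothetical.

```python
"""Why an embedded credential ships with the product.

Constructed illustration, not code from the original post. The password
value, host name and environment variable name are all hypothetical.
"""
import marshal
import os


def build_dsn_hardcoded() -> str:
    """The anti-pattern: the password is a string literal in the function."""
    password = "Pa55w0rd-embedded"  # hypothetical hardcoded credential
    return f"postgresql://app:{password}@db.internal:5432/app"


def build_dsn_from_env(env=None) -> str:
    """The alternative: read the credential at run time and fail closed.

    `env` defaults to the real process environment; it is a parameter only
    so the function can be exercised with a constructed mapping.
    """
    env = os.environ if env is None else env
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to start")
    return f"postgresql://app:{password}@db.internal:5432/app"


def appears_in_compiled_code(func, secret: str) -> bool:
    """True if `secret` can be recovered from the function's compiled code.

    marshal.dumps() produces the same serialised form that is written to a
    .pyc file, so this is the equivalent of running `strings` on the shipped
    artifact: no execution, no debugger, just reading bytes.
    """
    return secret.encode() in marshal.dumps(func.__code__)


if __name__ == "__main__":
    print("hardcoded literal recoverable from bytecode:",
          appears_in_compiled_code(build_dsn_hardcoded, "Pa55w0rd-embedded"))
    print("env-supplied value recoverable from bytecode:",
          appears_in_compiled_code(build_dsn_from_env, "hunter2"))
```

The env-based version is not magic: the secret still has to come from somewhere (an orchestrator, a secrets manager, a protected file), but it is no longer baked into every copy of the program, so it can be rotated without a new release and it does not appear in the repository or the shipped artifact.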
What are the risks of using hardcoded passwords?
Start with the fact that many copies of an application or device often share the same hardcoded password, since it is written in once and shipped everywhere. Guessing or extracting that one password therefore lets an attacker connect to and control every other device or application that uses it, and the password usually cannot be changed by the user or rotated by the vendor without a new release. Learning the embedded value is easier than you might think. Many developers publish their code on GitHub and similar sites without realizing that they are also publishing plaintext passwords, and attackers scan such sites continuously for exactly this, so it is only a matter of time before an accidentally shared credential is found. Even when the code is not public, hardcoded passwords can be recovered by pulling the string constants out of a binary or firmware image, and tools that try logins from lists of known default credentials make short work of the rest. Keeping a password embedded in the product is therefore always a risk.
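The attacker's side of the GitHub problem, and the defender's counter to it, is the same routine: scan text for things that look like credentials. The following is an added example of such a scanner, not the original author's code and not a production tool; its three rules and placeholder filter are a deliberately small, hypothetical subset of what real secret scanners carry, and the sample source it runs over is constructed (the AWS key in it is the placeholder value used in AWS's own documentation).

```python
"""Minimal scanner for credentials left in source text.

Illustrative example added to this post, not the original author's code
and not a production tool. The rule set is a small subset of what real
secret scanners use; SAMPLE_SOURCE below is constructed.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # a report must never echo the whole secret back out


# Rule 1: a credential-like name assigned a quoted literal. Covers
# Python/Go/JS assignments, YAML `key: 'v'` and JSON `"key": "v"`.
ASSIGN_RE = re.compile(
    r'(?i)(?P<name>[\w.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key))'
    r'["\']?\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']'
)
# Rule 2: AWS access key IDs have a fixed prefix and length.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Rule 3: PEM private-key headers.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "todo", "xxxx"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Filters values that are obviously not live credentials."""
    v = value.strip()
    return (
        v.lower() in PLACEHOLDERS
        or v.startswith(("${", "{{"))               # template variable
        or (v.startswith("<") and v.endswith(">"))  # <your-key-here>
        or shannon_entropy(v) < 2.0                 # e.g. "aaaaaaaa"
    )


def redact(value: str) -> str:
    """Keeps two characters so a human can match the finding to the file."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_source(text: str) -> list[Finding]:
    """Returns one Finding per suspicious match, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append(Finding(line_no, "private-key", "-----BEGIN ... PRIVATE KEY-----"))
            continue
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", redact(m.group(0))))
        m = ASSIGN_RE.search(line)
        if m and not looks_like_placeholder(m.group("value")):
            findings.append(Finding(line_no, "credential-assignment", redact(m.group("value"))))
    return findings


# Constructed sample: no real credentials. The AWS key is the documented
# example value from AWS's own docs; the password is made up.
SAMPLE_SOURCE = """\
# constructed sample file, not real code
import os
DB_PASSWORD = "Pa55w0rd-embedded"
api_key = os.environ["API_KEY"]
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
token: "${VAULT_TOKEN}"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
```

Two design points matter here. The report redacts values, because a scanner that prints the full secret into CI logs has just leaked it a second time. And the placeholder filter is what keeps such a tool usable: without it, every `password = "changeme"` in a config template becomes noise that trains people to ignore the real finding on the next line.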
What happens when hackers learn hardcoded passwords?
It all depends on what the attackers have in mind and what kind of credentials they obtain. Hardcoded passwords in IoT, medical, mobile and other devices let attackers enrol those devices into a botnet, a group of compromised machines under the attackers' control, which can then be used for DDoS (distributed denial-of-service) attacks, sending spam, and so on. If the embedded credentials belong to an application, attackers can use them to reach sensitive user data, the developer's own secrets, and whatever else those credentials unlock.
To show why applications and devices with hardcoded passwords are vulnerable, here are a few incidents from recent years in which embedded credentials played the central role. The first is the Mirai malware, which appeared in 2016. Mirai scanned the internet for exposed devices and, on each one it found, tried to log in using a built-in list of known default and hardcoded username and password pairs. That was enough to assemble a massive botnet of IoT devices such as security cameras and routers. One of its victims was the Krebs on Security website, which was knocked offline for several days. A later Mirai attack on the DNS provider Dyn left many popular websites, Netflix among them, unreachable, and Mirai-based botnets were also blamed for attacks on the websites of five major Russian banks.
Another major incident in 2016 was the Uber breach. Again, credentials embedded in source code were to blame. Uber engineers had committed access keys for the company's Amazon Web Services account to source code kept in a private GitHub repository. Attackers got into that repository, found the keys, and used them to reach an AWS storage bucket holding the personal information of about 57 million riders and drivers, including the driver's licence numbers of roughly 600 thousand drivers. Uber paid the attackers 100,000 US dollars to delete the data and keep quiet, and did not report the breach. The truth came out about a year later, and the company lost not just a great deal of money but also its reputation.
A more recent incident involved Cisco Systems, the American networking vendor. Cisco reported hardcoded credentials in its own products, a weakness that could have allowed attackers to gain control of the affected software and services. After patching that flaw, the company found and fixed further hardcoded-credential issues. It is therefore no surprise that many security specialists expect the problem of hardcoded passwords to be with us for some time.
All in all, even though we know that devices and applications with embedded credentials are risky, we cannot always avoid them. There are, however, ways to lessen the risk. For users: install patches and updates promptly, since they are released to fix exactly this kind of weakness, and change any default password the product lets you change. For developers: keep credentials out of source code altogether, load them from the environment or a secrets manager at run time, and scan repositories for accidentally committed secrets before the code reaches a public site.