A security flaw left Oman's stock exchange easily hackable for months.
The problem has since been fixed – quietly – after security researchers found that a primary Huawei router for one of the Middle East’s biggest exchanges had both its username and password as “admin”.
Shipping devices with the same default username and password is not uncommon. Basic security practice, however, dictates that these defaults be changed before deployment; otherwise anyone who reaches the login prompt can obtain administrator privileges and, with them, control over the device.
“Actually, ‘owning the network’ is a breeze,” said the security researcher – Victor Gevers – who discovered the flaw.
Gevers told ZDNet that despite several attempts to contact the Omani authorities about the vulnerability by phone and email, he received no response. According to Gevers, a hacker who stumbled onto the vulnerable router could easily have manipulated the network's traffic, ZDNet reported.
The security flaw has been fixed, but exactly when is unclear.
ZDNet reported that Gevers found the vulnerable router’s IP address in a list of Telnet credentials that were leaked last year by an unknown individual.
This individual, or group, leaked around 33,000 credentials belonging to over 1,700 IoT devices. Many of those leaked credentials are still valid on other devices, which therefore remain exposed to attackers.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, explained that unfortunately, “similar negligence is pretty common nowadays. IT people don’t really care about cybersecurity, while IT security teams have too many other priorities and emergencies to take care of. I wouldn’t be surprised if well-known Western stock exchanges have similar problems and omissions.”
“In case of a breach, their financial liability to the victims may surge if facts of overt and continuous ignorance of cyber security essentials are proven. While enforcement of GDPR in May 2018 may severely punish such carelessness even if victims don’t file a civil lawsuit.”