By Adrian Mühlroth | Jul 27, 2023 1:34 pm

Companies such as Siemens and even NASA are currently exposed through a vulnerability in their network equipment. The root cause is an empty password.

The operating system RouterOS from the Latvian manufacturer Mikrotik runs on millions of routers and PCs worldwide. A serious security gap in an older version of the software makes up to 900,000 routers vulnerable. Internet providers with LTE antennas in rural areas, companies with Mikrotik Ethernet routers, and smaller access points for private use are all affected.

Vulnerability in Mikrotik operating system

RouterOS forms the backbone of a not inconsiderable part of the worldwide Internet infrastructure. The Linux-based operating system not only runs on the routers that Mikrotik sells itself, but is also installed on many other devices that manage Internet traffic in companies, at transmission towers and in private households. This makes the software a popular target for hackers.

Security researchers from VulnCheck have now found a vulnerability in the Mikrotik software that allows hackers to take control of a router. They can use it, for example, to penetrate a company’s network and carry out man-in-the-middle attacks (MITM): the attackers sit between the communicating parties without the victims noticing, and may capture sensitive information in the process. The vulnerability affects devices running RouterOS 6.49.6 (April 2022) and older. According to VulnCheck, as of July the second most used version (6.48.6) is also vulnerable to attacks.

Empty password makes attacks easy

Among others, NASA, Ericsson, Saab and Siemens use router hardware from Mikrotik. The problem with the older versions of RouterOS is the Winbox graphical interface, which is usually used to access the operating system. The software ships with a default administrator account, with “admin” as the login name and a blank password. This makes attacks on networks almost child’s play. Newer versions of RouterOS therefore urge system administrators to delete the “admin” user.
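The mitigation the article describes, removing the default “admin” account and making Winbox reachable only from a management network, can be applied from the RouterOS console. The following is an added example written for this article, not configuration from Mikrotik or from VulnCheck; the replacement user name, the password placeholder and the 192.168.88.0/24 management range are assumptions to be replaced with values that fit your network.

```routeros
# Check the installed RouterOS version first; the article names 6.49.6 and older as affected.
/system resource print

# Create a named administrator with full rights and a real password
# (replace the placeholder; the name "netadmin" is an assumption).
/user add name=netadmin group=full password="REPLACE-WITH-A-STRONG-PASSWORD"

# Log in as the new user in a separate session before touching "admin",
# then remove the default account so the blank-password login no longer exists.
/user remove admin

# Restrict Winbox, and the other management services, to the management
# network (192.168.88.0/24 is an assumed example range).
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# Disable management services that are not needed on the device.
/ip service disable telnet,ftp,www,api

# Confirm the result: "admin" should be gone and winbox should show the address restriction.
/user print
/ip service print
```

Do the steps in that order on a second session so you are never locked out: verify that `netadmin` can log in before `/user remove admin` runs, and keep the firmware itself current with `/system package update check-for-updates`, since the account fix does not replace the patched RouterOS release.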

