
22Dec/15

Why are the default credentials in the realm attribute?

Recently, I was poking around on Shodan (as I do when I am bored) and I stumbled across an interesting query.  If you search for “Default: admin/1234”, you get over 14,000 devices that are broadcasting their own default username and password.  The devices appear to be Edimax routers.  I reached out to both EmbedThis and Edimax to ask them about this.  EmbedThis said that it was added by the device manufacturer, and Edimax neglected to respond to me.

Basic Auth Box

Default usernames and passwords are not a secret.  There are entire websites out there that catalog default usernames and passwords for devices, but Edimax made it so that you did not even need to know the make and model of the device.  All you need to do is read the text on the authentication box.
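
The text on the authentication box is the `realm` value of the HTTP Basic challenge in the `WWW-Authenticate` response header, so an inventory of your own devices can be checked for it. The following is an added example, not part of the original post: the hosts and header values are constructed, and the patterns other than the "Default: admin/1234" form are assumptions about what a credential-disclosing realm might look like.

```python
import re

# Quoted realm of a Basic challenge (RFC 7617), allowing backslash escapes.
_REALM_RE = re.compile(r'\bBasic\b.*?\brealm\s*=\s*"((?:[^"\\]|\\.)*)"',
                       re.IGNORECASE)

# Heuristics for realm text that discloses credentials. The first matches the
# "Default: admin/1234" form from the post; the others are assumed variants.
_LEAK_PATTERNS = [
    re.compile(r'\bdefault\b\s*[:=]?\s*\S+\s*/\s*\S+', re.IGNORECASE),
    re.compile(r'\b(?:user(?:name)?|login)\b\s*[:=]\s*\S+', re.IGNORECASE),
    re.compile(r'\bpass(?:word)?\b\s*[:=]\s*\S+', re.IGNORECASE),
]


def basic_realm(header_value):
    """Return the unescaped Basic realm from a WWW-Authenticate value, or None."""
    m = _REALM_RE.search(header_value)
    if m is None:
        return None
    return re.sub(r'\\(.)', r'\1', m.group(1))


def realm_leaks_credentials(header_value):
    """True if the Basic realm text looks like it states a username/password."""
    realm = basic_realm(header_value)
    if realm is None:
        return False
    return any(p.search(realm) for p in _LEAK_PATTERNS)


def audit(responses):
    """responses: iterable of (host, WWW-Authenticate value) pairs collected
    from devices you manage. Returns [(host, realm)] for the flagged ones."""
    return [(host, basic_realm(value)) for host, value in responses
            if realm_leaks_credentials(value)]


# Constructed sample input (documentation addresses, not real devices).
SAMPLES = [
    ("192.0.2.10", 'Basic realm="Default: admin/1234"'),
    ("192.0.2.11", 'Basic realm="Router Administration"'),
    ("192.0.2.12", 'Basic realm="Default Name:admin Password:1234"'),
    ("192.0.2.13", 'Digest realm="Login to the router", nonce="abc"'),
]

if __name__ == "__main__":
    for host, realm in audit(SAMPLES):
        print(f"{host}: realm discloses credentials: {realm!r}")
```
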