Nokia exposes passwords & secret access keys to its internal systems

Another day, another data leak. This time multinational tech giant Nokia has been caught exposing highly sensitive internal data, mostly of an industrial nature, that put the security of its own infrastructure at risk.

The data was discovered by Bob Diachenko, director of the cyber risk research team at Hacken and Hackenproof, during a routine Shodan security audit on December 13th. The exposure involved a trove of data including several internal databases, passwords, and secret access keys to Nokia’s internal systems, Hackenproof said in its blog post.

On closer inspection, Diachenko found that the exposed credentials included Heketi user and admin passwords, a Weave password, a Kubernetes (k8s) secret encryption key, a Gluster user private key, SSH and RSA private keys, a cluster key and AWS S3 secret keys, among other material. Heketi, Gluster and Weave are storage and networking components commonly deployed with Kubernetes, so this set of secrets maps to the control, storage and network planes of a cluster, plus the cloud account behind it.
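The practical lesson of a list like this is that the material was sitting in plain configuration files that a simple scanner would have flagged before the host ever reached the public Internet. The following is an added example (not code from the article, from Hackenproof, or from Nokia): a small pattern-based secret scanner run over a constructed sample that imitates the kinds of files named above (a heketi.json JWT section, a Weave password in an environment variable, a kube-apiserver EncryptionConfiguration, an AWS credentials file and a PEM private key). Every value in the sample is a placeholder invented for this example (the AWS pair is the publicly documented AWS example credential); the pattern names, the `Finding` type and the helper functions are this example's own choices. The k8s check goes one step beyond matching: it base64-decodes the `aescbc` secret and reports whether it is even a valid AES key size, which is the first thing a responder would want to know about that key.

```python
import base64
import re
from collections import namedtuple

# Constructed sample imitating the kinds of artifacts reported in the leak.
# Every value is a placeholder made up for this example, not data from the
# exposed server. The AWS pair is the documented AWS example credential.
_SAMPLE_TEMPLATE = """
# heketi.json (JWT secrets for the Heketi REST API)
{"jwt": {"admin": {"key": "Adm1nPlaceholderKey"}, "user": {"key": "UserPlaceholderKey"}}}

# weave-net daemonset environment
WEAVE_PASSWORD=weave-placeholder-pass

# kube-apiserver --encryption-provider-config
kind: EncryptionConfiguration
resources:
  - resources: ["secrets"]
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: __K8S_KEY__
      - identity: {}

# ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""
# A 32-byte all-zero AES key, base64-encoded, as a stand-in for a real aescbc secret.
K8S_KEY_B64 = base64.b64encode(bytes(32)).decode()
SAMPLE = _SAMPLE_TEMPLATE.replace("__K8S_KEY__", K8S_KEY_B64)

# Pattern names are this example's own labels. Each regex captures at most one
# group; when it captures none, the whole match (e.g. a PEM header) is the value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*=\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "weave_password": re.compile(r"WEAVE_PASSWORD\s*=\s*(\S+)"),
    "heketi_jwt_key": re.compile(r'"(?:admin|user)"\s*:\s*\{\s*"key"\s*:\s*"([^"]+)"'),
    # Non-greedy: the first "secret:" after an aescbc provider block.
    "k8s_encryption_key": re.compile(r"aescbc:[\s\S]*?secret:\s*([A-Za-z0-9+/=]+)"),
}

Finding = namedtuple("Finding", "kind line value")


def scan_for_secrets(text):
    """Return Finding(kind, line, value) for every pattern hit, ordered by line."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            group = m.lastindex or 0
            value = m.group(group)
            line = text.count("\n", 0, m.start(group)) + 1
            findings.append(Finding(kind, line, value))
    return sorted(findings, key=lambda f: f.line)


def by_kind(findings):
    """Group finding values by kind: {kind: [value, ...]}."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.value)
    return grouped


def aes_key_length(b64_secret):
    """Decode an aescbc provider secret and return its byte length if it is a
    valid AES key size (16, 24 or 32 bytes); otherwise return None."""
    try:
        raw = base64.b64decode(b64_secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return len(raw) if len(raw) in (16, 24, 32) else None


def redact(value):
    """Show only a prefix so the report itself does not become a second leak."""
    return f"{value[:4]}... ({len(value)} chars)"


if __name__ == "__main__":
    findings = scan_for_secrets(SAMPLE)
    for f in findings:
        print(f"line {f.line:>3}  {f.kind:<22} {redact(f.value)}")
    for key in by_kind(findings).get("k8s_encryption_key", []):
        print("k8s aescbc key size:", aes_key_length(key), "bytes")
```

Run as a script, the block lists each hit with its line number and a redacted value, then reports the decoded size of the aescbc key. The same `scan_for_secrets` can be pointed at any text pulled from a config directory or an image layer; the point is to run it before a host is exposed, not after Shodan has indexed it.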

[Screenshot of the leaked data (Credit: Hackenproof)]

Diachenko contacted Nokia through the contact form on its website but received no response. He then raised the issue on Twitter, after which, on December 17th, the unprotected data was secured and taken offline.

Nokia’s security team, for its part, acknowledged the exposure but described the server as merely a “testing environment,” that is, hardware, software and network configured so that test teams can execute test cases rather than a production system. That characterisation says nothing about whether the exposed keys were live or reused elsewhere, which is the question Diachenko raises below.

“This particular AWS server was created some time ago by one of our developers for testing purposes. We can confirm that the server contains no sensitive information. That said, we’ll use this episode for our own awareness training for Nokia R&D employees,” said Nokia.

However, Diachenko thinks otherwise and maintains that “Although it is unknown if any customer data was put at risk (as systems observed were mostly of industrial nature), there is still a great danger of these credentials being exposed on an unprotected public server online, indexed by an IoT search engine.”

“At the end of the day, we cannot be 100% sure that this was testing data, given the nature of the observed environment and the number of exposed passwords. It is also important to note that we did not try to use the credentials against the services,” said Diachenko.

Diachenko’s findings have repeatedly protected the online privacy of millions of Internet users around the world. Earlier this month he discovered 73 gigabytes of data on misconfigured ElasticSearch servers containing the private records of more than 82 million US citizens.
