Hardcoded Credentials

Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:

  • Username/Passwords
  • Cryptographic keys/Certificates
  • API tokens

Unlike Default Credentials, these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.

Adversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.

ID: T0891
Sub-techniques:  No sub-techniques
Platforms: None
Contributors: Aagam Shah, @neutrinoguy, ABB
Version: 1.0
Created: 29 September 2022
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1045 INCONTROLLER

INCONTROLLER can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.[1]

S0603 Stuxnet

Stuxnet uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. [2]

Targeted Assets

ID Asset
A0013 Field I/O

Mitigations

ID Mitigation Description
M0801 Access Management

Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor logon sessions for hardcoded credential use, when feasible.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.

References