Beware of Hardcoded Backdoor Passwords in Motorola Site Controllers

CVSScvssV3_1: 9.4

The Motorola MBTS Site Controller is a device used to manage cellular networks. It was discovered that these controllers have a hardcoded backdoor password that cannot be changed or disabled in their management interface.

This is a serious security issue as it allows anyone who knows the hardcoded password to access the management interface and make changes to the configuration without authentication. They could disable important security settings, install malware, extract sensitive data like encryption keys or even shut down critical network services.

As the password cannot be changed, the vulnerability leaves these systems completely exposed to remote attacks over the internet. A hacker could potentially compromise a site controller without any interaction from legitimate administrators.

If you have a Motorola MBTS Site Controller deployed, you should contact Motorola support immediately to see if any software updates are available to patch this vulnerability. In the meantime, restrict access to the management interface only to trusted internal IP addresses. Monitor the device closely for any unauthorized changes.

It’s also a good reminder that hardcoded or default passwords are a major risk. Manufacturers need to ensure admin interfaces have strong, unique passwords that owners can change on deployment. Network owners should prioritize changing passwords from their defaults as well. Taking basic steps like this can prevent many external intrusions and data breaches.