Advantech is an IoT software company. It provides HMI, a web access platform, and an HTML5-based user interface. Therefore, I keep researching the devices.
After researching IoT devices, I found that some systems don't have a password. An anonymous user can easily enter the system. Leaving your machine open without a strong password is a critical vulnerability. I am always wondering about IoT devices and their vulnerabilities. I know the powerful device search engine ZoomEye. After more research, the leader of the Knownsec 404 team, Heigh (@80vul), tweeted about Advantech and a ZoomEye dork.
In the end, I am confused about where I should report this. Is this the mistake of Advantech, which didn't provide any default password, or the mistake of the company that didn't set the password?
Proof of concept.