Finding live earthquake detectors exposed on the public internet sounds like a movie plot, but sometimes it is just a normal Tuesday for security researchers. Accessing these high-precision GNSS timing systems didn't require a sophisticated hack, but rather the willingness to visit a webpage that had absolutely no interest in asking for a password. While it looked like a critical vulnerability at first glance, the investigation showed that the security gate was fully functional — it just hadn't been closed. It highlights the amusing reality that the strongest digital defense often comes down to simply remembering to turn the lock.
The Discovery Phase
Effective reconnaissance relies on using the right tools to filter out the noise. The investigation began by leveraging Modat Magnify to scan for common IoT signatures. Searching for generic login paths is often the first step to gauge the attack surface, but it rarely yields specific targets immediately. A standard query for one of the most common CGI login strings returned an overwhelming number of results.
Query:
web.html ~ "cgi-bin/login.cgi"
Total Results: 7,207,031
Sifting through seven million results is impractical. To find high-value targets, the search required a unique fingerprint rather than a generic door handle. Curiosity led to testing specific CGI strings that suggest internal device functionality. By replacing the generic login endpoint with a unique trigger command, the search query in Modat Magnify was refined to target something much more specific.
Query:
web.html ~ "cgi-bin/showtrigger.cgi"
Total Results: 41
The results instantly dropped from millions of generic hits to just 41 specific endpoints.

Detailed analysis confirmed that every single result was a StaneO GNSS device. Unlike the previous broad search, these results were not just displaying login forms; they were exposing critical infrastructure interfaces that lacked any authentication mechanism.
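The verification step behind that last sentence, as an added example that is not code from the original write-up, from Modat, or from StaneO: a search hit only says a page mentions the CGI path; whether the interface actually answers without a password has to be confirmed per host. The script below requests the path without following redirects and classifies the response. Everything device-specific here is an assumption, not taken from the page: that the fingerprint path is /cgi-bin/showtrigger.cgi, that an unprotected device returns HTTP 200 with a status page, and that a protected one answers 401/403, redirects to a login page, or serves a login form. The two mock servers are constructed fixtures so the script runs offline against both cases.

```python
"""Check whether a device CGI interface answers without authentication.

Added example (not from the original post, Modat, or StaneO). Assumed,
not from the page: the target path, the login-form markers, and the
response behaviour of protected vs. unprotected devices.
"""
import http.server
import threading
import urllib.error
import urllib.request

TARGET_PATH = "/cgi-bin/showtrigger.cgi"          # assumed fingerprint path
LOGIN_HINTS = (b'type="password"', b"login.cgi")  # assumed login-form markers


def classify(status, headers, body):
    """Map one HTTP response for TARGET_PATH to an exposure verdict."""
    if status in (401, 403):
        return "auth-required"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("Location", "")
        return "auth-required" if "login" in location.lower() else "redirect"
    if status == 200:
        # A 200 that is really a login form is still protected.
        if any(marker in body for marker in LOGIN_HINTS):
            return "auth-required"
        return "open"
    return "not-device"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the redirect itself is what we classify."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=5):
    """Fetch base_url + TARGET_PATH and return classify()'s verdict."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url + TARGET_PATH,
                                 headers={"User-Agent": "exposure-check/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, resp.read())
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        return classify(err.code, err.headers, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


class _MockDevice(http.server.BaseHTTPRequestHandler):
    """Constructed fixture: 'open' mimics an unprotected device, 'locked'
    mimics one with the password enabled (redirect to the login page)."""
    mode = "open"

    def do_GET(self):
        if self.path != TARGET_PATH:
            self.send_error(404)
            return
        if self.mode == "locked":
            self.send_response(302)
            self.send_header("Location", "/cgi-bin/login.cgi")
            self.end_headers()
            return
        body = b"<html><body><h1>Trigger status</h1><pre>channel 1: armed</pre></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock(mode):
    """Start a mock device on an ephemeral loopback port; return (url, server)."""
    handler = type("MockDevice", (_MockDevice,), {"mode": mode})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


def demo():
    """Probe one open and one locked mock device; return {mode: verdict}."""
    verdicts = {}
    for mode in ("open", "locked"):
        url, srv = start_mock(mode)
        verdicts[mode] = probe(url)
        srv.shutdown()
        srv.server_close()
    return verdicts


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(f"{mode:6s} -> {verdict}")
```

Against real search results you would call probe() on each host you are authorised to test; only an "open" verdict confirms the exposure, and a 200 that carries a login form is deliberately counted as protected so the count is not inflated.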
So, What Could Go Wrong?
Finding an open dashboard is fun, but the real question is: does it matter? In this case, absolutely. We are not talking about hacking a smart toaster to burn someone's bagel; we are talking about devices that act as the eyes and ears for scientists monitoring the Earth's crust.
The Power to Delete History
These devices record large amounts of seismic data locally. With full access, a random visitor could simply format the storage or stop the recording tasks. Imagine a major geological event occurring, an earthquake or a tremor, but the official record shows absolutely nothing because someone on the internet decided to hit the "Stop" button for fun.

The Digital Blindfold
The most immediate risk is simply turning the lights out. These devices are often deployed in remote locations to listen for earthquakes or monitor the structural health of dams and bridges. With full administrative access, a random visitor could stop the recording tasks or disable the sensor lines, leaving researchers blind to events as they happen. It is effectively a digital blindfold for researchers.

The Ultimate Lockout
Perhaps the most annoying impact is the ability to change the network settings. Since the interface allows full administrative control, an attacker could change the IP address or finally set that password the owner forgot about, locking the legitimate scientists out of their own expensive hardware. It would be a very expensive paperweight until someone physically drove out to the site to reset it.
Coordination and Fix
We coordinated this disclosure through CISA, and the response from StaneO was refreshingly direct and transparent. They quickly identified that the exposed devices belonged to a single customer who had chosen to bypass the standard security recommendations, effectively leaving the control interface open to the world without a password or firewall.

I fully agree with the vendor's stance: the hardware provided the necessary tools for protection, but they had simply been left unused by the operator. StaneO went above and beyond by personally contacting the customer to rectify the configuration, ensuring the devices were promptly secured against unauthorized access. It is a great example of how shared responsibility works in the real world. A massive thank you goes out to both CISA for facilitating this process and to StaneO for their proactive approach in helping their users stay secure.
Conclusion:
This investigation serves as a perfect case study for the current state of industrial security. We often obsess over complex zero-day exploits and sophisticated bypass techniques, but the reality is frequently much simpler. Here, high-end scientific equipment capable of monitoring the Earth's movements was left vulnerable simply because a basic password setting was overlooked during deployment.
The successful collaboration with CISA and StaneO highlights that security is ultimately a shared responsibility between the manufacturer and the operator. The vendor provided the digital lock, but the user simply forgot to turn the key. As we continue to connect more critical infrastructure to the public internet, the lesson remains clear: the most sophisticated security features in the world cannot protect you if you choose not to enable them. Sometimes, the most effective patch available is just taking the time to read the manual and click the checkbox that says Enable Password.