And let's also acknowledge that you don't need to offer complete root
access to a device to do a password reset. There could easily be a
feature where you can reset the password through a web interface by
entering a hashed version of the MAC address as an authentication
string, or some other mechanism that doesn't expose the entire internals
of the device to anyone.
On 11/14/2016 9:57 AM, Paul Stewart wrote:
Agree 110% …
It does suck re: having to climb a tower to reset a password but would
also think that folks might suddenly be inclined to keep better track
of passwords after having to do so a couple of times ;)
On Nov 14, 2016, at 10:52 AM, Simon Westlake <[email protected]> wrote:
You may not be the only one to make that assumption, but I find it
hard to throw my hands up and say 'Oh well' to a hard coded, fixed
password root account that is publicly accessible on any kind of device.
On 11/14/2016 9:44 AM, Ken Hohhof wrote:
I think in some cases this means climbing the tower with a laptop
and a serial cable though.
Am I the only one who assumes everything has one or more backdoors,
including my car? There’s the one the manufacturer knows about, the
one the NSA put there, the one the software engineer put there and
didn’t tell his boss about, the one the Chinese chip maker put
there, the one Fancy Bear put there …
From: Af [mailto:[email protected]] On Behalf Of Simon Westlake
Sent: Monday, November 14, 2016 9:11 AM
To: [email protected]
Subject: Re: [AFMUG] Trango Security Issue
There's no reason for it to be secret, either. If it exists purely
to assist customers who forgot their password, then there is no
reason to both disclose it, and offer the user the ability to turn
it off. As long as there is still a physical reset method, then any
fallout from forgetting a password ends up on the customer, if they
disabled the ability for it to be reset.
Let's just imagine right now that someone has already built a bot
that is going out, scanning for Trango radios, and modifying the
running code on them. You can argue that some fault lies with the
operator for not properly securing his/her network, but the root
cause of the problem is an insecure root account, hard coded into a
radio with a fixed password, that cannot be disabled.
On 11/13/2016 5:12 PM, Paul Stewart wrote:
True, and now it's been disclosed by a security researcher, and
this blows up badly on the vendor in my opinion. Makes you
wonder what else they are doing in their software that they are
not telling you about - just an example and not suggesting
there's more in this case.
On Nov 13, 2016, at 5:51 PM, Ken Hohhof <[email protected]> wrote:
Well, it’s not a secret backdoor if you disclose it.
“You ever flashy thinged me?”
“No.”
"I ain't playing with you, K, you ever flashy thinged me?"
“No.”
From: Af [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Sunday, November 13, 2016 3:56 PM
To: [email protected]
Subject: Re: [AFMUG] Trango Security Issue
Different people deploy them different ways … good or bad …
The biggest problem I have with this is when a vendor
doesn’t disclose this information and that a customer cannot
choose to remove this option if the vendor insists on
putting it in place.
On Nov 13, 2016, at 4:35 PM, George Skorup <[email protected]> wrote:
I don't exactly see the problem, especially with a PTP
radio that should only be accessible from within your
network and possibly only from management subnets/VLANs,
too. If it's a public facing piece of equipment like a
router, then sure, I agree.
On 11/13/2016 3:07 PM, Paul Stewart wrote:
Totally disagree with this... we would never let a
vendor into our network if there was a possibility
of this. It puts our network at risk from their
stupidity.
We aggressively look at this when new products are
coming into the network - realizing that sometimes
there’s no way to detect it but it’s a question we
ask, tests that we run, and hope that our confidence
in this being possible is low.
On Nov 13, 2016, at 11:59 AM, Ken Hohhof <[email protected]> wrote:
Yep. There are legitimate needs for the factory
to have a backdoor.
--
Simon Westlake
Skype: Simon_Sonar
Email: [email protected]
Phone: (702) 447-1247
---------------------------
Sonar Software Inc
The future of ISP billing and OSS
https://sonar.software