[clug] Drive-By Pharming Attack Could Hit Home Networks

Alex Satrapa grail at goldweb.com.au
Thu Feb 22 03:32:49 GMT 2007

On 22/02/2007, at 13:39 , Andrew Boyd wrote:

> On 2/22/07, Sunnz <sunnzy at gmail.com> wrote:
>> Well Windows Adobe whatever etc. make people type in serial numbers
>> for a long long time so it should be no way "customer unfriendly".

> I think that, as a species, we could probably do better.

I think the appeal of the default password is simply that the  
manufacturer can mass produce the hardware, burn a single image onto  
each and every ROM, and ship it to the customer.

For a system such as "initial password is the serial number", they'd  
have to modify the memory of each piece of hardware separately. Of  
course, the fact that each piece of hardware goes through some form  
of QA testing would imply that there is a point in the process at  
which it becomes trivial to generate a random password, burn that  
into the device's ROM, and print out a label with the password, then  
attach the label to the device (this could even be the "tested by …"  

Alternately, the mass-produced anonymous device could ship with  
wireless deactivated by default, with the initial administrative  
connection being made by cable connected to the device. Turning on  
the wireless would then require a password to be entered (or  
modified). This preserves the economy of mass-produced anonymous  
devices, while providing some means of preventing "default password"  
attacks on such devices as installed at users' premises.

But then, as the saying goes, the world will build a better fool. The  
people at home — now required by the setup procedure to invent a  
password — will simply copy the password from the example in the  
manual, and we'll be back to square 1.


More information about the linux mailing list