North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Cisco, haven't we learned anything? (technician reset)y
- From: Steven M. Bellovin
- Date: Thu Jan 12 21:07:32 2006
In message <200601130141.k0D1fiZ1007762@world.std.com>, Martin Hannigan writes:
>> > Actually, and fairly recently, this IS a default password in IOS. New
>> > out-of-box 28xx series routers have cisco/cisco installed as the default
>> > password with privilege 15 (full access). This is a recent development.
>> This is hardly only cisco's problem. Most office routers I've dealt with
>> also come with default username/password and on occasions when I dealt
>> with existing installation those passwords have rarely been changed.
>> What should really be done (BCP for manufactures ???) is have default
>> password based on unit's serial number. Since most routers provide this
>> information (i.e. its preset on the chip's eprom) I don't understand
>> why its so hard to just create simple function as part of software to
>> use this data if the password is not otherwise set.
>Ex: Thot's how a Netscreen 5 works after a reset. The password is the
>serial # if I remember correctly.
How much entropy is there in a such a serial number? Little enough
that it can be brute-forced by someone who knows the pattern? Using
some function of the serial number and a vendor-known secret key is
better -- until, of course, that "secret" leaks. (Anyone remember how
telephone credit card number verification worked before they could do
full real-time validation? The Phone Company took a 10-digit phone
number and calculated four extra digits, based on that year's secret.
Guess how well that secret was kept....)
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb