Cisco, haven't we learned anything? (technician reset)
Steven M. Bellovin
smb at cs.columbia.edu
Fri Jan 13 02:05:52 UTC 2006
In message <200601130141.k0D1fiZ1007762 at world.std.com>, Martin Hannigan writes:
>
>> > Actually, and fairly recently, this IS a default password in IOS. New
>> > out-of-box 28xx series routers have cisco/cisco installed as the default
>> > password with privilege 15 (full access). This is a recent development.
>>
>> This is hardly only cisco's problem. Most office routers I've dealt with
>> also come with default username/password and on occasions when I dealt
>> with existing installation those passwords have rarely been changed.
>>
>> What should really be done (BCP for manufacturers ???) is have default
>> password based on unit's serial number. Since most routers provide this
>> information (i.e. it's preset on the chip's eprom) I don't understand
>> why it's so hard to just create a simple function as part of software to
>> use this data if the password is not otherwise set.
>
>Ex: That's how a Netscreen 5 works after a reset. The password is the
>serial # if I remember correctly.
>
How much entropy is there in such a serial number? Little enough
that it can be brute-forced by someone who knows the pattern? Using
some function of the serial number and a vendor-known secret key is
better -- until, of course, that "secret" leaks. (Anyone remember how
telephone credit card number verification worked before they could do
full real-time validation? The Phone Company took a 10-digit phone
number and calculated four extra digits, based on that year's secret.
Guess how well that secret was kept....)
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
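
The entropy question in the message above, worked through as an added example (not part of the original post or thread). It bounds the guessing space of a structured serial number and then derives a per-unit default password as a keyed function of the serial. The serial layout, field sizes, guess rate, key and serial strings are all constructed for illustration and describe no real vendor's format.

```python
import base64
import hashlib
import hmac
import math

# Constructed serial layout (hypothetical): each value is how many
# candidates someone who knows the pattern has to try for that field.
SERIAL_FIELDS = {
    "plant": 4,          # a handful of factories
    "year": 5,           # product line sold for about five years
    "week": 52,          # week of manufacture
    "sequence": 10_000,  # four-digit per-week counter
}

def search_space(fields):
    """Number of candidate serials once the pattern is known."""
    return math.prod(fields.values())

def entropy_bits(fields):
    """Upper bound on entropy: assumes every field is uniformly used."""
    return math.log2(search_space(fields))

def hours_to_exhaust(fields, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return search_space(fields) / guesses_per_second / 3600

def keyed_default_password(serial, vendor_key, length=12):
    """Default password as truncated HMAC-SHA256(vendor_key, serial).

    Base32 carries 5 bits per character, so 12 characters give 60 bits,
    but only for as long as vendor_key stays secret.
    """
    mac = hmac.new(vendor_key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length].lower()

if __name__ == "__main__":
    print(f"serial alone: {entropy_bits(SERIAL_FIELDS):.1f} bits, "
          f"{hours_to_exhaust(SERIAL_FIELDS, 10):.0f} h at 10 guesses/s")
    key = b"constructed-vendor-secret"   # placeholder, not a real key
    serial = "PLT1-06-02-0042"           # constructed sample serial
    issued = keyed_default_password(serial, key)
    # Whoever holds the key recomputes any unit's password from its serial,
    # which is usually printed on the chassis label.
    print("issued:", issued,
          "| recomputed with leaked key:", keyed_default_password(serial, key))
```

With these constructed field sizes the serial alone carries at most about 23 bits, far less than its printed length suggests. The keyed variant moves the whole secret into one vendor-wide key.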