Default Passwords for World Wide Packets/Lightning Edge Equipment

Joel Jaeggli joelja at bogus.com
Wed Jan 13 13:49:36 CST 2010


Steven Bellovin wrote:
> On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
> 
>> There seem to be a lot of misconceptions about RFID tags. I'm hardly
>> an expert but I do know this much:
>>
>> RFID tags are generic, you don't put data into them unique to your
>> application.

Not true. The simplest RFID tags are energized and play back whatever
string is embedded (passive tags); however, plenty of devices that fall
under the moniker RFID are at a minimum field-programmable. Moreover,
when you get beyond passive tags, the devices can be found with full-on
Java stacks, challenge-response systems, FIPS-certified crypto engines,
flash for stored value, etc.


> Part of the original (or at least early) context for this thread was recovery of default passwords.  If the password is F(ser#), it's only learnable if you know both F() and ser#.  The vendor knows F() -- who knows ser#?  If it's in an RFID tag, or is DBlookup(tag#,vendor_db), being able to read this admittedly-arbitrary number may indeed be a threat.
> 
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb