Thursday, August 25, 2011
Trouble with the default PIN!
There is a lot of talk about security these days. The m9 has a lot of stuff that should help to make your phone calls secure. However, what is all the security good for when users don’t change the default passwords?
The default PIN for the base is 0000. This is something that is hard to avoid. We were thinking about assigning a random PIN in the factory, so that it becomes a lot more difficult to hack the base which is using the default PIN 0000. However, marketing sent a very clear signal: Keep it simple for the users and so we kept the default 0000 PIN. However, we put a warning on the landing page after the user logs in and make the point, that choosing a different PIN does increase the security of the device a lot. For example, you can factory reset the device if you know the base PIN without having to have physical access to the base—and not even access to the room or even building (keep in mind this is a wireless device).
It is important to know that handsets can register only while the DECT base accepts registration. Essentially what happens is that the handset and the base use the PIN as a “salt” to generate a 128 bit shared secret that is stored both in the handset and the base. Later, when the handset wants to register again, it is using the shared secret and the base compares it with the stored secret. The generation of the shared secret is possible while the “registration is open”, probably a more precise wording would have been “the base is open to generate shares secrets” (again, I guess marketing would have stopped us here as well). The registration is open after a reboot for about ten minutes and after the registration was turned on explicitly from the web interface.
During that registration phase, everyone who knows the PIN can register a new handset. This is a dangerous phase; for example if you automate the PIN trying process you could probably easily try out the 10000 possible combinations. There is a warning sign on the web interface during that time.
The good news is that typically, the base should not be rebooted too often and within the booting period, the admin can check if there are unwanted handsets registered to the base. But as a minimum I think admins should change the PIN code to something better than 0000. And maybe we should open registration after a reboot only if the admin logs into the web interface and hits the registration button.
Again, I suspect marketing would stop us again here! So for now, we need to know that the default PIN is a bad thing, should be changed ASAP and you should not reboot the device too often, and if you have to, watch which handsets are registered to the base.