[Nottingham] On Virgin Media?

Michael Quaintance penfoldq at penfoldq.co.uk
Wed Mar 12 20:35:03 UTC 2014


On Wed, Mar 12, 2014 at 12:16 PM, Jason Irwin <jasonirwin73 at gmail.com> wrote:

> On 12/03/14 18:02, David Aldred wrote:
> > Why an admin password change isn't
> > simply forced on first login I don't know.
> Why a password isn't randomly assigned in the factory (sticker on
> bottom) is beyond me.


It is technically quite a tricky process to make the code image unique for
each device coming off a production line in a way that is not trivially
broken.

For instance, it is a mandatory requirement that the MAC addresses for the
devices be unique, so the manufacturers have worked out how to do that, and
they mark the MAC addresses on the sticker. But MAC addresses are simple
incrementing identifiers and are not private information. If the password
is based upon this MAC address (even through some complex hash) it becomes
simply security through obscurity. The password is harder to determine but
still remotely exploitable.

You need this password to be _properly_ randomly generated. And that's an
expensive step in the manufacturing process. Not impossible, and I can
think of multiple ways to achieve it that are manufacturable but still it
costs. And remember these devices are made with very small margins. If they
made them even a little more expensive, they would need to market the heck
out of the benefit to shame other manufacturers who did not do it, or lose
out because they were too expensive with no perceived benefit. And then
they would be the target of loads of hackers/crackers around the world
trying to break this new fancy system. With that much attention, the
company would certainly fail, and the market would punish them for failing
much more than they get punished for not trying.

Basically, it's just not worth it for the manufacturers. This is one of the
problems that is only going to improve with legislation, not free-market
economics.

-Michael
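
The contrast drawn in the message above, as an added example that is not part of the original post: a password computed from the MAC repeats for anyone who knows the algorithm, while one drawn from a CSPRNG at provisioning time does not. The alphabet, the SHA-256 choice, the function names and the sample MAC are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Assumed sticker alphabet: look-alike characters (i, l, o, 0, 1) left out.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def mac_derived_password(mac: str, length: int = 10) -> str:
    """Weak scheme: the password is a pure function of the public MAC."""
    digest = hashlib.sha256(bytes.fromhex(mac.replace(":", ""))).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

def random_password(mac: str = "", length: int = 10) -> str:
    """Sound scheme: drawn from the OS CSPRNG; the MAC is ignored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def depends_only_on_mac(scheme, mac: str) -> bool:
    """Audit check: a scheme that repeats for the same MAC is derivable from it."""
    return scheme(mac) == scheme(mac)

def entropy_bits(scheme_is_random: bool, mac_known: bool, length: int = 10) -> float:
    """Upper bound on guessing work, in bits, once the algorithm is public."""
    if scheme_is_random:
        return length * math.log2(len(ALPHABET))
    # A MAC is 48 bits: a 24-bit vendor prefix (assumed known) plus a
    # 24-bit device part, so at most 2**24 candidates per vendor.
    return 0.0 if mac_known else 24.0

def provision(first_mac: int, count: int) -> dict:
    """Factory step: sequential MACs, independent random password per unit."""
    records = {}
    for n in range(first_mac, first_mac + count):
        mac = ":".join(f"{(n >> s) & 0xFF:02x}" for s in range(40, -8, -8))
        records[mac] = random_password(mac)
    return records

if __name__ == "__main__":
    sample = "02:00:00:00:00:01"  # constructed, locally administered address
    print("MAC-derived repeats:", depends_only_on_mac(mac_derived_password, sample))
    print("random repeats:     ", depends_only_on_mac(random_password, sample))
    print("bits, MAC-derived:  ", entropy_bits(False, mac_known=True))
    print("bits, random:       ", round(entropy_bits(True, mac_known=True), 1))
    for mac, pw in provision(0x020000000001, 3).items():
        print(mac, pw)
```
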