Categories: Compliance, Critical Infrastructure, Data Breaches, Government, Hacks, Vulnerabilities

Comments (2)

  1. Roger
    2

    To be fair, the password is not hard-coded. It uses a password diversification scheme, i.e. generates the password from some unique ID on the device.

    With a proper diversification system (i.e. HMAC or RSA-sig) this is a perfectly sound method. The problem here is really the unkeyed, stupidly simple “hash” they are using to diversify keys.

    Oh, plus that they don’t tell the customer that the backdoor account even exists … that’s a tad, umm, unethical.

Comments are closed.