Not preventing against password replay attacks. It not only allows attackers to unlock any of these devices, but it allows the vendors to unlock any of these devices as well. This is essentially like having the same backdoor password on all devices. Such software can easily be tampered with. Relying on software on the host PC to validate the correctness of a user's password. The security flaws in the design of those products that permit this hack are: They can unlock any of those devices instantaneously without knowing the user's password. SySS was able to write a simple unlocker tool that patches the software to always send the unlock code to the devices. This is an inherent design flaw, and is not secure. Simply put, those products are using software that runs on the host PC to verify the correctness of a user's password, and then sending a signal to the device to unlock itself. The vulnerability is an architectural flaw in the design of those affected products.
0 Comments
Leave a Reply. |