top | item 9489902

(no title)

smutticus | 10 years ago

Is anyone else dissatisfied with the amount of information we get in many sec bug reports? Almost everytime I read a CVE or other vulnerability I find myself with more questions than answers. There's so little information given.

Is telnet on by default? Is this device normally plugged into a network, for how long? How common is this device? Has it been on the market for long?

Without this kind of information it's very difficult to assess risk, or otherwise form an opinion.

discuss

dyngnosis|10 years ago

Telnet is on by default. It is a busybox shell. This device is normally connected to a network via wifi. There is an additional Ethernet port on the back. It is safe to say every patient using one of these has physical access. The wireless encryption keys are stored in plain text.

adt2bt|10 years ago

On the other hand, for potentially significant security holes, answering those questions would make attacking the devices easy. I imagine more detail will come out in a postmortem once the affected devices are updated. I may be overly optimistic, though..

dyngnosis|10 years ago

I've got a full advisory written up. It is unclear if the vendor will patching the device. When I get that cleared up I'll have a full advisory for everyone. In the meantime if you need something answered urgently you can contact me directly.

flashman|10 years ago

Hopefully not a literal post mortem.