[121241] in North American Network Operators' Group
Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Jan 13 14:28:40 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <19278.5334.402304.466638@world.std.com>
Date: Wed, 13 Jan 2010 14:26:25 -0500
To: Barry Shein <bzs@world.std.com>
Cc: nanog@nanog.org, nonobvious@gmail.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
>
> There seem to be a lot of misconceptions about RFID tags. I'm hardly
> an expert but I do know this much:
>
> RFID tags are generic, you don't put data into them unique to your
> application.
>
Part of the original (or at least early) context for this thread was
recovery of default passwords. If the password is F(ser#), it's only
learnable if you know both F() and ser#. The vendor knows F() -- who
knows ser#? If it's in an RFID tag, or is DBlookup(tag#,vendor_db),
being able to read this admittedly-arbitrary number may indeed be a
threat.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
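
Added example, not part of the original message: an inventory audit that finds devices whose password is still F(ser#) and ranks them higher when the serial number can be read from a tag. The keyed `derive_default` is a hypothetical stand-in for the vendor's F(), and the inventory fields, serials and key are constructed for illustration.

```python
import hashlib
import hmac

def derive_default(serial: str, vendor_key: bytes) -> str:
    """Hypothetical F(ser#): the vendor's real function is not on the page."""
    return hmac.new(vendor_key, serial.encode(), hashlib.sha256).hexdigest()[:12]

def stored_hash(password: str, salt: bytes) -> bytes:
    """Assumed device-side password storage (salted PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def audit(inventory, vendor_key):
    """Return (serial, risk) for every device still using F(ser#).

    Risk is 'high' when ser# is readable from an RFID tag, because anyone
    who also knows F() can then derive the password; otherwise 'medium'.
    """
    findings = []
    for dev in inventory:
        candidate = stored_hash(derive_default(dev["serial"], vendor_key), dev["salt"])
        if hmac.compare_digest(candidate, dev["pw_hash"]):
            risk = "high" if dev["serial_on_tag"] else "medium"
            findings.append((dev["serial"], risk))
    return findings

def build_sample(vendor_key):
    """Constructed inventory: two devices on the default, one changed."""
    rows = [
        ("SN-0001", True, None),                  # default, serial on tag
        ("SN-0002", False, None),                 # default, serial not exposed
        ("SN-0003", True, "operator-chosen-pw"),  # password was changed
    ]
    inventory = []
    for serial, on_tag, custom_pw in rows:
        salt = hashlib.sha256(serial.encode()).digest()[:16]  # fixed salt for the demo
        password = custom_pw or derive_default(serial, vendor_key)
        inventory.append({"serial": serial, "salt": salt, "serial_on_tag": on_tag,
                          "pw_hash": stored_hash(password, salt)})
    return inventory

if __name__ == "__main__":
    key = b"constructed-vendor-key"
    for serial, risk in audit(build_sample(key), key):
        print(serial, risk)
```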