Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [Braillenote] Warning: BrailleNote Apex Offers Read/Write FTP And Telnet Access To All Comers
From: Alex Hall <mehgcap () gmail com>
Date: Fri, 1 Oct 2010 17:50:05 -0400

While I am shocked at this sort of security risk on a bn, I wonder how
you use it to access your files without, as you say, using ActiveSync?
I am on a public network at school and am therefore rather worried
about this (then again, I doubt anyone on campus knows what telnet is,
let alone how to isolate my machine).
Please email hw with the details of this as soon as possible so they
can see that, even if they meant to do it, it is of concern to users.
If you can tell me how to do this and I can confirm it, I will also
email them. I do not doubt your findings, I just would like to provide
details of my setup so that hw can see that these are two independent
use cases.

On 10/1/10, Sabahattin Gucukoglu <mail () sabahattin-gucukoglu com> wrote:
BrailleNote Apex offers telnet and FTP access on the standard ports, with
read/write privilege on the entire file system, to all comers.  No
authentication is required.  BrailleNote is unsafe on any network whose
devices you are not in full charge of, and which (by NAT or firewall) does
not protect BrailleNote from the Internet.

I am happy and sad.  In a chance port scan of my entire network looking for
interesting services and protocols that were not accounted for by visible
configuration options in all my devices, I found this disaster staring me in
the face on the least likely candidate of them all.  On the one hand, now I
don't need ActiveStink in order to access my files, over the network, from
my Mac.  I want these services running, for sure (maybe just FTP) but
dammit, authentication first!  On the other hand, there is no doubt my trust
in HumanWare is badly dented, as I was clearly optimistic that they would,
and did, do the right thing and secure the device firmware before shipping
it.  Anonymous FTP and telnet are obvious, easily found and effectively
exploited.  If it isn't configurable, it shouldn't be enabled.  I am quite
sure this was the case before now.  The most likely explanation is a build
with a test configuration and services for development still in use on the
newest model; the USB vendor string is further evidence of this.  Note to
self: that popular expression about assumptions turns out to be true.

KeySoft version 9.0.2 build 756, Windows CE 6.0, with telnet and FTP

While we await an update that either disables the services or allows the
user to specify the authentication credentials, do not use your BrailleNote
Apex on any untrusted network, or if you are network administrator,
temporarily prohibit these devices from connecting to your networks.  If
"Bad guys" are on your network, the BrailleNote Apex is, alas, easy meat.


Replies to this message will go directly to the sender.
If your reply would be useful to the list, please send a
copy to the list as well.

To leave the BrailleNote list, send a blank message to
braillenote-unsubscribe () list humanware com
To view the list archives or change your preferences, visit

Have a great day,
Alex (msg sent from GMail website)
mehgcap () gmail com; http://www.facebook.com/mehgcap

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]