nanog mailing list archives

Re: Cisco, haven't we learned anything? (technician reset)
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 12 Jan 2006 21:05:52 -0500

In message <200601130141.k0D1fiZ1007762 () world std com>, Martin Hannigan writes:

Actually, and fairly recently, this IS a default password in IOS.  New 
out-of-box 28xx series routers have cisco/cisco installed as the default 
password with privilege 15 (full access).  This is a recent development.

This is hardly only Cisco's problem. Most office routers I've dealt with
also come with default username/password and on occasions when I dealt
with existing installations those passwords have rarely been changed.

What should really be done (BCP for manufacturers ???) is have default
password based on unit's serial number. Since most routers provide this
information (i.e. it's preset on the chip's eprom) I don't understand
why it's so hard to just create simple function as part of software to 
use this data if the password is not otherwise set.

Ex: That's how a Netscreen 5 works after a reset. The password is the
serial # if I remember correctly.

How much entropy is there in such a serial number?  Little enough 
that it can be brute-forced by someone who knows the pattern?  Using 
some function of the serial number and a vendor-known secret key is 
better -- until, of course, that "secret" leaks.  (Anyone remember how 
telephone credit card number verification worked before they could do 
full real-time validation?  The Phone Company took a 10-digit phone 
number and calculated four extra digits, based on that year's secret.  
Guess how well that secret was kept....)

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
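
The entropy question raised in the message above, worked through as an added example that is not part of the original post. The serial layout, field counts, key size and the HMAC-based derivation are constructed assumptions, not any vendor's real scheme.

```python
import hashlib
import hmac
import math

# Constructed serial layout (assumption): each entry is
# (field name, number of plausible values once the pattern is known).
SERIAL_FIELDS = [
    ("plant code", 3),         # a handful of factories
    ("year", 2),               # model shipped in a known two-year window
    ("week", 52),
    ("unit counter", 10_000),  # 4-digit sequential counter
]

def keyspace_bits(fields):
    """Entropy in bits if every listed field value is equally likely."""
    return sum(math.log2(count) for _, count in fields)

def derive_default(serial: str, vendor_key: bytes, length: int = 10) -> str:
    """Hypothetical keyed default: truncated HMAC-SHA256(vendor_key, serial)."""
    mac = hmac.new(vendor_key, serial.encode(), hashlib.sha256).hexdigest()
    return mac[:length]

def effective_bits(fields, key_bits, out_hex_chars, key_leaked):
    """Upper bound on guessing work (bits) for the keyed default password."""
    output_bits = 4 * out_hex_chars          # each hex character carries 4 bits
    if key_leaked:
        # The function can be recomputed by anyone, so only the serial is
        # unknown, and strength falls back to the serial's entropy.
        return min(keyspace_bits(fields), output_bits)
    # Key still secret: bounded by the smaller of key size and output size.
    return min(key_bits, output_bits)

if __name__ == "__main__":
    serial = "ABC06120042"                   # constructed sample serial
    key = b"constructed-vendor-secret"       # constructed sample key
    print("serial-as-password bits :", round(keyspace_bits(SERIAL_FIELDS), 1))
    print("keyed default (example) :", derive_default(serial, key))
    print("keyed, key secret  bits :", effective_bits(SERIAL_FIELDS, 128, 10, False))
    print("keyed, key leaked  bits :",
          round(effective_bits(SERIAL_FIELDS, 128, 10, True), 1))
```

With these assumed field counts the serial alone is worth under 22 bits, and the keyed variant drops from 40 bits to that same figure once the shared key is known.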
