[Ovmsdev] Registered phone / password security issue

Michael Balzer dexter at expeedo.de
Wed Jul 22 00:23:32 HKT 2015


Hi everyone,

some users including me experienced loss or garbling of EEPROM
parameters. I once saw by chance that my registered phone number had
turned empty -- I seldom need to use SMS, so I only saw this when
checking the parameter list on the App for another config.

The same now also occurred to another user I'm in contact with, and it
now turned out that's not only annoying but a security issue:

The current logic of net_sms_checkcaller() allows access to any phone
number if the parameter is empty. The same applies to
net_sms_checkpassarg(), which will allow any password to be used if no
password is stored.

As this kind of data loss can only be detected by checking the
parameters, it's possible to check for "open" modules by just trying to
access them from time to time -- you only need to know the SIM card number.

I'm about to submit a change for both functions to NOT allow access if
their respective param slots are empty.

As the initial flash contents have the "OVMS" standard password, a
completely lost module should still be restorable by re-flashing.

Am I missing something? Is there any reason for the "empty=wildcard" behaviour?

Regards,
Michael

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
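
The two behaviours discussed in this message, as an added C example that is not part of the original post and is not OVMS code. The function names, the exact-match comparison and the sample phone numbers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not the OVMS implementation. "stored" stands for
 * the parameter slot (registered phone or password), "supplied" for the
 * SMS caller ID or the password argument. */

/* Behaviour the post describes: an empty slot matches anything. */
int check_empty_is_wildcard(const char *stored, const char *supplied)
{
    if (stored[0] == '\0')
        return 1;                       /* lost parameter => open access */
    return strcmp(stored, supplied) == 0;
}

/* Behaviour the post proposes: an empty slot matches nothing. */
int check_empty_is_deny(const char *stored, const char *supplied)
{
    if (stored[0] == '\0' || supplied[0] == '\0')
        return 0;                       /* fail closed on missing data */
    return strcmp(stored, supplied) == 0;
}

/* Audit helper for the "can only be detected by checking the parameters"
 * problem: bit 0 = phone slot empty, bit 1 = password slot empty. */
int empty_slots(const char *phone, const char *password)
{
    return (phone[0] == '\0' ? 1 : 0) | (password[0] == '\0' ? 2 : 0);
}

int main(void)
{
    const char *owner = "+15550100";    /* constructed sample values */
    const char *stranger = "+15550199";
    const char *lost = "";              /* slot after parameter loss */

    printf("intact slot, wildcard rule, stranger: %d\n",
           check_empty_is_wildcard(owner, stranger));
    printf("lost slot,   wildcard rule, stranger: %d\n",
           check_empty_is_wildcard(lost, stranger));
    printf("lost slot,   deny rule,     stranger: %d\n",
           check_empty_is_deny(lost, stranger));
    printf("lost slot,   deny rule,     owner:    %d\n",
           check_empty_is_deny(lost, owner));
    printf("empty-slot mask (phone lost, password kept): %d\n",
           empty_slots(lost, "OVMS"));
    return 0;
}
```

With the deny rule even the owner is rejected once the slot is empty, which is why the post points to re-flashing as the recovery path.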
