[Ovmsdev] Registered phone / password security issue

Tom Saxton tom at idleloop.com
Wed Jul 22 08:39:45 HKT 2015


Hi Michael,

Have you confirmed the security problem? I've had time when the EEPROM got
zeroed out and I couldn't access the module via SMS at all. I had to
reflash with a valid EEPROM image in order to re-register my cell number.

I'm pretty careful not to share my OVMS phone number with anyone. If
someone unfriendly had it, they could send it a bunch of SMS messages each
of which costs me a penny. Do that 1,000 times, and they've disabled my
box until I refill my H2O account.

   Tom

-----Original Message-----
From: Michael Balzer <dexter at expeedo.de>
Reply-To: OVMS Developers <ovmsdev at lists.teslaclub.hk>
Date: Tuesday, July 21, 2015 at 9:23 AM
To: OVMS Developers <ovmsdev at lists.teslaclub.hk>
Subject: [Ovmsdev] Registered phone / password security issue

>Hi everyone,
>
>some users including me experienced loss or garbling of eeprom
>parameters. I once saw by chance that my registered phone number had
>turned empty -- I seldom need to use SMS, so I only saw this when
>checking the parameter list on the App for another config.
>
>The same now also occurred to another user I'm in contact with, and it
>now turned out that's not only annoying but a security issue:
>
>The current logic of net_sms_checkcaller() allows access to any phone
>number if the parameter is empty. The same applies to
>net_sms_checkpassarg(), which will allow any password to be used if no
>password is stored.
>
>As this kind of data loss can only be detected by checking the
>parameters, it's possible to check for "open" modules by just trying to
>access them from time to time -- you only need to know the SIM card
>number.
>
>I'm about to submit a change for both functions to NOT allow access if
>their respective param slots are empty.
>
>As the initial flash contents have the "OVMS" standard password, a
>completely lost module should still be restorable by re-flashing.
>
>Am I missing something? Is there any reason for the "empty=wildcard"
>behaviour?
>
>Regards,
>Michael
>
>-- 
>Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
>Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
>
>_______________________________________________
>OvmsDev mailing list
>OvmsDev at lists.teslaclub.hk
>http://lists.teslaclub.hk/mailman/listinfo/ovmsdev
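Added example (not OVMS firmware code): the "empty slot = wildcard" logic Michael describes, side by side with the deny-on-empty fix he proposes. The function names, the two parameter buffers and the sample values are hypothetical stand-ins for net_sms_checkcaller(), net_sms_checkpassarg() and the module's EEPROM parameter slots.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the EEPROM parameter slots; the real firmware
 * reads the registered phone number and module password from its
 * parameter store. Values are sample data, not real numbers or secrets. */
#define PARAM_LEN 32
static char stored_caller[PARAM_LEN]   = "+4912345678";  /* registered phone */
static char stored_password[PARAM_LEN] = "OVMS";         /* module password  */

/* Behaviour reported on the list: an empty slot is treated as a wildcard,
 * so a module whose EEPROM parameters got zeroed accepts any caller. */
bool checkcaller_old(const char *caller)
{
    if (stored_caller[0] == '\0')
        return true;                  /* empty slot: every number passes */
    return caller != NULL && strcmp(stored_caller, caller) == 0;
}

/* Proposed fix: an empty slot denies everyone; the module is then
 * restored by re-flashing, not by remote access. */
bool checkcaller_new(const char *caller)
{
    if (stored_caller[0] == '\0' || caller == NULL)
        return false;                 /* lost parameter: fail closed */
    return strcmp(stored_caller, caller) == 0;
}

/* Same pattern for the SMS password argument. */
bool checkpassarg_old(const char *arg)
{
    if (stored_password[0] == '\0')
        return true;                  /* no password stored: anything passes */
    return arg != NULL && strcmp(stored_password, arg) == 0;
}

bool checkpassarg_new(const char *arg)
{
    if (stored_password[0] == '\0' || arg == NULL)
        return false;                 /* lost parameter: fail closed */
    return strcmp(stored_password, arg) == 0;
}

/* Simulates the parameter loss both users observed (slots turned empty). */
void simulate_param_loss(void)
{
    stored_caller[0]   = '\0';
    stored_password[0] = '\0';
}
```

With intact parameters both variants behave identically; after simulate_param_loss() only the old variants keep granting access.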
