<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">The vulnerability is the open access point, up until the time the user changes the password.<div class=""><br class=""></div><div class="">@Michael: Can we extend webserver to show a screen prompting for password change, when user logs in, if the current password is of the format: 20\d{8,8}\w{4,4}. Either that, or have a config setting to record that password has been changed, and keep prompting that change password screen, on login, until it has been set (then clear the flag). Change both the module and default wifi password to whatever is entered?</div><div class=""><br class=""></div><div class="">Firmware deadline for first production is Monday 19th March 2018, so I’ll tag the code on Sunday with wherever we are and build based on that. We always have OTA ...</div><div class=""><br class=""></div><div class="">Regards, Mark.</div><div class=""><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 15 Mar 2018, at 1:32 AM, Greg D. <<a href="mailto:gregd2350@gmail.com" class="">gregd2350@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Interesting. But the "hacker's delight" risk is only with physical
access to the module, in order to reset it back to factory
(somehow). Once the module's password is changed by the owner,
knowing the "master password" is useless. Right?<br class="">
<br class="">
Greg<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">Mark Webb-Johnson wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:5D4B6729-588E-4B4B-BD78-77D236AACACD@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Just got a file in my eMail from factory. First 120 serial
numbers. Like this:
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding:
0px;" class="">
<div class="">2018010014ABCD (last four characters redacted)</div>
</blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">Very nice, and should work well. If we keep it quiet, the
users will start an online discussion topic about the
mysterious encoding in the last four characters of the serial
number and what it means.</div>
<div class=""><br class="">
</div>
<div class="">I also realised that those 120 lines in the file are a
master password list for the OVMS modules! A hacker’s delight.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 4 Mar 2018, at 12:35 PM, Mark Webb-Johnson
<<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;" class="">Plan
is as follows:
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none;
padding: 0px;" class="">
<div class="">
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">Serial
numbers are of the form:</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">YYYYBBNNNNN</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">* YYYY is
four digit year. For example; 2018</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">* BB is two
digit batch. For example; 00, 01, 02, etc</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">* NNNN is
four digit sequence. For example; 0001, 0002,
etc</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">First
production batch is 2018010001 - 2018010120.</span></font></div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">
<div class="">That would be 10 digits. Not the most
secure, and pretty predictable, but better than a
simple “OVMS”.</div>
</div>
<div class=""><br class="">
</div>
<div class="">I’m asking if the software they have can
generate random characters. If it can, then will add
four random letters onto the end.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 4 Mar 2018, at 11:23 AM, Greg D.
<<a href="mailto:gregd2350@gmail.com" class="" moz-do-not-send="true">gregd2350@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi Mark,<br class="">
<br class="">
WPA2 PSK passphrases for WiFi need to be at
least 8 characters. Do the serial numbers
have leading zeros?<br class="">
<br class="">
Greg<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">Mark Webb-Johnson
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:9CBD2939-6C54-4BEB-B4B7-C41B857E9DD0@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><br class="">
</div>
They’ll do pretty much whatever we ask them
to do.
<div class=""><br class="">
</div>
<div class="">To try to formalise this, so
everyone can see, I’ve created a
production/qc/production_notes.txt file
with the production notes that will be
given to the China side. This should
document all the production and QC steps
they should do.</div>
<div class=""><br class="">
</div>
<div class="">What I have at the moment is:</div>
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px;
border: none; padding: 0px;" class="">
<div class="">
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">********************************************************************************</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">**
TOOLS</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">********************************************************************************</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">1]
DB9 CAN Bus QC tool</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
DB9 Female with:</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* Pins 2, 4, and 6 connected
(all CAN-L signals)</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* Pins 5, 7, and 8 connected
(all CAN-H signals)</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* R120 between pins 2 and 5</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* External 12V power connector</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* GND on pin 3</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
* +12V on pin 9</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">********************************************************************************</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">**
PRODUCTION STEPS</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">********************************************************************************</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">1]
Default wifi AP and module
passwords</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
OVMS> config set wifi.ap OVMS
<serialnumber></span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
OVMS> config set password
module <serialnumber></span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale Mono"><span style="font-size: 14px;" class="">
Where <serialnumber> is the
serial number from the label on
the enclosure.</span></font></div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">I think that should set both
the module default and auto wifi AP
passwords to the serial number of the
module. That will be on a label on the
underside of the module.</div>
<div class=""><br class="">
</div>
<div class="">You are correct: this is a
connected car, with possibly disastrous
consequences should somebody malicious
gain access. Best to err on the side of
caution.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 3 Mar 2018, at 4:07
AM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="" moz-do-not-send="true">dexter@expeedo.de</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> Mark,<br class="">
<br class="">
<div class="moz-cite-prefix">Am
26.02.2018 um 07:28 schrieb Mark
Webb-Johnson:<br class="">
</div>
<blockquote type="cite" cite="mid:B7AB3971-3FB1-4717-98FF-388A790206E7@webb-johnson.net" class="">
<div class=""><br class="">
</div>
I’ve asked the China side.
Specifically:
<div class=""><br class="">
</div>
<div class="">
<ol class="MailOutline">
<li class="">Can you print
serial number stickers for
these modules? I can
provide design - and we
can print a large batch.</li>
<li class="">Then, during
manufacturing, have one
step to enter serial
number as password into
module, like:</li>
<ol class="">
<li class="">Flash</li>
<li class="">Connect
terminal</li>
<li class="">QC checks</li>
<li class="">New step to
type: config set wifi.ap
OVMS
<serialnumber></li>
</ol>
</ol>
</div>
</blockquote>
<br class="">
Just to double check: so we won't
set the module password, only the
AP pass phrase?<br class="">
<br class="">
Has setting the module password
any drawbacks?<br class="">
<br class="">
I'm asking because I assume the
SMS channel -as soon as
implemented- will also provide
command access, which would be
open by default as well without a
module password.<br class="">
<br class="">
Setting the module password would
secure the webserver as well.<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.teslaclub.hk" class="" moz-do-not-send="true">OvmsDev@lists.teslaclub.hk</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.teslaclub.hk/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.teslaclub.hk" moz-do-not-send="true">OvmsDev@lists.teslaclub.hk</a>
<a class="moz-txt-link-freetext" href="http://lists.teslaclub.hk/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.teslaclub.hk" class="" moz-do-not-send="true">OvmsDev@lists.teslaclub.hk</a><br class="">
<a href="http://lists.teslaclub.hk/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.teslaclub.hk" class="" moz-do-not-send="true">OvmsDev@lists.teslaclub.hk</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.teslaclub.hk/mailman/listinfo/ovmsdev">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre wrap="" class="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.teslaclub.hk">OvmsDev@lists.teslaclub.hk</a>
<a class="moz-txt-link-freetext" href="http://lists.teslaclub.hk/mailman/listinfo/ovmsdev">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
</div>
_______________________________________________<br class="">OvmsDev mailing list<br class=""><a href="mailto:OvmsDev@lists.teslaclub.hk" class="">OvmsDev@lists.teslaclub.hk</a><br class="">http://lists.teslaclub.hk/mailman/listinfo/ovmsdev<br class=""></div></blockquote></div><br class=""></div></div></body></html>