If you heard about that hacking of the voices of traffic light crosswalks in the US recently, the root cause is the devices all had the password '1234' and an app to reprogram the devices was on the Apple app store.
https://www.theregister.com/2025/04/19/us_crosswalk_button_hacking/
One could argue that the password "admin" is slightly more secure than "1234" because
a) it is longer, and
b) it is composed of characters from an alphabet that has 26 characters instead of only 10.
@srslypascal @bytebro @GossiTheDog I miss the admin:system of the VMS era! :floofLol:
Apr 24, 2025, 2:24 PM@WastelandWandrr @srslypascal @bytebro @GossiTheDog
I accidentally got into a SYSTEM account this one time, with test:test (I was only supposed to be testing circuits, and I was sure that one wouldn't work).
Sure; not at work, bcs most places I have worked would fire people if such obvious access was available because it would get picked up on the most trivial security audit, however, I've reasonably often been round to help a friend with 'internet issues', and everything on the router is set to factory defaults, and I learned that admin:admin works for a terrifying number of older routers.
Apr 24, 2025, 10:25 PM@bytebro @WastelandWandrr @srslypascal @GossiTheDog
The one I found was on a VAX in the HQ of a large corporate entity in the food sector (on the other end of a private link). I was at a remote site, testing a LAN extension that shared an existing DECnet LAT with a new Novell IPX deployment. On the same wire. Which was coaxial.
Gradually, PC terminal software replaced the flickering glow of VT52 and VT100 terminals.
I was making sure that 'average' traffic could coexist for both systems.
Apr 24, 2025, 10:37 PM@bytebro @WastelandWandrr @srslypascal @GossiTheDog
I was just making sure that the site's LAT was still reaching CORPVAX1 in HQ with Novell users active. I wasn't expecting an "I'm in" moment on a machine several hours drive away.
So I logged out, and raised my concern about the test/test account with the most appropriate person at the local site.
The admins in the company HQ determined that a 3rd party vendor had left the backdoor in place. I don't know what happened about that.
@bytebro @GossiTheDog wait you have a password? Mine is just admin with no password!
@GossiTheDog Yes well, can you imagine the bureaucratic hassle involved in correctly and accurately recording a separate password for each device, and making sure it can be found in fifteen years' time next time someone needs to change the programming?
Password control doesn't sound like a very clever design choice to me, given how impractical it would be in real life to change the default password.
So ... in real life, if the password were changed then legitimate people making legitimate configuration changes would have to fall back on sticking a pin up the factory reset hole to get the default password back. And ... guess what ... the hacker could do that too!
@GossiTheDog Master hackers strike again
@GossiTheDog Now hack street lamp posts to sound like Dementia Donald.
@GossiTheDog that's amazing, I've got the same combination on my luggage
Apr 22, 2025, 8:55 PM@GossiTheDog Too bad the hackers didn't do something useful like putting them in ped recall.
Apr 22, 2025, 8:59 PM@GossiTheDog article covers one of the important points: automatic lockout after too many tries. Leaves out: are they all 4 digit PIN even if changed? Does the lockout expire?
Has the Microsoft president already announced that this must have been the work of 1000+ Hackers?
https://www.infosecurity-magazine.com/news/microsoft-1000-hackers-worked/
https://specopssoft.com/blog/solarwinds-hack-weak-password-solarwinds123-cause/
Haha, hilarious!
@GossiTheDog and this is why the PB/5 is awesome, and the best in the world. Good luck hacking that
@GossiTheDog And the hackers fucked over any person who needed the sound to cross safely.
@GossiTheDog
I sure HOPE the parking lot security robots have better passwords. I'm worried knowing Kristi Noem is looking for a new purse.
Bill
@GossiTheDog https://www.youtube.com/watch?v=a6iW-8xPw3k (pretend there is no 5).
Apr 22, 2025, 10:47 PM@GossiTheDog Hardcore password cracking!
1️⃣2️⃣3️⃣4️⃣
Apr 22, 2025, 10:51 PM
@GossiTheDog :blobcatthinkingsmirk2:
@GossiTheDog
As a general rule, people don't think of embedded systems (like those in traffic lights) as something that needs to be secured, probably partly because they're not viewed as true computers and also because people can't think of a reason why anyone would want to hack them. I remember a DEF CON talk that I watched a while ago where someone was able to remotely disable their neighbor's drone because it had an open Telnet port with absolutely no security whatsoever.
@GossiTheDog move fast, break things
@GossiTheDog Anyone reading this and getting ideas: please don't fuck with the crosswalks. Blind people rely on the voices to cross the street safely.
Apr 23, 2025, 1:53 AM@GossiTheDog in #Germany one needs at least a modified #Siemens #DECT phone to do so....
@GossiTheDog Lolololol! Ridiculous!
@GossiTheDog I wonder if they'll change the "1234" password to "4321".
@GossiTheDog The best hacker shit is just poking what's in plain sight 😁
