So last night, after the reception for The IT Nation ended, I hooked up with the team at Bulletproof InfoTech, a client of ours for over five years now. We were discussing the event when one of their techs pulled out an app on his smartphone that was designed to help attendees stay connected with the event. It looks like a great app that lets you check out events, sessions and what not. As we talked more about it, I listened to them discuss some of the challenges they were having logging in, and it was explained to me that every attendee has access to this app and, by default, the username is your email address and the password is the last four digits of your phone number. I couldn’t believe this when I heard it; that seemed far too dangerous.
I asked them if the app allowed attendees to find each other, and sure enough, each user’s profile is displayed in a way that lets you read up about others. That started alarm bells ringing for me. What if someone had mischievous or malicious intent?
Being fellow Canadians, I like hanging out with the guys at Bulletproof. But seconds after I asked about the information displayed in the app and how easy it would be to change, their minds started spinning, and the next thing I knew a discussion ensued about some friendly ribbing of Ted over at IT Weapons, another great IT company in Canada. Sure enough, several minutes later someone had Ted’s profile up. It wasn’t hard: everyone knows Ted’s email address, and finding his phone number isn’t that hard these days.
The result was interesting. I really can’t show some of the images that started going up as his profile picture. When things settled down, Ted’s profile looked something like this (information sanitized for Ted’s protection):
What can we learn from this?
Default passwords are a bad idea, ESPECIALLY when they are well known. Using a pattern like the last four digits of someone’s phone number isn’t a deterrent; it’s a guessing game for people to play. Apparently, it only took a few minutes to win.
While the event itself did little harm, and Ted has taken it in stride, the reality is that this is indicative of a bigger problem. Here we are, sitting in a bar just before midnight, and honest, ethical IT administrators at an IT show start hacking each other’s accounts, without thinking of the real impact or consequences.
What would have happened if one of the “other” pictures had stayed, and Ted’s profile was used during his speaking session to introduce him? Imagine the impact and embarrassment he might have suffered. Or what if the guys had had competitive motives to make Ted look bad? This wasn’t Ted’s fault; it was a poor password security decision by the developers of the IT Nation app.
I think you get the idea. Default passwords are a bad idea and should never be used. While this incident has little consequence, have you considered the default passwords on some of the gear you deploy? Like the photocopiers: you know that in many cases a digital copy of everything you copy is stored on them? Have you made sure no one can log in and grab those? What about those routers? Switches? iLO and DRAC subsystems? You owe it to yourself to question vendors and make sure they don’t ship with default passwords. And if they do… you need to go and change them. Store them in the AuthAnvil Password Server. And move on.
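As an added example (not code from the IT Nation app, AuthAnvil, or anyone mentioned in this post), here is how an event app’s enrollment flow could avoid the problem above: reject any initial credential that can be derived from the attendee’s own profile (a run of phone digits, the email local part), issue a random per-attendee one-time setup code instead, and require a fresh password on first login. The `Attendee` class and the sample attendee are constructed for the demo.

```python
import re
import secrets
import string
from dataclasses import dataclass, field

@dataclass
class Attendee:
    email: str
    phone: str
    must_reset: bool = True              # forced password change on first login
    setup_code: str = field(default="", repr=False)

def derived_from_profile(password: str, attendee: Attendee) -> bool:
    """True if the password could be guessed from the attendee's own profile:
    any run of 4+ phone digits (which covers "last four digits") or the
    local part of the e-mail address."""
    digits = re.sub(r"\D", "", attendee.phone)
    local_part = attendee.email.split("@")[0].lower()
    pw = password.lower()
    if len(pw) >= 4 and pw in digits:
        return True
    return len(local_part) >= 3 and local_part in pw

def issue_setup_code(attendee: Attendee, length: int = 12) -> str:
    """Replace the predictable default with a random, per-attendee one-time
    setup code (delivered out of band, e.g. by e-mail to the registered address)."""
    alphabet = string.ascii_letters + string.digits
    code = "".join(secrets.choice(alphabet) for _ in range(length))
    attendee.setup_code = code
    attendee.must_reset = True
    return code

def first_login(attendee: Attendee, code: str, new_password: str) -> bool:
    """Accept the setup code exactly once and require a new password that is
    not derived from the profile; the code is consumed only on success."""
    if not attendee.setup_code or not secrets.compare_digest(code, attendee.setup_code):
        return False
    if len(new_password) < 10 or derived_from_profile(new_password, attendee):
        return False
    attendee.setup_code = ""
    attendee.must_reset = False
    return True

if __name__ == "__main__":
    # constructed sample attendee, not a real person's data
    ted = Attendee(email="ted@example.com", phone="+1 (416) 555-0199")
    print(derived_from_profile("0199", ted))                                # True
    print(first_login(ted, issue_setup_code(ted), "blue-kettle-42-xyz"))     # True
```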
Of course, if you are still at IT Nation, consider changing the password on your profile. Then download our free eBook on how to better protect yourself while at IT Nation.
Stay safe my friends.