I am evaluating a new device that has its own internal webserver. It’s a box that deals with some input signals that can be used via TCP/IP. It sounds great since it also provides a WiFi port and is security enabled. All great, a standard way to communicate with a device, but (there is always a but) …
- Security is provided by encrypting the password with MD5. Sadly, MD5 is completely defeated and should be used only for compatibility reasons. It’s very easy to crack MD5 in minutes by using MD5 rainbow tables. Simply put, MD5 should never be used for new things.
- The WiFi option is provided by using WEP encryption. Oh yes, the most standard thing about WEP is the crack!!! Its algorithm is completely compromised. By using replay attacks, anyone can crack WEP in a few minutes … you can also do it in seconds under certain conditions.
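To make the MD5 point concrete, here is an added example (not code from the device or its vendor) that puts unsalted MD5 beside a salted, iterated KDF and checks which scheme leaves identical stored values for identical passwords, the property precomputed tables depend on. It assumes the device stores an unsalted MD5 of the password; the account names, the password and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not from any real device): two users, same password.
SAMPLE_USERS = {"admin": "letmein2024", "operator": "letmein2024"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the device's CPU


def md5_record(password):
    """Weak scheme: unsalted MD5, the same digest for the same password everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def users_sharing_a_digest(stored):
    """Group users whose stored value is identical (a sign of unsalted hashing)."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def audit():
    """Return the shared-digest groups under the weak and the hardened scheme."""
    weak = {u: md5_record(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: pbkdf2_record(p)["hash"] for u, p in SAMPLE_USERS.items()}
    return users_sharing_a_digest(weak), users_sharing_a_digest(strong)


if __name__ == "__main__":
    weak_groups, strong_groups = audit()
    print("unsalted MD5, users with identical digests:", weak_groups)
    print("salted PBKDF2, users with identical digests:", strong_groups)
```

The same grouping check can be run over an exported credential table during a device review: any group it reports means the stored values are unsalted.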
I had the chance to show rainbow table techniques, WiFi and pre-shared key WPA, and many other cracks during last October’s WPC conference in Milano. Showing hacking techniques is a good way to warn developers and administrators about the risks they assume.
Standards are a good thing but, even when they are proved to do the bad thing, you’ll have to keep them around for a long time. So we should all hope that standards don’t grow under the trees.