OBI Device Security - syslog WARNING

Started by dboling, September 15, 2018, 08:43:14 AM


dboling

I have an OBI202 and OBI212 which have syslog enabled (level 7) and pointed to my Linux server. Both OBI logs are pointed to a single log file.

I like to tail the log files to make sure everything is working correctly.

It did disturb me to watch my partner on the OBI212 make a phone call to our bank.

What I saw in the logfile was:

Bank Phone Number (Connect).
pause.
Her Social Security Number.
pause.
Pin Number.

I totally understand the need to see what buttons are pressed on the phone for diagnosis, but seeing financial information in the log file was disturbing.

I guess I'll be writing a cron process that overwrites the OBI log file every 5 - 10 minutes for security.

This also makes you wonder how much of this information is logged by the local phone companies.
-Diane

Sheffield_Steve

So you have it in debugging mode and it's recording all key presses.

What did you expect? 

dboling

Quote from: Sheffield_Steve on September 15, 2018, 09:44:29 AM
So you have it in debugging mode and it's recording all key presses.

What did you expect? 

Level 7 (debug) is default.
I expected just what I saw as syslog is far from new to me.
I just hadn't thought about bank info and such being recorded in syslog and was surprised.

This post also serves to inform new users of the possibility that they're recording personal info within syslog.
-Diane

Sheffield_Steve

It has no idea about bank information or PIN numbers, it's simply recording all key presses as requested.

Try some of the other levels and see if they meet your need.