Unable to change admin password on OBi110
SteveInWA:
Quote from: Shale on October 21, 2014, 06:36:13 am
Glad it worked out.
I am a bit shocked that the OBiTalk interface could get into the OBi without knowing the password.
I assume that the device had first been added to the OBiTALK account with a default user ID and password, so this gave it access to the device, regardless of any subsequent changes to the device on the local side -- as soon as the device reboots, it syncs with the portal, which wipes out anything locally-configured, including the password. One might argue that this is a vulnerability, but the assumption is that the user had to have physical access to the device to add it to the portal (go through the **5 device discovery routine), so they're authorized to access the device via the portal.
aselvan:
Quote from: SteveInWA on October 21, 2014, 08:04:50 pm
Quote from: Shale on October 21, 2014, 06:36:13 am
Glad it worked out.
I am a bit shocked that the OBiTalk interface could get into the OBi without knowing the password.
I assume that the device had first been added to the OBiTALK account with a default user ID and password, so this gave it access to the device, regardless of any subsequent changes to the device on the local side -- as soon as the device reboots, it syncs with the portal, which wipes out anything locally-configured, including the password. One might argue that this is a vulnerability, but the assumption is that the user had to have physical access to the device to add it to the portal (go through the **5 device discovery routine), so they're authorized to access the device via the portal.
Yes, the device was added to the OBiTalk account, and OBiTalk, using the default admin/admin credentials, reset everything on the device! I was shocked too. In my opinion, the sync should be the other way around (i.e. physical device to website) or not sync at all... and most importantly, it should never sync the admin credentials on the physical device to a website. Though I changed the admin password on the OBiTalk interface for the device, I just don't like the idea of a website having access to a physical device inside my network. I bet most users did not bother to change the admin/admin password on this device!
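The check aselvan's last sentence invites, whether a device on your LAN still answers to factory-default credentials, as an added example that is not part of this thread and not OBiTalk's or Obihai's code. It assumes the device's web UI uses HTTP Basic authentication (an assumption; adjust if yours uses a login form or Digest) and that admin/admin and user/user are the defaults worth trying. The small local server in the block is constructed solely so the example runs offline; it does not model the real OBi110 interface.

```python
"""Probe a LAN device's web UI for factory-default HTTP Basic credentials.

Added example, not code from the thread. Assumptions: the device protects its
web UI with HTTP Basic auth, and the credential list below reflects its
factory defaults. The demo server is a constructed stand-in for testing only.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed factory defaults; extend for your device.
DEFAULT_CREDS = [("admin", "admin"), ("user", "user")]


def default_creds_accepted(base_url, creds=DEFAULT_CREDS, timeout=3.0):
    """Return the first (user, password) pair the device accepts, or None.

    401/403 means the pair was rejected; any 2xx means it was accepted.
    Other failures (connection refused, timeout) propagate so the caller can
    tell 'device unreachable' apart from 'credentials rejected'.
    """
    for user, pw in creds:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = Request(base_url, headers={"Authorization": f"Basic {token}"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if 200 <= resp.status < 300:
                    return (user, pw)
        except HTTPError as e:
            if e.code in (401, 403):
                continue  # rejected: try the next pair
            raise
    return None


class _DemoDeviceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a device web UI guarded by HTTP Basic auth."""
    expected = None  # "user:password" string, set per server instance

    def do_GET(self):
        want = "Basic " + base64.b64encode(self.expected.encode()).decode()
        if self.headers.get("Authorization", "") == want:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Device Status</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_device(user, password):
    """Start a throwaway local server that accepts only user:password.

    Returns (server, base_url); call server.shutdown() when done.
    """
    handler = type("Handler", (_DemoDeviceHandler,),
                   {"expected": f"{user}:{password}"})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    # Two constructed devices: one still on admin/admin, one with a changed password.
    for user, pw in [("admin", "admin"), ("admin", "s3cret-local-pw")]:
        srv, url = start_demo_device(user, pw)
        hit = default_creds_accepted(url)
        print(f"{url} (real password {pw!r}): default creds accepted -> {hit}")
        srv.shutdown()
        srv.server_close()
```

Point `default_creds_accepted` at your device's real LAN address (for example `http://192.168.1.50/`) to check it; a result other than `None` means the local password is still the factory default, which is exactly the state in which a portal-side sync can walk straight in.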