Monday, June 26, 2017

The “I Can Use Facebook Any Time I Want To” Offspring Password Reset Attack

No matter how ridiculous, every "cyberthreat" must have a catchy name.

Sometimes parents will restrict the times that a child can use the Internet for anything other than homework or downloading Malwarebytes to fix their parents’ PC. Policy and compliance, as every parent and IT professional knows, are not always followed by choice. If you are a parent, how do you enforce such a policy? Technology to the rescue…

Many cable modems, and other network connectivity devices, allow the administrator to set up times during which certain computers are blocked from using specific Internet sites. Of course that doesn’t work if you leave the default administrator username and password unchanged... it’s either on the Internet, or on a sticker on the bottom of the device.

Since you already knew that, or someone who did know that helped you configure the device, your kid isn’t going to log in to the console and fix the “policy.” Here is where the old adage about physical access and game over comes into play. Simply stated, if a person has physical access to a device, they own it. If your teenager has physical access to the network device, they can perform an insidious password reset attack and you will never be the wiser. There’s a reset button on the device. Among other things, the reset button resets the... yeah, password. You may never know it happened until 25 years later when during some random conversation your kid confesses. At that time, if your kid still lives at home, go ahead and enforce lockout hours again. The defense against the offspring password reset attack is to prevent physical access to the device. For the average parent that would be a pain in the @ss inconvenient. I’m not a parent so it isn’t really my problem, I’m just the messenger.

Before you state the obvious, there are parental control apps that can enforce policy on a mobile phone. These apps are almost certainly more common than parents doing anything with their cable modem configurations. If you’re a kid, that’s what burner phones are for.

OK, the attack is esoteric and it just amused me, but the point is that sometimes physical security is required where you least expect it. Perhaps next time I will discuss the legal implications of the offspring password reset attack, but don’t lock up your kids yet.

By the way, I recommend using a password manager and keeping both your current username and password and the default username and password in it. For one, it can be a pain in the @ss inconvenient to turn over the device with all of those network cables and the stiff coaxial cable attached in order to see the sticker with the password on the bottom. For another, if anything happens to the sticker with the password, and it is a modem-specific password, you are now vulnerable to a password lockout attack. I find it embarrassing to tell my ISP that my cat licked off the cable modem sticker… especially the second time.

Randy Abrams

Independent Security Analyst with a Stranger Sense of Danger 