Xref: utzoo comp.dcom.modems:9160 sci.crypt:4457 alt.security:2139
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!news.cs.indiana.edu!msi.umn.edu!sctc.com!smith
From: smith@sctc.com (Rick Smith)
Newsgroups: comp.dcom.modems,sci.crypt,alt.security
Subject: Modem backdoor passwords (was re: security functions)
Message-ID: <1991Apr10.150745.4628@sctc.com>
Date: 10 Apr 91 15:07:45 GMT
References: <3888.27f10f22@hayes.uucp> <1991Apr4.144615.22814@dce.ie> <1991Apr5.170644.3076@sctc.com> <1991Apr5.215301.13807@netcom.COM>
Distribution: usa
Organization: SCTC
Lines: 42

I had posted a note decrying the existence of backdoor passwords in
dialback modems.

In article <1991Apr5.215301.13807@netcom.COM>
gandrews@netcom.COM (Greg Andrews) wrote:

>Access to the modem wouldn't compromise security on the computer ...
>... unless the computer has no security at all.

And sw@ (Steve Warner) wrote:

>There is little security risk in this though as all the computers
>connected to these modems have secondary password queries.

The basic question is *WHY* would someone buy a dialback modem in the
first place? Yes, computer systems are pasword protected. For many
users (academic classwork and research machines, for example) this is
sufficient. However, if you are protecting something serious or pricey,
you often want something more than generic authentication techniques.
As we all know, *nobody* has ever had their password compromised ;->

The purpose of dialback security is to prevent dialins from
arbitrary locations. The existence of a backdoor password eliminates
the the dialback modem's whole purpose as a security product. Anyone
with the backdoor password can bypass the dialback security that the
modem was supposed to provide. How many of those backdoor passwords
are floating around pirate BBSes already?

The thing I find most annoying is that the backdoor password doesn't
provide any features that couldn't be provided securely. At least
there could be a DIP switch that enables/disables the master password
so that you had the option to be really secure. Or else the DIP switch
could enable some magic mode for tweaking the modem via its serial
port. On the other hand, giving dialin access to the guts of the modem
means that any wily cracker out there could come and play with your
modem. Secrets (like ROMmed-in passwords) don't remain secret for long.

BTW, does anyone have a list of dialback modem manufacurers who do
and don't have backdoor passwords?

Rick.
smith@sctc.com    Arden Hills, Minnesota