by Dragon863 1178 days ago
As others have pointed out, even hashed passwords can be used to connect to a network. However, storing the password in plain text is an embarrassment for a company as big as Amazon, and they should at least be stored in a non-readable format if not encrypted. The physical access necessary does make the exploit less dangerous, though. You asked what the point of the article was; I think this could also be a starting point for running our own software on these devices, especially as there is a kernel for the mt8163 available on GitHub from the postmarketOS project.
2 comments

I really don't agree here. There are many arguments for storing plaintext passwords in, well, plaintext, rather than behind pointless obfuscations. Expressed quite concisely by Pidgin authors many years ago: https://developer.pidgin.im/wiki/PlainTextPasswords
After hearing you're 14 I don't want to turn this into an argument really, but please note just because something "sounds" embarrassing it may not be actually. Like others have pointed out, physical access to the device means many other measures that can be taken to protect security are not valid anymore. If there is no real need or security benefit for that password to be stored in anything other than plaintext then Amazon doesn't need to go out of their way to save any "embarrassment".
I agree that physical access is a major limitation, yet it is something that could easily be resolved with an OTA firmware upgrade or by simply informing users how their password is stored. I personally think that physical access should still be considered when designing products like these, even if it is a more remote possibility.
You seem to be missing the point my friend. The point of the security here is if someone has access to the device, are they able to extract information with which they can then connect to the wifi? The answer is yes REGARDLESS of whether it's hashed or not. When that is the case, not hashing is not a flaw. All hashing does in this case is 'obscure' it, which isn't the same as 'more secure'.

I suppose access to plaintext vs hashed password in this case saves the owner embarrassment if they've used a secret, or if they've used the same password elsewhere, though that isn't a problem of the device manufacturer.
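
An added illustration, not part of the thread: assuming the network uses WPA2-Personal (the thread does not say), the "hashed" form a client can store is the 256-bit PSK derived from the passphrase and SSID, and that PSK is itself what the client authenticates with. The function names are chosen for this example, and the sample passphrase and SSID are the published IEEE 802.11 test vector.

```python
import hashlib
import re

HEX_PSK = re.compile(r"[0-9a-fA-F]{64}")


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def key_used_to_join(stored: str, ssid: str) -> bytes:
    """Model of a client loading its saved credential.

    A 64-hex-digit value is treated as an already-derived PSK and used as is;
    anything else is treated as a passphrase and run through the derivation.
    """
    if HEX_PSK.fullmatch(stored):
        return bytes.fromhex(stored)
    return wpa2_psk(stored, ssid)


def exposure(stored: str) -> dict:
    """What someone who reads the stored value off the device obtains."""
    derived_only = bool(HEX_PSK.fullmatch(stored))
    return {
        "can_join_this_network": True,             # true for both storage forms
        "reveals_passphrase": not derived_only,    # matters if it is reused elsewhere
    }


if __name__ == "__main__":
    # Constructed sample: the IEEE 802.11 test vector, not a real network.
    ssid, passphrase = "IEEE", "password"
    hashed = wpa2_psk(passphrase, ssid).hex()
    print("stored as PSK      :", hashed)
    print("same key either way:",
          key_used_to_join(hashed, ssid) == key_used_to_join(passphrase, ssid))
    print("plaintext exposure :", exposure(passphrase))
    print("derived exposure   :", exposure(hashed))
```

Both storage forms yield the same network key; the derived form only keeps the human-chosen passphrase itself off the device, which is the distinction the last comment draws.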