by smutticus 4056 days ago
Is anyone else dissatisfied with the amount of information we get in many sec bug reports? Almost every time I read a CVE or other vulnerability I find myself with more questions than answers. There's so little information given.

Is telnet on by default? Is this device normally plugged into a network, for how long? How common is this device? Has it been on the market for long?

Without this kind of information it's very difficult to assess risk, or otherwise form an opinion.

2 comments

Telnet is on by default. It is a busybox shell. This device is normally connected to a network via wifi. There is an additional Ethernet port on the back. It is safe to say every patient using one of these has physical access. The wireless encryption keys are stored in plain text.
On the other hand, for potentially significant security holes, answering those questions would make attacking the devices easy. I imagine more detail will come out in a postmortem once the affected devices are updated. I may be overly optimistic, though.
I've got a full advisory written up. It is unclear if the vendor will be patching the device. When I get that cleared up I'll have a full advisory for everyone. In the meantime if you need something answered urgently you can contact me directly.
Hopefully not a literal post mortem.