Bugzilla – Bug 1828
SB2 reveals WPA/WEP encryption key/password in plaintext
Last modified: 2009-09-08 09:11:56 UTC
Anyone who has access to the SqueezeBox2 and its remote can easily discover the plaintext password for the WEP/WPA encrypted network to which it is connected. Once entered, this password should never be revealed. SB2s tend to live in lounges where they are easily accessible to friends, friends of friends at parties etc. Any of these people could deliberately or accidentally discover the password when using the device. This would potentially allow them to access the wireless network or, in the common case of password reuse, to other services (email, shopping sites etc). The obvious drawback to hiding the password is that it may be forgotten, but it really isn't the SqueezeBox's place to act as a password store!
The other drawback is that entry and verification of the WPA password is complicated by not being able to see it. I agree, relying on physical access to the player is probably not ideal, but we need to make sure that setup isn't made more difficult.
No, you don't need to hide it while it's being entered, but you do whenever anyone returns to this area of the setup. This won't make entering it any more difficult, but will probably make troubleshooting a bit harder. If the SB is having trouble connecting to the wireless network, the only way to be sure that you have the correct key or password will be to return and reenter it. An alternative approach would be to password protect this area of the setup, or perhaps this and other areas as well. Other settings aren't as security- sensitive, but it might be desirable to keep kids or visitors out of the setup altogether. If this is done, then it's unnecessary to 'hide' the plaintext display of the wireless password since it's behind the setup password. I'd have a default setup password, something like '1234', and then leave it up to the SB owner whether he wants to change it.
I've seen some mention of a PIN or some kind of keyed password to enter setup. I think I prefer this as an overall solution rather than picking at each element. perhaps a kiosk mode (like the slimp3), that skips setup even on a power_hold reset. key code turns on and off, or password only on startup before allowing access to setup. Only problem there, now you can't allow exposure of that password, etc etc. There is always the occasional 'I've lost my http password', and THAT is an easier one for the user to fix than something in flash.
Will address this post-6.2
If you add a setup password you MUST provide a way out if its forgotten. For example - full reset must work without the password and return the box to its original state, including the no password state. And - its really better to start with no password. Or in the alternative to display the default password value in the startup dialog. People do loose their documentation.
Marc: see bug 3260 for password protecting setup. We'll do asterisks to obscure the password when it's not locked (and fully set up).
> We'll do asterisks to obscure the password when it's not locked (and fully set up). Please do NOT do this. It makes it virtually impossible to debug errors in the string. I don't plan on using a lock code, but this change would require me to use one just to see the key in plaintext. If someone chooses NOT to use a lock code then that's their decision to leave their wireless key exposed to remote ui users.
Jim, it's ok. The password remains in clear text until you have successfully connected to the slimserver. When the password is known to work, only then are asterisks used in place of the password.
Fixed in firmware 41