Tom here from Lawrence Systems, and we're going to talk about Fortinet. If you want to learn more about me or my company, head over to lawrencesystems.com; if you'd like to hire us for a project, hit the hire-us button at the top. If you want to support the channel another way, there are affiliate links below for the products and services we talk about. Now, we're going to talk about Fortinet. I've got no offer codes or affiliates for them; I don't even own a Fortinet device. I'm going to talk about some of the security culture as I see it from the outside looking in, based on a list of articles I have on their security vulnerabilities. We're going to talk very specifically about the coding mistakes Fortinet has been making, and has been making for a number of years, regarding hard-coded keys.

Now, I was at an event a few months ago and I got to meet some of the Fortinet people, the salespeople, and they seemed pleasant. There is always a problem in companies, a real decision that has to be made: the sales and marketing team wants to make things easy for the users, very easy and simple to use, and there's a security team going, "don't hard-code passwords." Then management sets the precedent, and the culture, by deciding who wins that battle, and that battle has been going really, really not well over at Fortinet, in my opinion.

So this is the latest, as of just a few days ago; this was all made public: FortiSIEM hard-coded SSH key, tested on versions 5.2.5 and 5.2.6, haven't confirmed all versions. Fortinet has their own CNA, and they do. "FortiSIEM has a hard-coded SSH public key for the user 'tunnel' which is the same between all installs. An attacker with this key can successfully authenticate as the user to the FortiSIEM supervisor."
This is a restricted user; as he points out, it is restricted to only a particular tunnel shell script under /opt. But I want you to think about something: once a user has some level of access on the firewall, it's a matter of keep trying that access until you can pivot; see if there's a way to crash that particular program, see if there's something you can exploit. I don't want anything potentially authenticating on my firewalls. Firewalls are what divide us between our networks and the internet, so they are critical in terms of security. And there appear to have been some goof-ups in terms of them actually getting the email from this particular security researcher. I'm a little fuzzy on why they didn't respond to the emails, but he did his disclosure based on them not responding, as opposed to going through a waiting period; he posted before they had the fix. But they have the fix; so here is the fix for the FortiSIEM default SSH key for the tunnel user.

You're probably thinking this is an isolated incident, but I have tons of evidence to the contrary. So this is over at Ars Technica: "Fortinet hard-coded password raises new backdoor eavesdropping fears. Discovery comes a month after competitor Juniper also had a hard-coded backdoor." And yes, we now have a hard-coded password in there. This would allow people to log in, so that's not good. It's a challenge-response for remote login to the servers, etc. Let's dive further. What about other products Fortinet makes? "FortiRecorder sets credentials to static values." Another problem they have here: it's an authentication bypass, because it's hard-coded credentials, not a default password. That's different: hard-coded credentials means they could just log in. But what about their other vulnerabilities? "Surely these are just coding vulnerabilities, and you're being, you know, hyperbolic about them, Tom.
You're really pushing it here." No, no. These also, this is just, I don't know how to describe it other than not secure. So in addition, it was disclosed and fixed in May of 2019 that FortiOS included a magic string value that had been previously created at the request of a customer to enable and implement a password change process when said passwords were expiring. That function had been inadvertently bundled into the general FortiOS release, and an improper authorization vulnerability resulted in that value being usable on its own to remotely change the passwords of LDAP users' credentials. Yeah, we just bundled in a password by accident. We don't apparently take our customer code base and our main code base and check them.

Back to security culture: "use of hard-coded cryptographic key to cipher sensitive data in backup files." Hard-coded key again. See a common phrase here? FortiGuard services used another hard-coded encryption key. This was one that took 18 months to fix; this was disclosed also in 2019 and took months to get fixed. There's a whole breakdown of it here. They do have fixes for this, and of course there's the security research, and I'll leave links to all these so you can do further reading if you want to dive into the details. But you notice the phrase I used, "hard-coded key," repetitively over four years. We're probably going to find more of these. Why? Well, you know, once someone has discovered that a company has a practice of putting hard-coded keys in there, people and security researchers are going to keep looking and probably keep finding more and more hard-coded keys. It is a problem I have with a lot of closed-source firewalls: you don't know if there's a hard-coded key until security researchers take the time to poke away at it. Now with open source, generally speaking, a mature open-source product is not going to have hard-coded keys; someone would notice them very, very quickly.
So if a large open-source project were to go, you know, "we're just going to go and put these static encryption keys in and everyone can use them, and by the way, we'll go ahead and put the public and private one all bundled into the source code so anyone can see it," someone would really look hard at that. That doesn't make any sense. Now, there are always code flaws that do come in, because coding is hard, and the larger your code base gets, the more difficult it is to secure; that's the statistics, and it especially gets harder as you have programmers that are probably being pushed over by marketing, or maybe they just hired the lowest bidder. I don't know the details; I've never been inside Fortinet to understand this. I don't even know if they're going to address this in any way or ignore this video completely. But my feeling, watching a company that has an entire long history, and I only pulled up the ones specifically, and I know there's still more that were related to hard-coded passwords: this does not sit well with me in terms of my thoughts on any company that does this. If you're hard-coding passwords, not setting defaults, not like "hey, here's a default, change it," but hard-coding cryptographic keys, that's bad. This may have been some security idea people had many, many years ago out of convenience, but it's really routine to generate new keys on new installs or new boots and then create different key pairs. And yes, I know that you do have to spend a little bit more time setting these things up when you have that, versus the convenience of "hey, it just used the same key, so any time I load the software it gets there, awesome."
That's great, but I don't believe Fortinet does that. They appear to just choose the really, really easy route of "create a key and bundle it in our firmware." The last little note I'll have is: I don't own any Fortinet devices, but I did try logging in to the Fortinet website. I did create an account with them, but I noticed you can't download firmware, and my understanding, and someone can correct me if I'm wrong, is that the only way to get firmware is when you have a device that is under support. If I'm wrong about that, just let me know. I did notice, though, that without a device it didn't let me choose to download firmware, but lack of a device means I kind of stopped there. I've had a few people mention it to me, and I've had people tell me two different answers, so if you want to leave that as a comment below, whether or not you need to have a support contract in order to get firmware, I'm interested. Now, as far as my overall thoughts on Fortinet: every time someone asks, this video is now the reply. I don't know if the company's going to make some major changes, but I kind of think they should; this is definitely concerning. And once again, why I advocate for open source: and of course not because it's open source I think it's secure; it's an open-source mature product that's gone through code vetting that makes a product much more secure. That helps a lot, and, you know, we are not as likely to find default cryptographic keys in them.
Thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
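Added example, not from the video and not Fortinet's code: a small Python scanner for the condition the video describes, a public key authorized on every install and a private key shipped inside the firmware itself. It walks extracted filesystem images (here an in-memory {path: text} dict per build), flags any PEM private key block, and computes the OpenSSH-style SHA256 fingerprint of every authorized_keys entry so that a key identical across builds stands out regardless of comment or file location. The build names, the /home/tunnel path and the ssh-ed25519 blobs are constructed for the example; the blobs are syntactically valid but are not real keys.

```python
import base64
import hashlib
import re
import struct

# An OpenSSH public-key line: "<key type> <base64 blob> [comment]" (authorized_keys, *.pub).
PUBKEY_RE = re.compile(
    r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)", re.M
)
# Any PEM-armoured private key (OpenSSH, PKCS#1, PKCS#8, EC). One of these inside a
# firmware image means every device built from it ships the same private key.
PRIVKEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, formatted like `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def scan_image(files: dict) -> tuple:
    """Scan one extracted image ({path: text}).

    Returns (pubkeys, privkeys): pubkeys maps each public-key fingerprint to the paths
    that authorize it; privkeys lists the paths that contain a PEM private key.
    """
    pubkeys, privkeys = {}, []
    for path, text in files.items():
        if PRIVKEY_RE.search(text):
            privkeys.append(path)
        for _key_type, blob in PUBKEY_RE.findall(text):
            pubkeys.setdefault(fingerprint(blob), []).append(path)
    return pubkeys, privkeys


def shared_keys(images: dict) -> dict:
    """Return {fingerprint: {image_name: [paths]}} for keys authorized in more than one image.

    A key present in every build is the same key on every install: whoever holds the
    matching private half can authenticate to all of them.
    """
    seen = {}
    for name, files in images.items():
        pubkeys, _ = scan_image(files)
        for fp, paths in pubkeys.items():
            seen.setdefault(fp, {})[name] = paths
    return {fp: where for fp, where in seen.items() if len(where) > 1}


def _constructed_ed25519_line(seed: int) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 line whose 32 key bytes are
    derived from `seed`. Not a real key pair; it exists only to give the scanner input."""
    raw = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " tunnel@build"


SHARED_KEY = _constructed_ed25519_line(1)   # baked into both builds
UNIQUE_KEY = _constructed_ed25519_line(2)   # present in one build only

# Constructed sample images: two builds of the same appliance. Paths and the "tunnel"
# user name are assumptions for the example, not taken from any real product.
SAMPLE_IMAGES = {
    "build-a": {
        "/home/tunnel/.ssh/authorized_keys": SHARED_KEY + "\n",
        "/etc/ssh/ssh_host_ed25519_key": (
            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==\n"
            "-----END OPENSSH PRIVATE KEY-----\n"
        ),
    },
    "build-b": {
        "/home/tunnel/.ssh/authorized_keys": SHARED_KEY + "\n" + UNIQUE_KEY + "\n",
    },
}


def report(images: dict) -> list:
    """Human-readable findings: shipped private keys, then keys shared across builds."""
    lines = []
    for name, files in images.items():
        _, privkeys = scan_image(files)
        for path in privkeys:
            lines.append(f"{name}: private key shipped in image at {path}")
    for fp, where in shared_keys(images).items():
        builds = ", ".join(sorted(where))
        lines.append(f"authorized key {fp} is identical across builds: {builds}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_IMAGES):
        print(line)
```

On real firmware, point `scan_image` at the files of an unpacked root filesystem (a tool such as binwalk or a vendor image extractor gives you that); comparing two firmware versions, or the same version pulled from two devices, is what turns "there is a key here" into "this key is the same everywhere," and a private key found anywhere in the image is a finding on its own, because the remedy the video argues for is to generate keys on the device at first boot rather than in the build.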