My Uniden Insecurity

Status
Not open for further replies.

belvdr

Member
Premium Subscriber
Joined
Aug 2, 2013
Messages
491
I forgot my password to My Uniden and clicked the Forgot Password link. Lo and behold, I discover Uniden is storing credentials in cleartext. This is unacceptable these days.

Word to the wise, ensure you use a random password there.

EDIT: Per my conversation below, I thought it prudent to add that the password is stored in either cleartext or in a reversible encryption. I apologize for misleading on that point. Either way, it's not stored properly.
 
Last edited:

diskmonger

Member
Joined
Jul 1, 2004
Messages
428
Location
Michigan
How do you know they are storing passwords in plain text? I think what you meant to say is the password was emailed to you.
 

jonwienke

More Info Coming Soon!
Premium Subscriber
Joined
Jul 18, 2014
Messages
11,317
Location
VA
I forgot my password to My Uniden and clicked the Forgot Password link. Lo and behold, I discover Uniden is storing credentials in cleartext.
How did you manage to do that? Do you have access to the drives on Uniden's server?
 

jonwienke

More Info Coming Soon!
Premium Subscriber
Joined
Jul 18, 2014
Messages
11,317
Location
VA
Using the "Forgot Password" link is all that's required. No physical access needed.
WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.
 

belvdr

Member
Premium Subscriber
Joined
Aug 2, 2013
Messages
491
WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.
Sure, it could be encrypted, but I have never seen that done in practice. I'd venture it's > 90% probable it's in the clear.

Regardless, the password storage mechanism is reversible and that's the root of the issue: it's a flawed storage mechanism, therefore insecure. Passwords should always be stored using a one way hash and the Forgot Password mechanism should never email you the password they have on file directly, not to mention sending it via email puts it in the clear as well.

No need for caps, I can hear you clearly.
 

belvdr

Member
Premium Subscriber
Joined
Aug 2, 2013
Messages
491
How do you know they are storing passwords in plain text? I think what you meant to say is the password was emailed to you.
The password they have on file was emailed to me, not a new random password. That's not secure unfortunately.
 

RogueSteward

Member
Joined
Mar 25, 2018
Messages
72
Sure, it could be encrypted, but I have never seen that done in practice. I'd venture it's > 90% probable it's in the clear.

Regardless, the password storage mechanism is reversible and that's the root of the issue: it's a flawed storage mechanism, therefore insecure. Passwords should always be stored using a one way hash and the Forgot Password mechanism should never email you the password they have on file directly, not to mention sending it via email puts it in the clear as well.

No need for caps, I can hear you clearly.
Unless Uniden wants to be the next company in the news with the headline, "Security researcher discovers credentials for 5,000 users", this problem should be fixed asap.
 

slicerwizard

Member
Joined
Sep 19, 2002
Messages
6,228
Location
Toronto, Ontario
WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.
If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.
 

GTR8000

NYS Database Guy
Database Admin
Joined
Oct 4, 2007
Messages
8,164
Location
BEE00
If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.
^ This.

If the server is returning the password in clear text via email or any other method, then the server can be compromised. Passwords should be one-way encrypted on the server so that no one, including the company that owns the server, can recover a password. Only the hash gets compared when logging in, not the actual password itself, as the server shouldn't be able to decrypt it.

A properly setup and secure server will never return your password to you, it will force you to reset it.
 

jonwienke

More Info Coming Soon!
Premium Subscriber
Joined
Jul 18, 2014
Messages
11,317
Location
VA
If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.
Not necessarily, if the data is stored on something like this:
https://www.amazon.com/Apricorn-Padlock-Fortress-Validated-Encrypted/dp/B00NTQGZNS/

The decryption key is entered separately into the storage device, and the server doesn't have access to the encryption/decryption key.

Is it possible that Uniden is storing passwords in the clear on an unencrypted drive? Yes.

And I agree that storing a cryptographically strong hash of a password is much more secure than storing the password itself.

But getting a password in an email is not proof that passwords are being stored in the clear on an unencrypted drive, which was the original claim.
 

belvdr

Member
Premium Subscriber
Joined
Aug 2, 2013
Messages
491
Not necessarily, if the data is stored on something like this:
https://www.amazon.com/Apricorn-Padlock-Fortress-Validated-Encrypted/dp/B00NTQGZNS/

The decryption key is entered separately into the storage device, and the server doesn't have access to the encryption/decryption key.

Is it possible that Uniden is storing passwords in the clear on an unencrypted drive? Yes.

And I agree that storing a cryptographically strong hash of a password is much more secure than storing the password itself.

But getting a password in an email is not proof that passwords are being stored in the clear on an unencrypted drive, which was the original claim.
How would Uniden then be able to email me the password they have on file without the server having access to the key? It has to have that access in order to decrypt the password.

I updated the my original post after our first discussion.
 

jonwienke

More Info Coming Soon!
Premium Subscriber
Joined
Jul 18, 2014
Messages
11,317
Location
VA
How would Uniden then be able to email me the password they have on file without the server having access to the key? It has to have that access in order to decrypt the password.
The key is entered separately, directly into the storage device, and the storage device handles the encryption and decryption, rather than the server. Or, the server can use something like BitLocker in addition to the encryption built into the external drive.

It's still not the same as storing hashed passwords, though.
 

iMONITOR

Member
Joined
Sep 20, 2006
Messages
7,204
Location
MACOMB, MI.
The best thing you can do to protect yourself is not to let websites remember your charge card billing information. Yes it's very convenient not to have to reenter it every time. But I'll take the time to renter it each time rather than make it convenient for the hacker as well!
 

belvdr

Member
Premium Subscriber
Joined
Aug 2, 2013
Messages
491
The key is entered separately, directly into the storage device, and the storage device handles the encryption and decryption, rather than the server. Or, the server can use something like BitLocker in addition to the encryption built into the external drive.

It's still not the same as storing hashed passwords, though.
The drive encrypts data stored on it. That would not work as you'd expect for a web service. The service would think it is writing cleartext and the drive would encrypt it. Thus, a password is still readable and if the web service were compromised, so is the data.

It's similar to transparent data encryption, which solves the issue of data at rest, but doesn't solve the problem of the application writing cleartext. This is an application issue, not an issue at the hardware or operating system level.

I cringe when web services do this. A hash isn't hard to do and is the most secure option, especially with a salt.
 
Last edited:

jonwienke

More Info Coming Soon!
Premium Subscriber
Joined
Jul 18, 2014
Messages
11,317
Location
VA
The Uniden site doesn't store CC info, so the worst case scenario if a hacker got my password is that they would be able to see the serial numbers of the scanners I've purchased and the upgrade keys associated with them.

If you use the same password across multiple sites (and I know people do), that raises the stakes a little.
 

Ubbe

Member
Joined
Sep 8, 2006
Messages
3,950
Location
Stockholm, Sweden
I have to agree. I have never seen a web server give you the current password, it always says that it has been reset and you need to change it by following a link. If its true that Uniden sends out the active password in an email then that are very odd indeed.

/Ubbe
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,786
Hopefully you don't enter your pw on an http site either or they didn't send it to you insecurely.
One in-the-clear captured log in and pw can cause all kinds of trouble, especially if its used for multiple accounts (very common).

Side note: Right here when logging into Wiki, I noticed it was http and my PC gave a warning that credentials could be compromised. I found a way to log in secure, but had to go through some hoops. I run Https Everywhere.
 
Status
Not open for further replies.
Top