I actually read the release notes for the last update to my QNAP NAS devices and one thing struck me.
They said that admin/admin as the standard username/password combination wasn’t safe, so they had changed the policy for new devices and device resets…
They are using the MAC address (minus colons).
There are two very big problems with this. admin/admin can be found all over the net and is considered unsafe, so using something else is commendable, but…
The MAC address is printed on a label on the back of the device, the QNAP configuration tool finds the devices over their MAC addresses anyway and, if you don’t have the config tool, you just need a Windows command line: “ARP” the address of the NAS and it will return the MAC address. It took me all of 5 seconds to find the “new” password of my QNAP (if I had reset it).
The second problem is, people will see this address and think “hmm, not admin/admin, it is unique to my device, cool” and leave the password as it is, not realising that anyone with local network access can find the password (not work out the password, actually find the password) in a couple of seconds.
For the brief period of time during the initial set-up, that is a small window of opportunity for an attack, but if somebody doesn’t change the password, or plugs in a new device and then gets called away, the device might be online long enough to get attacked. If they leave the password unchanged…
I was so astounded when I read the release notes that I actually ran it by the security researcher Jake Moore at Eset, via Twitter, to make sure I was reading it right; his reaction was “Woah!”
For me, this doesn’t increase the security in any meaningful way. It is just security theatre. And I would say that it is actually more dangerous than admin/admin, because some people will think it is safer.
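The mitigation the post points towards is a set-up wizard that refuses any password derived from a public device identifier (the MAC in any of its spellings, the serial number, or the old admin/admin default). The validator below is an added example and is not code from the commenter, from QNAP, or from any real firmware; the MAC and serial it checks against are constructed placeholders, and the variant spellings it generates are the ones a label or an `arp -a` listing would give you.

```python
import re
from typing import List, Optional, Set

# Constructed placeholders for the example; a real wizard would read these from the unit.
DEVICE_MAC = "24:5E:BE:12:34:56"   # hypothetical MAC, not a real device
DEVICE_SERIAL = "Q123AB45678"      # hypothetical serial, not a real device

# Vendor defaults that must never be accepted as a password (the post's admin/admin case).
RESERVED_WORDS = {"admin", "password"}


def mac_variants(mac: str) -> Set[str]:
    """Every common spelling of a MAC address, lower-cased.

    The label on the back, the vendor's discovery tool and `arp -a` each print the
    address differently, so a policy that only rejects the bare hex string is not enough.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    variants = {hexdigits}                                  # 245ebe123456 (the QNAP scheme)
    for sep in (":", "-", "."):                              # 24:5e:be:12:34:56 and friends
        variants.add(sep.join(hexdigits[i:i + 2] for i in range(0, 12, 2)))
    variants.add(".".join(hexdigits[i:i + 4] for i in range(0, 12, 4)))  # 245e.be12.3456
    return variants


def device_identifiers(mac: str, serial: Optional[str] = None) -> Set[str]:
    """Public identifiers an attacker on the LAN (or with physical access) can read off the device."""
    identifiers = mac_variants(mac)
    if serial:
        identifiers.add(serial.lower())
    return identifiers


def validate_password(password: str, mac: str, serial: Optional[str] = None,
                      min_len: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    A password that merely *contains* a device identifier is rejected too, because
    appending a digit to the MAC does not make it secret.
    """
    problems: List[str] = []
    lowered = password.lower()

    if lowered in RESERVED_WORDS:
        problems.append("password is a well-known vendor default")
    if len(password) < min_len:
        problems.append(f"password is shorter than {min_len} characters")
    for ident in device_identifiers(mac, serial):
        if ident in lowered:
            problems.append(f"password contains public device identifier {ident!r}")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("245EBE123456", "admin", "Q123AB45678!", "correct horse battery staple"):
        print(candidate, "->", validate_password(candidate, DEVICE_MAC, DEVICE_SERIAL) or "ok")
```

Running it shows the MAC-derived default, the serial with a punctuation mark appended, and admin all rejected, while a long passphrase passes. Enforcing this at first login is the point: a default that is printed on the chassis is not a credential, and the wizard should force it to be replaced before the device is reachable on the network.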