03/12/2005
Med Associates' total lack of security
Last week I went to Athens, Greece to set up a laboratory with a PC connected to 2 mouse cages(!). Mice are put inside the cages and then one can monitor their movements through some infrared sensors. Data is sent to the PC, where a program (Activity Monitor 5) made by Med Associates is used to analyze those movements.
It was Saturday when I tried to install the program. I inserted the CD into the CD-ROM drive and started the installation process. After 2-3 “Yes, I Agree, Next, etc.” I faced a password entry field. But I was given no password! I checked the manuals and saw that I should send them an application form filled with some names, location and so on, to be sent a password via email. I started calling them, but no one would answer at their offices; it was Saturday and pretty close to Halloween… so there was no chance of ever finding anyone at their office.
Luckily one of my friends was with me, and he was looking inside some DLLs to check if there was any sign of the password checking algorithm, so that we could extract any info about it. He didn’t find anything, and then I told him to start looking inside the installer. He started looking for the error message while I was calling a professor that I know, who was using the same program. There was a chance that the password for the program the professor uses could work for our case as well. After 10-15 minutes I got the password, and when I went to the PC to enter it my friend had located the error message, some garbage beside it and then a string of 8 letters and numbers.
I first tried the previous password that the professor gave me… it did not work. Then we tried the string that we found next to the error message… GUESS WHAT! IT WORKED!!!
Was what we did “illegal”, or was the company plain stupid? We had bought the program but we had no password, so we had to “hack it”. I think it’s ridiculous for a program that costs more than $1000 to have its password hardcoded inside the installer. They could have a password checking algorithm inside the installer and a password generator at their offices. That sounds more “secure”.
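Both halves of the story in working code, as an added example (this is not Med Associates' code and was not part of the original post): a strings(1)-style scan that pulls the literal sitting next to the error message out of an installer that embeds its password, and the generator/checker split suggested above, where the vendor issues a code bound to the name and location from the application form and the installer only recomputes and compares it. The installer bytes, error message, password, licensee details and key are all constructed stand-ins.

```python
import hashlib
import hmac
import re

# Design 1, what the post found: the password literal sits inside the installer.
# Everything here is constructed for the example; it is not the real installer.
ERROR_MSG = b"Invalid password. Contact the vendor."   # constructed error message
HARDCODED_PASSWORD = b"K7Q2M9ZX"                        # constructed 8-character literal

WEAK_INSTALLER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"   # fake header bytes
    + b"\x55\x8b\xec\x83\xec\x10" * 4                               # fake code bytes
    + ERROR_MSG + b"\x00"
    + b"\x7f\x03\x19\xa2\x00\xe8"                                   # the "garbage" next to it
    + HARDCODED_PASSWORD + b"\x00"
    + b"\xc9\xc3\x90\x90" * 8
)


def weak_check(entered: bytes) -> bool:
    """What the weak installer effectively does: compare input with the embedded literal."""
    return hmac.compare_digest(entered, HARDCODED_PASSWORD)


def printable_strings(blob: bytes, min_len: int = 4):
    """strings(1)-style scan: (offset, text) for every run of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def strings_after(blob: bytes, marker: bytes, window: int = 64):
    """Strings that start within `window` bytes after `marker` (the error message)."""
    pos = blob.find(marker)
    if pos < 0:
        return []
    lo = pos + len(marker)
    return [text for off, text in printable_strings(blob) if lo <= off < lo + window]


# Design 2, what the post proposes: generator at the vendor, checker in the installer.
# The code is derived from the application-form data, so it only fits one licensee.
VERIFY_KEY = bytes.fromhex("9e02d47b11c38805f03aab1c6d990e42")   # constructed key


def issue_code(licensee: str, site: str, key: bytes = VERIFY_KEY) -> str:
    """Vendor-side generator: 8-character code bound to licensee name and site."""
    msg = f"{licensee}|{site}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8].upper()


def verify_code(licensee: str, site: str, code: str, key: bytes = VERIFY_KEY) -> bool:
    """Installer-side checker: recompute the code and compare in constant time."""
    return hmac.compare_digest(issue_code(licensee, site, key), code.strip().upper())


# Same fake layout, but no password literal: only the error message and the key.
HARDENED_INSTALLER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x55\x8b\xec\x83\xec\x10" * 4
    + ERROR_MSG + b"\x00"
    + VERIFY_KEY + b"\x00"
    + b"\xc9\xc3\x90\x90" * 8
)


if __name__ == "__main__":
    print("strings near the error, weak installer:    ", strings_after(WEAK_INSTALLER, ERROR_MSG))
    print("strings near the error, hardened installer:", strings_after(HARDENED_INSTALLER, ERROR_MSG))
    code = issue_code("Dr. Example", "Athens")
    print("vendor issued", code, "-> accepted:", verify_code("Dr. Example", "Athens", code))
    print("same code entered by another licensee ->", verify_code("Someone Else", "Athens", code))
```

The caveat a practitioner would add: the HMAC key still has to live in the installer, so whoever pulls it out of the binary (the same strings and disassembly exercise) and reads the checker can issue codes for any name and location. A signature scheme, with the private key at the vendor and only the public key in the installer, removes that, and even then a patched comparison still lets the install proceed. What binding the code to the form data does buy is that a code leaked by one customer (like the one the professor passed along) is useless to the next.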
Anyway… it’s a program meant to be used by doctors… its real price should be around $50-100. There’s nothing really special about it… but hey… doctors have money… they should pay 😛
Filed by kargig at 13:03 under Encryption, General, Privacy