Ask / Submit
4

connmanctl has tethering password in cleartext

asked 2018-03-18 14:56:17 +0300

tortoisedoc gravatar image

updated 2018-03-22 12:35:02 +0300

Steps to repro:

1) enable tethering (set password)

2) open terminal

3) run connmanctl technologies | grep Pass

4) password set for tethering is in the result list

edit retag flag offensive close delete

Comments

@Edz : you were in terminal already, so why the need for another one?

tortoisedoc ( 2018-03-18 18:09:53 +0300 )edit
1

What's the bug? Unless the password is stored in cleartext you wouldn't be able to reveal it when you wan't to see what to type in the station you're connecting to the hotspot.

luen ( 2018-03-18 18:51:09 +0300 )edit

@luen say w0t?

tortoisedoc ( 2018-03-18 18:55:09 +0300 )edit

@tortoisedoc How would you like to have it stored?

luen ( 2018-03-18 18:59:03 +0300 )edit

@luen Please note that im complaining about connman having the password in cleartext (read: how it's displayed) not how it's stored.

tortoisedoc ( 2018-03-18 19:07:41 +0300 )edit

1 Answer

Sort by » oldest newest most voted
1

answered 2018-03-19 12:59:16 +0300

Stedephys gravatar image

thing is, that doesn't even matter because if you go to settings->mobile hotspot and click on the abc symbol next to the password it shows it in clear text too.

edit flag offensive delete publish link more

Comments

im sorry but it does matter.

As mentioned, if a secure phone starts with the assumption having cleartext passwords displayed on screen (without prior intention to do so by the user, which is the case in the scenario you mention) is privacy, its growing from the wrong bases. Security is an attitude, not a feature.

tortoisedoc ( 2018-03-19 13:54:44 +0300 )edit

but to do that you would need ssh access witch not only means that you already have the ssh password witch doubles as a root password so you would be able to do pretty much whatever you please at that point but also would it mean that you don't fucking need a hotspot anymore.

Stedephys ( 2018-03-19 14:27:16 +0300 )edit

@Stedephys not really; any application can execute as nemo a shell script which will return the password in clear text; so you do not really need ssh, you need an application (installed from openrepos?) and bang you are in.

tortoisedoc ( 2018-03-19 14:39:59 +0300 )edit
Login/Signup to Answer

Question tools

Follow
2 followers

Stats

Asked: 2018-03-18 14:56:17 +0300

Seen: 359 times

Last updated: Mar 19 '18