I have a GW MODBUS TCP/RTU 1E/2DB9 (item 2702765) modbus gateway. This is the second, independent occurrence of this issue with this product (same thing happened on another one of the same device and firmware).
When resetting from the default username/password Admin/admin, the new password appears to be accepted without a hitch (green banner indicating as such). Upon trying to re-log in, no password is accepted, no errors are shown, and I am locked out of the device. My best guess is that the new password successfully hashes and stores (hence the green banner indicating my new password was accepted). I mean, after all, what modern hashing algorithm wouldn’t allow long, complex passwords loaded with various special characters. However, on login, the process breaks, with my best guess being that some buggy script tries to read the stored password and breaks on special characters. This likely means three scary things:
- The device is dealing in plaintext passwords.
- The device forces a password that is around 10-bits less entropy (no special characters and assuming the imposed maximum length of 16).
- Due to the lack of documentation on this, there are probably many units in the wild with the default factory username/password credentials.
I can maybe understand scary thing one, as this is an embedded device with minimal room for encryption libraries that can salt and irreversibly hash a password (for later use of the nice, non-special-character hash rather than a plaintext password).
Scary thing two is likely just a result of a bug, and leads to this post’s question: When will this be fixed? If PC must use plaintext passwords to keep costs down, okay. However, I’d love to use special characters. Especially in a world where brute force attacks are cheap and easy and the firmware has no ability to block rapid succession of login attempts.
Scary thing three can be mitigated by documenting this issue somewhere. This post is my attempt at that, as I can’t find any documentation of this being a known issue.
Notes on firmware versions:
If I recall correctly, the first one of these that this happened to me on was running firmware 1.05 out of the box (the only firmware available on the product page). The second one came with firmware 1.09 (It looked like 1.09 was another firmware that turns this device into another product platform). I actually set the new password in firmware 1.09 before I even realized the difference (it’s always the first provisioning step I do). Then, before logging out, I flashed to firmware 1.05 during the rest of my provisioning steps and it came back with me locked out.