The official RSA app that exhibitors use to scan delegate badges contains a hardcoded password that allows vendors to unlock the full features of the device, says Bluebox Security's Andrew Blaich. Vendors at the San Francisco mega-conference expo hall were handed Samsung Galaxy S4 Android phones, locked into kiosk mode and intended for use only as scanners of delegates' badges. Lead security chap Blaich tinkered with the app downloaded from the Play Store to power the scanners and found a hardcoded admin password within the app's code. With that password, an attacker could gain control of the phones.
ORIGINAL SOURCE: The Register