Information Security News mailing list archives

75811 : Ducati Diavel Motorcycle Default Ignition Password


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 29 Sep 2011 00:31:10 -0500 (CDT)

http://osvdb.org/show/osvdb/75811

Timeline

Disclosure Date         Exploit Publish Date
2011-04-05              2011-04-05

Description

Ducati Diavel motorcycles ship with a default ignition password. The bike can be started using a manufacturer default PIN, set to the last 4 digits of the Vehicle Identification Number (VIN), which is publicly known and documented. This allows attackers to trivially access the motorcycle and enjoy the 162 horsepower and wind blowing through your hair.

Classification

Location: Physical Access Required
Attack Type: Authentication Management
Impact: Loss of Integrity
Solution: Workaround
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution: Immediately after purchase, change the startup PIN as directed in the instruction manual (you did read that, right?).

Products

Unknown or Incomplete

References

* Other Advisory URL: http://twitpic.com/4hd6up
  http://www.laresblog.com/2011/04/why-cant-i-just-buy-motorcycle-without.html

Credit

* Chris Nickerson - Lares Consulting


[...]

