Penetration Testing mailing list archives

Re: Pentesting a wireless Symbol Technologies barcode scanner system


From: Glenn Larsson <ichinin () swipnet se>
Date: Wed, 21 Aug 2002 00:27:23 +0200

bserra () forsythesolutions com wrote:

All,
Does anyone have any information or has done a wireless pen-test on a
Symbol Technologies manufacturing barcode scanning system? I have heard
that it is possibly 802.11 but uses some proprietary encryption and/or
protocol. Any insight would be helpful.

Hi.

All I know is that Symbol have developed their own Kerberos
implementation for their handhelds + Wireless Networker & Companion; it
does not say any specifics about the implementation, i.e. using Kerberos
for _key exchange_ but still using RC4 for encryption. Try some basic
Kerberos attacks against it and see for yourself (would not be surprised
if you found something useful).

- My _guess_ is that the whole system is backwards compatible with WEP
and security can be logon-downgraded via an old client that wants to
speak to the network.

- Symbol AP(*)/Bridge Default pwd's: "Symbol" & "SYMBOL".
(24xx/302x/41xx)

- If you find an old PDT, the WEP key is found under
HKLM\Software\Symbol (I think). This can be transferred to another
device then reused on that (did it back in 2000 - worked fine).

- PocketPC 3.0 was also susceptible to a no-brainer ICMP-DoS attack;
never did write an advisory regarding this (not tried PPC 2k+2).

- Note that old clients run DOS binaries (PPT 31xx/61xx), usual software
found == MCL & Wavelink, you can have fun with these as well.

If you want to know more, I suggest you ask OSP people to send you
details regarding security; also, I think there is a whitepaper
regarding their Kerberos, I've never read it.

Regards,
Glenn
