CVE-2022-2107 The MiCODUS MV720 GPS tracker API has a master password authentication mechanism.

There are several ways to avoid this. You can harden the password itself, store it in a password management system, or use a dynamic algorithm that generates the password on the server. The most secure option is to use a dynamic algorithm that generates the password on the server. MiCODUS offers two algorithms for this purpose: PBKD and LDAP. The advantage of the PBKD algorithm is that the password is hard-coded in the device’s firmware and cannot be extracted from the device. The disadvantage is that the password cannot be changed by the owner. The advantage of the LDAP algorithm is that the password can be changed by the owner and that the password can be extracted from the device’s memory.

PBKD Algorithm

PBKD implements a cryptographic key derivation function that is used to derive a random password from two provided passwords. The first password is generated by the user and the second password must be hard-coded on the card’s firmware. This is important because it means that the passwords cannot be extracted from the devices, so you can’t use brute force to extract them.

PBKD and LDAP Algorithms

The PBKD algorithm is a simple hash function that will generate a 16-character password by combining upper and lowercase letters with numbers, symbols, and special characters. The advantage of the PBKD algorithm is that it is very fast to calculate. The disadvantage is that the password cannot be changed by the owner.
The LDAP algorithm generates passwords based on a dynamic string of numbers, letters, and symbols that are unique to each device. It doesn’t use any static components like the PBKD algorithm does. The advantage of this algorithm is that the password can be changed by the owner and it can be extracted from memory if necessary. The disadvantage is that it takes more time to calculate than the PBKD algorithm does.

PBKD algorithm (Stored in the firmware)

The PBKD algorithm is stored in the firmware on the device and cannot be changed. The main advantage of this algorithm is that it cannot be extracted from the device.


Published on: 07/20/2022 16:15:00 UTC
Last modified on: 07/27/2022 21:46:00 UTC
