Awesome Conferences

Hardware password recovery

Hardware didn't used to have passwords. Your lawnmower didn't have a password, your car didn't have a password, and your waffle iron didn't have a password.

But now things are different. Hardware is much smarter and now often requires a password. Connecting to the console of a Cisco router asks for a password. A Honda Prius has an all-software entry system.

My first experience with being "locked out" of my own hardware was a Cisco router in 1991. Luckily every Cisco device has a way to work around the password. In fact, Cisco maintains the Password Recovery Process web site that links to the procedure for every device they've ever made. Now one might say, "but if there is a way to work around a password, it isn't very secure, is it?" These procedures all require some kind of physical access. A Sun workstation requires you to press L1 and "A" at the same time, and these keys are only on a physical console. Some appliances require you to boot them while holding down a button. Requiring that the machine be powered up while holding down a certain button means you have access to the power switch, and if you have access to the power switch you can perform one heck of a denial of service attack. If you have physical access there are worse things you can do than reset the password, like smash the box with a sledge hammer.

In the 2nd edition of The Practice of System and Network Administration one of the updates we needed to include was our discussion of physical access to machines. The first edition was written mostly in 1999/2000 and at the time remote access to consoles was something that only Unix servers did, and Windows servers were just starting to get KVM switches that permitted over-the-network access (IP-KVMs). The 2nd edition tries to treat the issue more evenly-handed since both Windows and Unix communities now recognize the benefit of remote consoles. We also re-emphasize the importance of security in KVM and other remote-console access systems. Hardware designers assume that physical access will be restricted. Adding a remote-console system means attackers no longer need physical access to attack the console.

I've always looked for the ability to reset hardware passwords on any new equipment I buy. I make sure there are three ways to access these instructions. On my "sysadmins wiki" I make a link to the instructions on the vendor's web site, and I copy those instructions into the website so that I have a recent copy just in case I need them when I don't have internet access. My third copy is a printed copy that I tape to the side of the device (be careful not to block the vents).

Not every company realizes the importance of this. I recently bought a used Sony tape library (LIB-162) and couldn't find a way to reset the password. Luckily I didn't need the password for the basic functionality required to do backups. However, to get access to the web-based administration system or do software upgrades one needs the password. The previously owner doesn't know the password thus I am stuck.

The manual says that one can't reset the password and I should call my dealer. I figured they just didn't want the information spread around, so I contacted Sony and they gave me the right people to speak with. A very helpful person names Lucia informed me that I could send in the device and for only $899 they would reset the password. That seemed unreasonable, but escalating it brought me no joy. John Marshall, Customer Service/Support Manager at Sony (not to be confused with the Chief Justice nor the famous percussionist) was very polite and friendly, but was not able to tell me the secrets to doing the process myself. I even offered to sign a non-disclosure if the process was secret. No luck. He offered to reduce the rate to $699 but that was unstatisfactory.

More and more of the products that sysadmins deal with are sold as appliances. It's a relatively new industry (I'm being sarcastic) so companies are still figuring out the "norms" that customers expect. I'm not sure what the entire list should be, but I know that the ability to reset the configuration without spending $899 should be one of them.

So in the meanwhile I'll be using only the minimal features of the device which is ok because I had planned on using this purely for a hobby project. However, I can't recommend that anyone purchase products from Sony Storage until they stop designing their products this way. There is too much business risk in a product like the Sony LIB-162 AIT tape library at any price.

Posted by Tom Limoncelli in Technical Tips

No TrackBacks

TrackBack URL:

6 Comments | Leave a comment

_ Toyota _ Prius...

Honda has several hybrids, but none that I think are worth the price of admission.

I don't think the previous owner of you Tape lib can have set a password. We too have a LIB-162a ours is not second hand, it's brand new and the default password doesn't work for the web-admin at all. I can enter the IP of the device in my browser, and then navigate to "System Configuration" -> "Network" I enter "LIB-162A" in the password field, and then I receive a dialog asking for a user name and password. The manual says to enter "LIB-162" for the UN and "LIBRARY" for the PW. I do this and receive a big fat 401 - Unauthorized. The moral of this story; don’t ever buy Sony if at all possible.

I have managed to solve this problem. The default password was LIB-162A. After entering this password you will need to enter Username: LIB-162 and the password is: SONY and it works fantastic.

Sounds like I'm not the only one reading the wrong manual. I was also trying LIBRARY as the password. This manual has the password as SONY, whick works.

I have exactly the same problem. This link is misse:

I have a Sony LIB-162 AIT4. Could you tell me what the password is?

Thanks in advance
Best regard

I logged into the first screen with:

pwd = LIB-162A (all caps)

2nd screen

UN = LIB-162
pwd = SONY

Leave a comment