home.social

#osdp — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #osdp, aggregated by home.social.

  1. The second vulnerability impacting #OSDP our researchers discovered: downgrade attack potential.

    As Dan Petro writes, "Just because an OSDP controller and reader support encryption doesn’t mean that they both enforce that it actually be used. One of the first things that happens when a reader comes online is that it transmits a list of capabilities to the controller. This tells the controller all sorts of things, such as whether it has a fingerprint reader, tactile buttons, and (importantly) whether it supports encryption. For chicken-and-egg reasons, this message cannot itself be encrypted. Thus, an intercepting device in the wire can modify this capability message to lie about the reader’s capabilities and claim that it does not support #encryption."

    Check out the breakdown of the other #vulns in the write-up. bfx.social/3OFWOsT