Issue: New default login security enhancements.
Applies to: DNA Fusion SSP Firmware 1.19.4
Summary: These enhancements restrict the conditions under which the default login account is enabled, because an enabled default account exposes the SSP controllers to unauthorized access.
Old Firmware
The proper configuration to ensure that the default user account is disabled is to make sure that at least one user account has been created on the controller’s webpage and that dipswitch 1 is set to the OFF position.
Prior to these security enhancements the default login account was available under the following conditions:
● If no other user accounts had been created the default login account was always enabled.
● If Dipswitch 1 was set to ON then the default login account was enabled.
● It was also possible to create a user account that used the same login and password as the default login account.
New 1.19.4 Firmware
The Open Options controllers have been modified to ensure that the default login account cannot be left enabled indefinitely. The following changes have been made:
● The default login account is no longer enabled based on the fact that no user accounts have been created.
● To enable the default user account, transition dipswitch 1 from OFF to ON. This will give the user a 5 minute login window.
  - A single login within the 5 minutes, or rebooting the board, will disable the ability to use the default login account until dipswitch 1 is transitioned again.
● A user with the password of “password” cannot be created. This prevents the addition of a user account with the same credentials as the default user account.
● If attempting to log in using the default credentials prior to dipswitch 1 being transitioned, an error message will be displayed.
  - If no user accounts have been created and the default account is used, a warning message will be displayed.
● The controller will perform two verification checks when attempting to apply settings and/or log out. If applicable, warnings will be displayed.
  - Validate that the controller’s dipswitches have been set to the normal operating mode.
  - Verify that at least one user account has been created.
  - If either or both of these conditions apply, a warning message will be displayed. To proceed, the warning must be acknowledged.
NOTE: If using the ZeroConfig application to configure the controller, an Authentication dialog will appear. Dipswitch 1 must be toggled in order to log in through ZeroConfig the first time; afterwards, the ooAdmin account is added to the Users section. ZeroConfig will need to be closed and reopened for the account to be created as a User.
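
The gating rules listed under New 1.19.4 Firmware, shown as an added Python model (not Open Options firmware code) that contrasts the old level-triggered rule with the new edge-triggered, 5 minute, single-use window. The class and function names and the sample timeline are constructed for illustration, and time is passed in as seconds so the run is deterministic.

```python
# Added behavioural model of the bulletin's rules; not Open Options firmware code.
WINDOW_SECONDS = 5 * 60  # the 5 minute login window


def old_default_enabled(dip1_on, user_count):
    """Old firmware: level-triggered, so the account could stay enabled indefinitely."""
    return dip1_on or user_count == 0


class DefaultLoginGate:
    """1.19.4 behaviour: edge-triggered, time-limited, single-use."""

    def __init__(self, dip1_on=False):
        self.dip1_on = dip1_on          # switch position found at boot
        self.window_opened_at = None    # no window until an OFF -> ON transition

    def set_dip1(self, on, now):
        if on and not self.dip1_on:     # only the OFF -> ON edge opens the window
            self.window_opened_at = now
        # Assumption: the bulletin does not say whether returning the switch
        # to OFF closes an open window; this model leaves it open.
        self.dip1_on = on

    def reboot(self):
        self.window_opened_at = None    # a reboot always closes the window

    def try_default_login(self, now):
        if self.window_opened_at is None:
            return False                # firmware shows an error message here
        in_window = now - self.window_opened_at < WINDOW_SECONDS
        self.window_opened_at = None    # used once or expired: closed either way
        return in_window


def demo():
    """Constructed timeline, times in seconds since boot."""
    gate = DefaultLoginGate(dip1_on=True)            # switch left ON across a boot
    results = [gate.try_default_login(now=5)]        # no transition seen yet
    gate.set_dip1(False, now=10)
    gate.set_dip1(True, now=20)                      # OFF -> ON opens the window
    results.append(gate.try_default_login(now=60))   # inside the window
    results.append(gate.try_default_login(now=70))   # second use of same window
    gate.set_dip1(False, now=80)
    gate.set_dip1(True, now=90)
    results.append(gate.try_default_login(now=90 + WINDOW_SECONDS + 1))  # too late
    return results


if __name__ == "__main__":
    print(demo())
```

Leaving dipswitch 1 in the ON position no longer keeps the default account available in this model, which is the difference an installer should verify after upgrading.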