01-25-2013, 02:07 PM | #1 |
Connoisseur
Posts: 59
Karma: 57554
Join Date: Jan 2012
Location: Romania
Device: Kindle Touch
|
Kindle Touch stores WiFi passwords in plain text on user partition
Hello.
I found something interesting/shocking: /mnt/us/system/WifiCfg.ini. Here I can find the name and password of my WiFi in plain text. I think this is quite a serious security problem because if someone takes your Kindle for just a few seconds they can break into your WiFi with ease.
PS: I have a Kindle Touch with firmware 5.3.2.
PPS: I also have Duokan in a dual boot configuration; it seems that it may be the culprit. Sorry for the false alarm...
Last edited by wolftail; 01-27-2013 at 11:17 AM. |
01-25-2013, 02:09 PM | #2 |
Wizard
Posts: 2,251
Karma: 3720310
Join Date: Jan 2009
Location: USA
Device: Kindle, iPad (not used much for reading)
|
How, in a few seconds, is someone going to hook your Kindle up to a USB port, and read that file?
ETA: And, how would they know that file is even there? |
01-25-2013, 02:12 PM | #3 | |
Connoisseur
Posts: 59
Karma: 57554
Join Date: Jan 2012
Location: Romania
Device: Kindle Touch
|
Quote:
It takes about 30 seconds to connect a Kindle to a computer, copy a file from the user partition (the one you see in Windows Explorer) and put the Kindle back. |
|
01-25-2013, 02:14 PM | #4 |
Wizard
Posts: 2,251
Karma: 3720310
Join Date: Jan 2009
Location: USA
Device: Kindle, iPad (not used much for reading)
|
And, how likely is that to happen?
|
01-25-2013, 02:20 PM | #5 |
Connoisseur
Posts: 59
Karma: 57554
Join Date: Jan 2012
Location: Romania
Device: Kindle Touch
|
Just because something is not very likely to happen doesn't mean it will never happen. Moreover, it's a trivial fix for Amazon.
Passwords should never be stored in plain text, and especially not in easily accessible locations. |
01-25-2013, 05:11 PM | #6 |
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
|
|
01-25-2013, 05:19 PM | #7 |
Member
Posts: 14
Karma: 475352
Join Date: Feb 2012
Device: Kindle Paperwhite 2
|
As I recall, most wifi passwords on computers can be viewed in plain text. I can go onto either my Windows 7 or Ubuntu 12.04 PC at home, pull up the wifi connections app, view connections, and click a box for it to display the password if I want.
I believe this is true for the Kindle wifi connections app too, when you're either creating or editing a connection. I realize you're talking about reading the raw password file independent of the wifi connections app, but it would be just as easy for somebody to pull up the wifi connections app. I think the idea of security is letting nobody get onto your computer/ebook reader/ipod/whatever in the first place. |
01-25-2013, 05:46 PM | #8 |
Grand Sorcerer
Posts: 6,478
Karma: 26425959
Join Date: Apr 2009
Location: USA
Device: iPhone 15PM, Kindle Scribe, iPad mini 6, PocketBook InkPad Color 3
|
Setting a passcode can protect somewhat.
|
01-25-2013, 05:54 PM | #9 |
Connoisseur
Posts: 59
Karma: 57554
Join Date: Jan 2012
Location: Romania
Device: Kindle Touch
|
I have also installed Duokan on my Kindle, but Duokan has its own folder. I doubt it would write to the Kindle system folder. This needs to be investigated... Can anyone else find a wificfg.ini file on their Kindles?
|
01-25-2013, 09:50 PM | #10 |
but forgot what it's like
Posts: 741
Karma: 2345678
Join Date: Dec 2011
Location: north (by northwest)
Device: Kindle Touch
|
Well, googling for "wificfg.ini" (in quotes) returns many results from the Duokan forum and also a link to a Deutsch blog containing a post about wificfg.ini after a post about Duokan.
|
01-26-2013, 04:38 PM | #11 |
(offline)
Posts: 2,907
Karma: 6736092
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
|
The original Amazon firmware stores user settings in /var/local, not /mnt/us/system/.
|
01-27-2013, 02:20 AM | #12 |
Enthusiast
Posts: 38
Karma: 10000
Join Date: Feb 2012
Device: Kindle Touch
|
|
Tags |
kindle touch, password, security, wifi |
|