WiFi Password
The WiFi is an open network with no password at all. It should instead ship with a default password printed on the device label.
Everything Runs as Root
Every process on the device runs as root, so any command injection in the web UI would lead directly to full system compromise. Password hashes are stored in /etc/passwd; if normal processes ran as something other than root, they would be restricted from fetching password hashes.
Telnet Identifies Non-Users
When attempting to log in over Telnet with an invalid username, Telnet displays 'getpwnam returned null'. This allowed me to quickly exclude a list of common username and password combinations used in IP camera devices. Telnet should also be replaced with SSH.
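The fix for the username oracle above is a login path that returns one generic message and does the same amount of work whether the username is unknown or the password is wrong. The following is an added example of that pattern, not code from the drone's firmware: the user table, the account name admin, the password value and the PBKDF2 cost are all constructed for the demonstration.

```python
"""Login check that gives the same answer, and performs the same hashing work,
whether the username does not exist or the password is wrong, so a remote
caller over Telnet/SSH cannot tell the two cases apart."""
import hashlib
import hmac
import os

# PBKDF2 cost; assumption: tune so one check takes ~100 ms on the real CPU.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user table with a single account (not from any real device).
_SALT, _DIGEST = hash_password("example-only-password")
USERS = {"admin": (_SALT, _DIGEST)}

# Dummy record used when the username is unknown, so the failing path still
# runs one full PBKDF2 computation instead of returning early.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-record")


def authenticate(username, password):
    """True only for a correct (username, password) pair.

    An unknown username is hashed against the dummy record, the comparison is
    constant-time, and the result is only accepted if the user really exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, actual = hash_password(password, salt)
    matched = hmac.compare_digest(actual, expected)
    return matched and username in USERS


GENERIC_FAILURE = "Login incorrect"


def login_response(username, password):
    """One message for every failure; nothing like 'getpwnam returned null'."""
    if authenticate(username, password):
        return "Login OK"
    return GENERIC_FAILURE


if __name__ == "__main__":
    print(login_response("admin", "example-only-password"))  # Login OK
    print(login_response("admin", "wrong"))                  # Login incorrect
    print(login_response("nobody", "wrong"))                 # Login incorrect
```

The final `username in USERS` check matters: without it, an unknown username sent together with the dummy record's password would be accepted.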
Poor Password Choices
A short alphanumeric password, ev1324, is shared across all drones, so the compromise of a single drone (mine), combined with Telnet, allows wireless bricking of the other devices.
Weak Password Hashing Algorithm
The root password is hashed with MD5. This took only about 20 minutes to brute-force. Since it is rare for anyone to log into this device, there is little downside to using a much slower algorithm.
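The three findings about hashes in /etc/passwd, a single password shared across the fleet, and MD5 hashing can all be checked mechanically once the firmware is extracted. The script below is an added example of such an audit, not a tool from the page's author: it parses passwd(5) lines, classifies the password field by its crypt(3) prefix, flags any hash that sits in the world-readable passwd file instead of a shadow file, and reports a (user, hash) line that recurs across several device images, which is what a password baked into a shared firmware build looks like. The two "drone" images and their hash strings are constructed for the example.

```python
"""Audit /etc/passwd files pulled from extracted firmware images.

Flags: password hashes kept in the world-readable passwd file rather than a
shadow file, hashes made with a fast algorithm such as md5crypt, and the same
hash line shipped in more than one device image (one password for the fleet).
"""
from collections import defaultdict

# crypt(3) hash prefixes mapped to (algorithm name, reviewer rating).
HASH_ALGORITHMS = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "acceptable"),
    "$6$": ("sha512crypt", "acceptable"),
    "$7$": ("scrypt", "strong"),
    "$y$": ("yescrypt", "strong"),
    "$2a$": ("bcrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$2y$": ("bcrypt", "strong"),
}


def classify_hash(field):
    """Return (algorithm, rating) for the password field of one passwd/shadow entry."""
    if field == "":
        return ("none", "empty")            # login succeeds with no password at all
    if field == "x" or field.startswith(("*", "!")):
        return ("placeholder", "shadowed or locked")
    for prefix, info in HASH_ALGORITHMS.items():
        if field.startswith(prefix):
            return info
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "weak")         # traditional DES crypt, 8-char limit
    return ("unknown", "review")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append({"user": fields[0], "hash": fields[1],
                        "uid": int(fields[2]), "shell": fields[6]})
    return entries


def audit_image(name, passwd_text):
    """Return a list of finding strings for one device image's /etc/passwd."""
    findings = []
    for entry in parse_passwd(passwd_text):
        algo, rating = classify_hash(entry["hash"])
        if algo == "placeholder":
            continue                        # hash lives in shadow, or account is locked
        if algo == "none":
            findings.append(f"{name}: '{entry['user']}' has an empty password")
            continue
        findings.append(f"{name}: '{entry['user']}' hash ({algo}) is in world-readable /etc/passwd")
        if rating == "weak":
            findings.append(f"{name}: '{entry['user']}' uses fast hash {algo}; "
                            "use yescrypt, bcrypt or sha512crypt with a high cost")
    return findings


def find_shared_hashes(images):
    """images maps image name -> passwd text.

    Returns {(user, hash): [image names]} for every (user, hash) pair present
    in more than one image, i.e. a password shared by every device."""
    seen = defaultdict(list)
    for name, text in images.items():
        for entry in parse_passwd(text):
            algo, _ = classify_hash(entry["hash"])
            if algo not in ("placeholder", "none"):
                seen[(entry["user"], entry["hash"])].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample images (not real firmware); the hash strings are made up.
DRONE_A_PASSWD = """\
root:$1$Xq9kV2lp$mD3bN1Qw7rT8zL5yJ0pHc.:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:www:/var/www:/bin/false
"""
DRONE_B_PASSWD = DRONE_A_PASSWD  # same firmware build flashed on every drone

if __name__ == "__main__":
    for msg in audit_image("drone-a", DRONE_A_PASSWD):
        print(msg)
    shared = find_shared_hashes({"drone-a": DRONE_A_PASSWD, "drone-b": DRONE_B_PASSWD})
    for (user, _), names in shared.items():
        print(f"'{user}' shares one password across: {', '.join(names)}")
```

In practice you would point `audit_image` at each `squashfs-root/etc/passwd` (and the matching `etc/shadow`, which the same parser handles) from every firmware version you have, so that a hash surviving across releases and devices shows up immediately.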
Unlocked Bootloader
I have mixed feelings on this one, but a bootloader password would have prevented me from extracting password hashes from the firmware. However, if the bootloader were locked, I would have extracted them from the SPI flash instead, and at that point you also need disk encryption.