Reply to post: Re: That's no vulnerability

Wish you could log into someone's Netgear box without a password? Summon a &genie=1

handleoclast

Re: That's no vulnerability

Most likely added during some testing phase and they forgot to remove it.

Stuff like that should be behind an #IFDEF (or whatever is the equivalent in your favourite language). And the same #IFDEF should also be wrapped around the following functionality:

1) User interface has a prominent "Development Mode" notice displayed on all web pages (or equivalent for a non-web interface).

2) Certain device functionality (in this case, the network connectivity) is disabled at startup.

3) User has to click on "Go Live" (or suitable equivalent) to get normal functioning (but not removal of the "Development Mode" warning).

4) On reboot/power cycle, device starts up in Development Mode and is not live until user explicitly invokes step 3.

That should be the case for any "make life easier during development" code. And it should be an instant dismissal offence to put in dev/test code which isn't wrapped in the #IFDEF.

Yeah, there are lots of refinements you could add to the scheme. But something like that should be the bare minimum.

It ain't rocket surgery. In fact, it's so damned obvious it shouldn't have been necessary for me to say it here.

I wonder what I got wrong in the above. There's bound to be something. You can't #IFDEF Murphy's law.
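As an added illustration of the scheme described in this comment (example code, not the commenter's and not from any Netgear firmware), here is a small C sketch in which the password-free login shortcut only exists when the build defines `DEV_MODE`, and the same macro drives the "Development Mode" banner, the network-off-at-startup rule and the "Go Live" step. All names (`struct device`, `device_init`, `go_live`, `authenticate`, `RELEASE_BUILD`) and the sample password are constructed for this example. Compile with `-DDEV_MODE` for the development build; the default build contains no bypass code path at all.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Belt and braces: a release build that also defines DEV_MODE is a
   build-system mistake, so refuse to compile rather than ship it. */
#if defined(DEV_MODE) && defined(RELEASE_BUILD)
#error "DEV_MODE must never be defined in a release build"
#endif

/* Constructed device state for this example. */
struct device {
    bool dev_mode;         /* step 1: drives the prominent banner      */
    bool network_enabled;  /* step 2: off at startup in a dev build    */
};

#ifdef DEV_MODE
static const bool kDevBuild = true;
#else
static const bool kDevBuild = false;
#endif

/* Step 4: every boot/power cycle re-enters Development Mode in a dev
   build; a release build starts live because it has no dev mode. */
void device_init(struct device *d) {
    d->dev_mode = kDevBuild;
    d->network_enabled = !kDevBuild;
}

/* Step 1: banner text shown on every page of a dev build, empty otherwise. */
const char *banner(const struct device *d) {
    return d->dev_mode ? "*** DEVELOPMENT MODE - NOT FOR PRODUCTION ***" : "";
}

/* Step 3: "Go Live" restores normal function but keeps the banner. */
void go_live(struct device *d) {
    d->network_enabled = true;
}

/* Length-independent comparison so the real login does not leak
   how many leading characters matched. */
static bool secret_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The "make life easier during development" shortcut lives only inside
   #ifdef DEV_MODE.  In the release build the compiler never sees it, so
   no request flag can reach it. */
bool authenticate(const struct device *d, const char *password, bool dev_shortcut) {
#ifdef DEV_MODE
    if (d->dev_mode && dev_shortcut)
        return true;               /* dev-only: compiled out of release */
#else
    (void)dev_shortcut;            /* flag is meaningless in release    */
#endif
    return secret_equal(password, "correct-horse-battery-staple"); /* constructed */
}

/* Query helpers so the build's behaviour can be checked from a harness. */
bool fresh_device_is_live(void) {
    struct device d; device_init(&d); return d.network_enabled;
}
bool fresh_device_shows_banner(void) {
    struct device d; device_init(&d); return banner(&d)[0] != '\0';
}
bool shortcut_login_works(void) {
    struct device d; device_init(&d); return authenticate(&d, "wrong", true);
}
bool real_login_works(void) {
    struct device d; device_init(&d);
    return authenticate(&d, "correct-horse-battery-staple", false);
}

int main(void) {
    struct device d;
    device_init(&d);
    printf("%s\n", banner(&d));
    printf("network at startup: %s\n", d.network_enabled ? "on" : "off");
    printf("shortcut login:     %s\n", shortcut_login_works() ? "ACCEPTED" : "rejected");
    go_live(&d);
    printf("network after Go Live: %s, banner still shown: %s\n",
           d.network_enabled ? "on" : "off", banner(&d)[0] ? "yes" : "no");
    return 0;
}
```

The point of routing everything through one macro is that the three behaviours the commenter lists are inseparable from the shortcut: a dev build cannot be quietly shipped because it announces itself on every page and refuses to join the network until someone clicks "Go Live", while a release build simply has no bypass to find.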
