I see the recommendation in the HEX-NET FAQ to change the VCDS-Mobile password, but I don't really see what that adds in terms of security. Even after changing the password to a non-default value, I can still use the HEX-NET from VCDS (desktop) without knowing its password, even if I connect to it over the network rather than USB. And at that point I can do almost everything that can be done within VCDS-Mobile. The only things I can see in VCDS-Mobile that can't be done in VCDS are:
If security is a real concern here, then the HEX-NET should require VCDS desktop to provide its password whenever connecting to it over the network. Or at a minimum, there should be an OPTION within VCDS-Mobile to make the HEX-NET operate this way. In that case, if the user selects NET mode in VCDS desktop and clicks TEST to connect to a HEX-NET that has this option enabled, VCDS will prompt for the HEX-NET's password, and the test will only succeed if the password is correct. (Maybe VCDS desktop could optionally store passwords for HEX-NETs by serial number for convenience.) Skipping the password prompt for USB connections would be reasonable, since in that case the user has physical access and could therefore reset the password anyway. But if VCDS desktop can use a HEX-NET over the network with no password, then protecting VCDS-Mobile doesn't seem to deliver much of a security benefit.
- View Saved Files (are these sensitive?)
- Setting Debug Level (changing that doesn't seem like a security risk)
- Low Power Config (same as above)
- Remote Control (not even sure what this is)
- Change Password, Clear Dataset Cache and Clear Rod Files (all can be done from the physical button. Even if an attacker doesn't have physical access, clearing cache and rod files doesn't seem like a security risk, and changing the password is only a security risk if the password is protecting something worthwhile.)
If security is a real concern here, then the HEX-NET should require VCDS desktop to provide its password whenever connecting to it over the network. Or at a minimum, there should be an OPTION within VCDS-Mobile to make the HEX-NET operate this way. In that case, if the user selects NET mode in VCDS desktop and clicks TEST to connect to a HEX-NET that has this option enabled, VCDS will prompt for the HEX-NET's password, and the test will only succeed if the password is correct. (Maybe VCDS desktop could optionally store passwords for HEX-NETs by serial number for convenience.) Skipping the password prompt for USB connections would be reasonable, since in that case the user has physical access and could therefore reset the password anyway. But if VCDS desktop can use a HEX-NET over the network with no password, then protecting VCDS-Mobile doesn't seem to deliver much of a security benefit.
Last edited: