Those ‘Hacked’ Crosswalk Buttons Almost Certainly Used Default Passwords

Iain Thomson at The Register follows up on the “hacked” crosswalk buttons across Silicon Valley (and Seattle!) that hilariously spoofed the voices of Mark Zuckerberg and Elon Musk. He notes, first, that the app to manage the devices was pulled from the various app stores as a theoretical precaution against further “hacks”, and second:

After installing the app, and linking the smartphone to a nearby crosswalk system via Bluetooth, the user can configure the spoken messages triggered by button presses, adjust the signal timing, and install language packs […]

However, getting in requires a password — and anybody who’s worked in security can see where this is going. As Polara’s own documentation states, the default passcode is 1234 and it’s up to the purchaser to change that in production. We’d wager most installers never bothered, or picked something easily guessable.

This was also my assumption when I skimmed the device manual. I refrained from explicitly noting the password, figuring anyone curious enough to read the manual would know what to look for.

But I’m not convinced access was achieved via an unchanged or easily guessed password. First, the system requires changing the default password:

Each unit will require the password be changed from default in order to avoid the repeating “Change Password” voice message.

Second, there’s a ten-minute timeout after five wrong entries. Truly simple passwords (1111, 1212, 1397, 1471, 1595, and other repeating or geometric patterns) might require only 20 to 30 minutes; more difficult ones could require a couple of hours. Humans being human, it’s possible, even likely, that there was a remarkably poor password choice. With enough “hackers” at enough crosswalks—or simply persistent effort—brute forcing it is a very likely scenario.
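To sanity-check those time estimates from the defender’s side, here is a small model (added here, not from the manual or Polara) of how much guess budget a fixed five-attempts-then-ten-minute lockout actually grants against a four-digit PIN. It assumes the lockout is a flat ten-minute window after every five wrong entries and that the counter resets when the window ends; the manual’s exact counter behaviour is not described on this page.

```python
# Constructed model of the lockout policy described above.
# Assumptions (not stated in the manual excerpt): a flat 10-minute lockout
# after every 5 wrong entries, counter reset after each window.
ATTEMPTS_PER_WINDOW = 5
LOCKOUT_MINUTES = 10
PIN_SPACE = 10_000  # four decimal digits, 0000-9999


def minutes_to_reach_guess(n: int) -> int:
    """Minutes of lockout that must elapse before the n-th guess (1-based)
    can be entered. The first window costs nothing; each later window
    costs one full lockout period."""
    if n < 1:
        raise ValueError("guess index must be >= 1")
    completed_windows = (n - 1) // ATTEMPTS_PER_WINDOW
    return completed_windows * LOCKOUT_MINUTES


def guesses_affordable(minutes: int) -> int:
    """How many guesses fit into a given amount of patience: one free
    window plus one more window per completed lockout period."""
    if minutes < 0:
        raise ValueError("minutes must be >= 0")
    return (minutes // LOCKOUT_MINUTES + 1) * ATTEMPTS_PER_WINDOW


def worst_case_minutes(space: int = PIN_SPACE) -> int:
    """Time to exhaust the whole PIN space (the last PIN falls last)."""
    return minutes_to_reach_guess(space)


def median_minutes_random_pin(space: int = PIN_SPACE) -> int:
    """Time to reach the median position of a uniformly random PIN, i.e.
    what a well-chosen PIN buys the owner under this policy."""
    return minutes_to_reach_guess((space + 1) // 2)


if __name__ == "__main__":
    # The author's "20 to 30 minutes" corresponds to a list of only
    # 15-20 candidate patterns; a random PIN holds out for about a week.
    print("guesses in 30 min:", guesses_affordable(30))
    print("median, random PIN (days):", median_minutes_random_pin() / 1440)
    print("worst case (days):", worst_case_minutes() / 1440)
```

The takeaway for anyone fielding such devices: the lockout caps throughput at 30 guesses per hour, so it protects a random PIN reasonably well but does nothing for a PIN that appears in the first few dozen obvious patterns.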

However, there’s another possibility, one which makes me face-palm and chuckle. From the device manual:

If the password is unknown, the password can be reset to factory default by tapping the Reset button on the password prompt dialog. Call Polara at the number listed on the reset dialog and request a password reset verification code. Enter the new verification code into the dialog box and the password will be reset to 1234. Enter the default password at the prompt and then follow the below instructions to change the password from default and continue configuring the device.

Yep, you can just call the company, give them a “challenge code” from the app, and they’ll reset the password to the default.

It’s unclear if there’s any additional verification.

Security theater at its finest. You wanted a miracle, I give you the IT Team.

HP Really Hates Its Customers

Paul Kunert for The Register, on Thursday:

HP Inc is trying to force consumer PC and print customers to use online and other digital support channels by setting a minimum 15-minute wait time for anyone that phones the call center to get answers to troublesome queries. […]

At the beginning of a call to telephone support, a message will be played stating: “We are experiencing longer waiting times and we apologize for the inconvenience. The next available representative will be with you in about 15 minutes.

“To quickly resolve your issue, please visit our website support.hp.com to check out other support options or find helpful articles and assistant to get a guided help by visiting virtualagent.hpcloud.hp.com.”

Paul Kunert for The Register, on Friday:

HP Inc today abruptly ditched the mandatory 15-minute wait time that it imposed on customers dialling up its telephone-based support team due to “initial feedback.” […]

It went down like a lead balloon internally at HP, with some staff on the front line unhappy that they were having to deal with a decision taken by management, who didn’t have to directly interact with customers left hanging on the telephone… for at least 15 minutes.

Now HP has abandoned the policy […]

Imagine being so tone-deaf as a company that you force your already frustrated customers to wait unnecessarily for help, as a way of foisting them off onto online “self-solve” options (which, I’m guessing, many had already tried—and which failed to help).

Perhaps HP was trying to save a few ducats to cover their recent acquisition.