Sprint DSL's Security Hole Easy As 1,2,3,4
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
Time to change the combo on the luggage again.
The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.
The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.
You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
Colonel Sandurz: "1-2-3-4-5."
Skroob: "1-2-3-4-5?"
Sandurz: "Yes."
Skroob: "That's amazing! I've got the same combination on my luggage!"
Who needs a social engineer to get the password, when we have the fine folks at Sprint around.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
Is talking about security holes legal under the dmca?
except that yours wasn't first. :P
Yeah.. but 90% of home users can't remember their email password, do you really want them changing the password on the hardware... It comes with the default password, it's impractical for the isp to change them all, and should the user change it, then forget it, it's an hour-long tech support call to fix it. Replace user, press any key to continue.
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
The radio shack modems in the back room run on these things, but the password is the first thing we change when the modem is pulled out of the box. So, don't try to hax0r RS. heh
Beep. Boop. Beep. You have questions. I have answers and your home address.
Anyone who installs one of these modems should change the password. It's that simple. Most routers have "admin" "password" combinations. They are all the same. It is the installer's responsibility to secure it.
AT&T's key lock hack and Sprint ZyXel Prestige 642 and modems security hole sounds like a party waiting to happen.
-NM
Why would the default be 1234? I'm surprised they didn't make it 'password', that'd be too classic. It could have been anything. Even 'asdfghjkl' is harder to guess than 1234. I wonder who made that decision ...
This is Sprint, the ISP who doesn't do a thing about hackers originating from their domain.
I don't know how many times in the past I've tracked hackers at work to Sprint's networks.
Getting a reply or action from Sprint Security is non-existent. I guess it takes an article published in 'Wired' to get action from them.
Sprint and Prodigy are renowned for not working with customers in addressing security issues.
Dolemite
_________________________________
Save the World! Use a Quote!
Roland: One.
Dark Helmet: One.
Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!
Run with Scissors!
As much as I don't like Sprint, it's not their fault that people aren't changing the default password. If people don't change it, it's their own fault if they get burned.
"Wired found that more than 90% of the modems they polled were using that default password."
Believe it or not, "polling" modems by checking their passwords is hacking. If not hacking, it is at least dishonest. How can I trust Wired not to root around my box looking through my private files now that they "polled" my computer to make sure I didn't use a default password?
That's the kind of stupid number someone might put on their luggage!
I've always been told that the longer the password is, the harder it will be to crack. :)
7 chars or more....therefore...1234567 is good?
Hoooo, mix alpha and numeric, therefore
1234abcd
My luggage PIN is 9999
Known about this for years, I'm amazed that it took this long to come to the public eye. I'll just go home to my apartment now, knowing that my lock will keep the kid next door out (doh).
Can j00 0wnz0r me now? g0000d!
How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.
Whale
I find this hilarious considering I JUST got back from a friend's house where his CPE was non-functional. He'll be switching to my ISP when his 1 year contract is up.
But hey, he was only paying 30 bucks a month for the first 6 months! and surprise, he got what he paid for.
Get paid to code OSS
Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)
Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.
This has been around for a while. I wonder how many users have actually been affected.
ZyXel should set it so the password is randomized by default. That way, it might not be possible for the user to get in, but at least it will be more secure. For boosted security, they could make it re-randomize the password every hour.
Jason
ProfQuotes
You'd have to be an idiot to lock your luggage, because with today's new airline security restrictions, that would get you a suite at the GWB's Guantanamo Hilton!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.
So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
I read the internet for the articles.
I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our responsibility to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISPs will NEVER have customer service that compares favorably to a local ISP.
-- Sent from a computer.
What? How'd you get my luggage combination?!
20 Print "Brought to you by the 133t Animal Kracker"
30 Print "Go 0wnz some modems!"
40 END
f34r my sk1LLZ!
BTW: The Animal Kracker was the name I used when I was 13 and using Locksmith 3.0 to copy Apple II games. Ahh.. the innocence of youth...;)
They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones that have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?
HA! I bet you thought I was going to make another Spaceballs reference.
You couldn't be more wrong.
Anyway, making a password system like this is stupid and careless. It's a safe bet that if you EVER set up a system (especially if popular and Internet-related) involving default passwords, it'll be compromised pretty quickly.
How much harder would RANDOM passwords have been? Sprint is ignorant and careless and their mobile phone service sucks too.
~D:
Trolls lurk everywhere. Mod them down.
Why is it that ppl will spend a fortune securing their homes and cars and leave their computers wide open? Unfortunately all these stories wind up on the tech sites but Joe six pack only reads the sports section of the newspaper.
About a month ago, I had to help my on-site person hack into one of those Zyxel modems since they had a fixed IP, and the modem came NAT pre-enabled. Why does the world want NAT enabled?!?!
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
I've used Zyxel (sp?) dsl modems before, and iirc their admin interfaces were only inwardly pointing (only accessible via the ethernet i/f). Is this the case and Wired is overstating the problem, or is the outward admin IF turned on and Sprint are dumbasses? Or is there no way to set it and my memory is shot?
How about continuing the poll to see how many people that changed the password to "secret" or "god" or *gasp* left it blank. I bet that is where you will find the 9.5% of the remaining 10% who did change the password.
The ISP is lazy, the users are ignorant, and that modem manufacturer...
My router/firewall has the same default password, but has remote administration disabled by default
Why is this feature enabled by default? The ISP doesn't need it for anything, otherwise they wouldn't tell the users to change the password (hence the ISP couldn't login)
I ran into the same thing when I was at the University of Scranton. Everybody's voice mail password was defaulted to their room number at the beginning of the year. However, most people never changed it. So I would dial in to their voice mail, leave a rather rude sexually explicit voice mail greeting and then change their password. Oh the fun and the horror.
-Dipster
Jobless, and too smart for my own good, I'm tempted to try and find some routers. Just tempted, I never do bad stuff like compromise others' networks.
Why didn't sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and been done with it.
Now that it's been published on wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored"
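The fix proposed in the comment above and in the earlier "create a db with a random string" comment, as an added example that is not part of any poster's comment or of Sprint's tooling. It plans the rotation offline: which modems still have the default password, which of those answer on the WAN side, and a unique random password for each; the inventory records, field names and addresses are constructed assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 20

# Constructed inventory. Field names are hypothetical; addresses come from
# the RFC 5737 documentation ranges, not from any real network.
INVENTORY = [
    {"id": "cpe-001", "ip": "192.0.2.10", "mode": "router",
     "wan_telnet_filter": False, "password": "default"},
    {"id": "cpe-002", "ip": "192.0.2.11", "mode": "router",
     "wan_telnet_filter": True, "password": "default"},
    {"id": "cpe-003", "ip": "192.0.2.12", "mode": "bridge",
     "wan_telnet_filter": False, "password": "default"},
    {"id": "cpe-004", "ip": "192.0.2.13", "mode": "router",
     "wan_telnet_filter": False, "password": "changed"},
    {"id": "cpe-005", "ip": "192.0.2.14", "mode": "router",
     "wan_telnet_filter": False, "password": "default"},
]


def wan_exposed(dev):
    """True if the admin interface can be reached from the internet side.

    Follows the thread: a modem in bridging mode has no WAN IP address,
    and a WAN-side telnet filter blocks remote logins on a routed one.
    """
    if dev["mode"] == "bridge":
        return False
    return not dev["wan_telnet_filter"]


def new_password():
    """Random password from the OS CSPRNG, not from the serial number."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def plan_rotation(inventory):
    """Return one rotation record per device still on the default password.

    WAN-exposed devices come first so the riskiest are fixed first. Every
    device gets its own password: one shared "secret" for the whole fleet
    fails for all customers at once as soon as it leaks.
    """
    todo = [d for d in inventory if d["password"] == "default"]
    todo.sort(key=lambda d: (not wan_exposed(d), d["id"]))

    issued = set()
    plan = []
    for dev in todo:
        pw = new_password()
        while pw in issued:  # astronomically unlikely, but enforce uniqueness
            pw = new_password()
        issued.add(pw)
        plan.append({
            "id": dev["id"],
            "ip": dev["ip"],
            "wan_exposed": wan_exposed(dev),
            "new_password": pw,  # belongs in a secrets store, not a flat file
        })
    return plan


if __name__ == "__main__":
    for rec in plan_rotation(INVENTORY):
        flag = "WAN-EXPOSED" if rec["wan_exposed"] else "lan-only"
        # Print only that a password was issued, never the value itself.
        print(f'{rec["id"]} {rec["ip"]} {flag} password issued')
```
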
As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).
Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?
...an idiot might put on his luggage!?!!
When I signed up for US Worst's (now Qwest/MSN) DSL about four years ago, the Cisco 675 modem they were shipping came with a default password. You could telnet in to the modem from over the internet, reconfigure it so that the user couldn't connect to the web and then change the admin password so they couldn't fix it! >:) To make it even easier, all the DSL IPs had hostnames containing "dsl", so a simple DNS zone transfer saved having to scan for the modems/routers.
To only allow remote access once the password had been changed by the user.
I have been doing xDSL installs for a few years and I have noticed a strange thing...
All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.
In contrast some of the smaller xDSL providers seem to be more on the ball with these things.
I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.
One more thing... one more luggage joke and I'm going to have to kill someone...
Vidomi Killer media player and network distributed video encoder.
I always thought it was spelled Skoorb, which is Brooks (as in Mel) backwards...
Maybe you missed it cause it was only posted once.
You mean like this (http://developers.slashdot.org/article.pl?sid=03/01/21/1752251&mode=thread)?
um... i think they did.
This is a lie. There is in fact a slashdot story on the CVS exploit. You're getting a little too ambitious about spamming Slashdot, aren't you NineNine?
On the other hand you seem to have all it takes to be a Slashdot Editor.
Has the same exact issue. All of the Cayman & Efficient routers are usually set up with the default password. Which by a quick google search, is easily obtainable.
This only applies to business customers who ordered the router option instead of a bridge.
No conspiracy here. Guess you missed it the first time. Don't worry, I'm sure it will be posted again soon.
Oh kinda like this one that was reported yesterday?
"If a quarter is two bits, then a dollar's a byte." -R Deric Miller
Here is the slashdot article.
Considering how much you seem to know I'm sure this is not what you're referring to?
...but what the hell is up with the MICROSOFT ADS on slashdot?!?!
:p Time to start junkbuster up again.
Anyone else notice that bull? Not only is Taco not watching what posts he is reposting, but is also lax on what ads he serves!
Gee do you think maybe it was THIS one? http://developers.slashdot.org/article.pl?sid=03/01/21/1752251&mode=thread .... on the other hand, I spend altogether too much time on /. ... sigh...
Funny, I'd say you'd have to be an idiot not to realize that it's a quote from Space Balls... as well as a bunch of other places. Mod you down.
Of course, /. isn't going to post an article telling about a serious hole in CVS [com.com]. Especially considering their own Sourceforge...
:)
Yeah! Slashdot would never post an article like that! Especially not a few days ago on the front page! (If you missed it the first time I'm sure you'll get to see it again in a few days.)
Note to whoever modded that up as informative. I would recommend at least reading Slashdot before moderating it. Then again, if those doing the posting would do the same we wouldn't have nearly as many duplicates...
Are we allowed to secure the modems or will we get sued for modifying them?
Your security is only as good as your dumbest user.
A buddy of mine and I have been uttering those words for years.
Wired found that more than 90% of the modems they polled were using that default password
Isn't this wrong?
Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IPs on our ISP's network. These were all trying to infect the machine with Back Orifice, but since it was already patched, they just DOS'd the box.
When the DOS was done, I promptly and naively swept the ISP's class-B for open port 31337 (Back Orifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.
They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.
I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.
Anyone care to comment?
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Hey, this story was already discussed on 15:20 21st January, 2003.
Please move along. No conspiracy here. Try not to snark too quickly.
Please email all complaints to root@127.0.0.1 and the issue will be dealt with in due time.
I think so. Seems that general laziness is more of a security threat than any other. It's much easier to leave a default password or make a simple one such as this than to generate either a unique one per modem or at the very least a unique one for the company.
Also, them blaming the user is totally bunk. 90% of home dsl users are lucky to be able to even run outlook express let alone go in and change a password on a router. This is more disgusting than anything IMO. They should have at least generated another password for these routers before they shipped them. Yes, people who run these types of connections should have more of a clue but companies have to start owning up to and taking actions to help prevent this when the main consumer for that product are people with little to no knowledge of computers.
Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port25 blocked dial-up. Just telnet to the rooted router on port 33 and you are auto-majicly sent to AOL's mail server. Spam away!
Michael Loves Me!
Disallow remote administration. Maybe this is different, but my Router (and cable modem for that matter), can only be accessed by the inside. I have changed the default password, but the fact that it is admin/admin is fine, as long as no one gets into my network.
How come sprint allows access on both adapters (LAN + WAN)??
Time to change the password on my ICQ!
...what are we fightin' 4?
Don't ask me I don't give a damn.
Next stop is big Bagdad.
Read the article. They polled users of these DSL modems.
db
Cig:
ôô
And i would not use them for maintenance...
I'm supposed to change a password they never told me about for my protection.
I'm not supposed to change any other config files though, that's hacking and stealing.
I'm ~comfused~?
First of all access to admin from a public IP is bad...just bad. In that case I would be set up to ssh into my linuxbox and then telnet to the router. My setup is actually a bit different, my router requires a web interface from the private side so I use ssh and vnc through my linux box, using Wake-on-lan to start up my windows box and VNC through the linux box to access the router setup through IE on my windows box. If you follow that or just the first method if telnet works on your router the only key is a good password on ssh on the inside box....which if you know you're setting up to access from the outside you should have a good password. And those not smart enough to do that won't need to and hence no port forwarding for ssh to work at all.
LinuxWorx
Spelling errors are intentional as are gramatical error
I quickly found this problem on my Sprint DSL, and checked a few other addresses "near" mine to see if I had just overlooked something during setup where I was supposed to change the password, and found that most modems were wide open. I informed Sprint, and here was their response:
:-/
Thank you for your recent e-mail. I appreciate the opportunity to address your inquiry.
You have reached local password reset only. Please contact your local telephone company for further assistance.
We appreciate your business. If we can be of further assistance concerning
your Sprint service, please visit us at http://www.sprint.com, or you may email us at customer.servicenet@mail.sprint.com.
Aside from the total lack of security by default, and their insistence on routing everything from the Seattle area through Fort Worth, which is 100ms away on Sprintlink, they have been pretty good.
Captain: What happen ? Mechanic: Somebody set up us the Sprint DSL. Operator: We get no signal. Captain: What ! Cats: How are you gentlemen !! Cats: All your files are belong to us. Cats: HA HA HA HA ....
Just set the password to the last 4 digits of the serial number of the modem. No need to remember, easy to find for the users, not so easy for the hackers.
"Your /. discussion of security, and how to bypass it, on our modems is a violation of the Digital Millennium Copyright Act (DMCA). Please remove this discussion from your forums or we will be forced to take legal action."
I'm just waiting for this to show up.
Phoenix
Well there is this article... Remote Root Exploit in CVS http://developers.slashdot.org/article.pl?sid=03/01/21/1752251&mode=thread
Posted three days ago.
Go out and get sailing!
If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administratable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).
Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).
as I gaze at my brand new ZyXEL Prestige 645 DSL bridge that arrived a mere two weeks ago with my DirectTV -> Speakeasy DSL transition.
and I wonder...
I have one of these routers in Switzerland, and at least I changed the password to something slightly better... But I remember trying to access the administration interface from the outside, and I couldn't get in. I don't remember if there was a setting for allowing administrative access from the DSL interface, though.
So why are all these routers "vulnerable"? Mine isn't....
Maan
...not yet :-)
db
Cig:
ôô
It's much easier for the company since they know all the IP addresses. You would have to figure them out in some much more tedious way.
Everyone is used to having their hub/router with a password on it, and in the manual one of the first things it says to change is the password. If a cable engineer installed a cable modem, though, I would not immediately think 'oh this thing is gonna have a password' and rush off and change it. This is coming from a slashdot member - joe hardware-illiterate may not even realise that the darn thing has a password, let alone that the admin interface is publicly accessible to anyone who wants to try their luck with 1234. I saw another post further up that said they didn't know it had an interface at all - this is worrying.
They don't mention that the telnet interface is by default only accessible from the inside of the network.
Interestingly, we just conducted a non-scientific survey for a class project about passwords that people use. This included things like luggage, email, voicemail, etc., from your typical teenaged high schooler.
:p
Results collected:
30% used 123 or abc equivalent depending on length*
19% used their name or combo (like JDoe or JohnD)
16% used a date or part of (not b-day)
9% used their birthday (or part of)
6% used their name backwards
5% used a pet name
15% other**
* 63% of the people who used 123(4) used it on their luggage.
** 3% of this other was something like "asdf" or "qwerty" or "jkl;" (presumably for computer related passwords). other also included stuff like phone numbers, names of other people, street addresses, and just some checked the box 'other' with no explanation.
100% used a xx-xx-xx type numerical combination for their lockers. not including those who jam theirs always open
Now, whose fault isn't it again?
Isn't it great how the second post can be modded redundant?
Tuus crepidae innexilis sunt.
People NEVER, as a group, take that extra step.
They ALWAYS take the dumb, easy way. How do you think Bill Gates made all his money?
It's Christmas everyday with BitTorrent.
I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection but they are my internet provider. Yes they did change the default password and they even support Linux, but I'm digressing.
As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.
So did Sprint disable the filter and not change the password? That would be rather strange...
If it is, you just violated the DMCA by publishing an encrypted password. Off to jail for you can be as easy as: 1-2-3-4.
what percentage of those people changed the password TO 1234 at some point, but that it just happens to also be the default.
Linksys has similarly easy password in their Gateways/Routers/Firewalls. No username and password is "admin". These routers are configurable remotely too - thank god that feature is off by default. I seem to recall them having a serious overflow bug too that would allow exploitation anyway.
Random is the New Order.
Use of the default password has been going on since time immemorial. Apparently Richard Feynman who worked on the Manhattan Project (which developed the first atom bomb) had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.
Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my password to my daughter so that she could logon to my linux box at home. That was solved by giving her an account of her own.
Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
Obviously the Sprint techs would need to be able to access this box remotely so they would need those interfaces open. Additionally if they're like cable modems then there is some provisioning software d/l's that may go on occasionally.
There are definitely ways that they could improve that like using certs and trusted IP ranges, but they probably went for the easiest route instead.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Windows 2000 site goes over two years without a reboot
This month is the first time that a Windows 2000 site has appeared in the 50 top sites which have the longest period of time since last reboot. www.byteandswitch.com has been running continuously since November 2000. When we first started graphing web servers uptime in the summer of 2000, many people were skeptical that a Windows machine would ever make the top 50. Perceptions change, and although two years is exceptional, several Windows 2000 sites have run for more than a year without a reboot. In the hosting industry, Microsoft partners Interliant and Divine each have sites that have not been rebooted in over a year, while Microsoft has also run several of its own sites for over a year between reboots.
-- These MS sites have to be prime targets for crackers. --
All Zyxel modem/routers being shipped in my country come with a red warning page explaining that the first thing to do once the user is connected is to change the password of their modem/router.
Covad uses modems by the same manufacturer with the same default password.
waaahhh! I made an ass out of myself and someone noticed!
Suck it up.
You attacked Slashdot with your post, which was without fact. If you're so concerned about Slashdot noticing things, then shouldn't you hold yourself to the same standards and at least do a keyword search to see if there WAS an article before assuming that there wasn't? That's like whining because the newspapers only ran a story once. I can't even remember the last time I saw the same (print) publication run a story twice.
I have a fujitsu speed port modem, do these have the same problem????
"I bow to no man" - Riddick
I just had Sprint DSL installed at my house YESTERDAY. I asked the tech about login info, user manual, etc for the Zyxel modem so I could get in & configure it, change admin logins, etc - his response was, "Oh, you don't need to do that, it's preconfigured already." So apparently their techs don't believe there's a need to secure them??
Greaaaaaaaaat.
Has anyone bothered to check the Terms of Service for Sprint's DSL? Chances are changing settings on the modem is against them. Every time I've read one of these there is always a provision against modifying settings, prime examples being caps on cable modems. The fact that they are trying to pin this on the user is yet another instance of corporations wanting to be paid for a service that they will only provide when forced to do so, and then poorly.
First thing I did with my ZyXEL Prestige 600 is change that damned default password.
To do this, at least on my 600:
1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
2. Use the default 1234 password, and then hit return to log in.
3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
6. When you get back to the main menu, exit your telnet session by typing "99".
7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
8. Profit.
I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.
Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like w/ a firewall.
To block incoming telnet sessions on the WAN, check out this page. This page also offers a "probe" you can use to discover vulnerable modems.
Finally, check this list for common default passwords. This is an important page, so check it for any equipment you might be using.
W
-------------------
This is my SIG. There are many like it, but this one is mine.
Come on, leaving the default passwords on ANYTHING connected to your PC....You are STUPID and deserve what will inevitably happen.
I noticed it had telnet disabled, and ssh enabled. I couldn't even hit SSH locally or from the Internet. I had to do it from one of my ISP's internal IPs (they have a shell box.)
Why are these devices accepting admin connections from the WAN port by default? That's just plain nuts!
...that although Sprint provides my physical DSL, I actually use a different ISP. I bought a 'dumb' modem from ebay, and am very glad I did. Web interface for a simple bridge? No thanks.
The local DSL monopoly here in Puerto Rico, (PRTCDSL) uses those same modems. I got them pretty early on, and, indeed, the modem was set to 1234. First thing I did was change that to as long and complex a password as I could, especially after I realized that I could basically go into any other DSL user's Zyxel and not only find out their username and email, but change their internal modem settings, so that, for example, all their ports were blocked, their DNS numbers were wrong, and basically just make their connection unusable. I also urged all my acquaintances who had the service to switch their passwords. Nearly 2 years later, PRTCDSL is finally changing this.. the modems now arrive preconfigured with a password that they don't tell their clients. It's pretty much a very closely kept secret inside the company, they don't tell it to anyone. If you want to change any of your DSL settings, you have to call their Tech Support and have someone do it for you. However, I'm pretty sure that it's the same 'secret' password on *all* the new modems.. so, if someone finds out what that password is and lets it spread, we'll have the same problem as before, except worse, because the home users won't be able to go in and change the passwords themselves 'cause they're locked out.
"Two things are infinite: the universe, and human stupidity. And I'm not sure about the first one." - Albert Einstein
What are you smoking....and can I have some?
Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.
First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific piece of equipment would create a logistical nightmare.
Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.
I'd rather you do it wrong, than for me to have to do it at all.
Ok, there is default password on ZyXEL *DSL equipment, but in order to access ZyXEL device you need telnet access to it (or SNMP).
:).
SPRINT should firewall outgoing telnet connections to their DSL customers with ZyXEL and end of story.
Last time I checked, those ZyXEL devices had no SSH port enabled
how exactly do you come to the conclusion that your ISP was "keeping an eye on you"? I mean, what evidence did you see...
.....we... ...are.... .watching. ..you..... [100%]
% wget http://some.site.out.there/foo
--15:23:09-- http://some.site.out.there/
=> `foo'
Connecting to 1.2.3.4:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 666 [text/html]
0K ->
Hahaha.... the 0wner got 0wned.... Anyway, keep trying :) Style of the troll was good, research is just the easy work, you will get there!
nmap -sP xxx.yyy.*.*
Voila! A loooot of IP address to play with...
Why did parent get modded as "Troll"?
Giving the same default password to all your customers and then not forcing them to change it, not even showing them how to change it, is ignorant and careless. A company that has been in the tech business as long as Sprint should have known this.
~D:
So who is your local mom&pop DSL provider? C'mon, give a good company some publicity here! I'm in the UK, makes no difference to me but I just like to see small companies given a chance....
Feel that power? That's mah MOUSING FINGER
They refused to let customers have the DSL modem password, so that they wouldn't screw it up. While waiting on hold for oh, about 3 hours, to get a tech to fix one of their screw ups, I downloaded the manual. I figured out how to fix the problem, and then, just for grins, tried the factory password. It worked. I fixed the problem. About that time the tech answered. I told him how I fixed the problem. He asked me not to change the password, as it was their policy to leave them *all* at the factory default so that they could easily access them. They had actually thought about the problem, and made an active management decision to require fsck'ed up security. Sheesh.
I had one of those modems when I tried to set up my earthlink dsl I used to have. (Went with verizon because earthlink couldn't get their sh*t together over several months...) It had the exact same default password...but the interesting thing was how earthlink dealt with me. I telnetted into my modem a number of times to try to see what was going wrong with my connection etc., and when I told the tech support people about it they griped at me as I apparently wasn't supposed to do that...when that is the only way to change the PW. (And the modem comes with instructions in REALLY fine print that tells you how to do it.)
Pretty crappy.
i saw this almost 2 weeks ago with cayman dsl routers at http://www.pivx.com/kristovich/adv/mk003/
seems to be about the same thing
This is the saddest thing I have ever heard of in the security world. I would expect at least a password that is different for each modem. I do not know how Sprint overlooked this but let's hope it does not happen again.
4 numerical digits... So it would take 9999 tries to guess the password?
That's not very secure if you ask me.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I know this is flamebait, but any security breach could be a serious problem, social engineering or not.
void
...damned if we don't!
So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having a unsecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door with guns drawn?
Nice.
I remember when society used to have common sense. I miss those days.
WWJD?
JWRTFM!
No, actually we handed out papers with check boxes on them and asked people to check what kind of passwords they use. Like, for email do you use ()1234, ()your name, ()pet's name, ()other. We had many options so as not to influence or make people settle for a "best fit answer". Like that is how we did it. I forget exactly the details, my partner did the questionnaire. It was also anonymous and people turned the papers into a box so you couldn't tell who submitted what.
Come on, we aren't that stupid. If we asked:
Name ______________
Email password _____________
Who really would have responded? I may be in high school and that makes you feel superior, but I am not that dumb. And neither are the people we surveyed. I think that you would find the average high schooler more computer (and password) savvy than the average person Mr. Mitnick queried.
99% of owners of linksys routers haven't changed the password away from 'admin'.
99% of owners of wireless networks haven't bothered to add any sort of access control.
What else is new?
A Minesweeper clone that doesn't suck
Why is it that people always say "Richard Feynman, one of the guys on the Manhattan Project"?
I propose we say instead:
"Richard Feynman, a guy who achieved much more than working on the Manhattan Project"
- or just ignore me.
According to a bugtraq post, uploading a dummy rom file with a valid size will automatically render the box unusable (reboots itself, can't do anything but upload a new valid firmware thru serial port using x-modem).
Now, some script kiddie will do a massive DoS against the users, and some Sprint sysadmin will go nuts discovering the whole mess they're now in.
G'd luck to the QA department over there.
have you been defaced today?
on their consumer routers. admin/1234. If you don't change it, it's your ass.
Peter
www.alphalinux.org
Yeah, I feel sorry for you, since the only way you can really be safe from nested posting is to get first post, but even then you might get a -1 redundant score!
I have Earthlink DSL which came with a ZyXEL 645m and after seeing this story I checked my modem. For over a year I've had the combination to the air supply on Princess Vespa's planet as the password for my modem. How was I supposed to know there was even one to begin with? None of my other modems have ever had one (phone, cable or DSL). I guess next time I'll RTFM a little more closely.
Well check out This website for many common passwords..
From the site:
"NOTE: This listing is only provided as a resource to network administrators and security professionals. It is also meant to remind people that a serious problem exists when people configure a network or a computer system and do not change these passwords. The manufacturers of the listed devices, software or systems are not to blame for this problem, and we are not trying to discredit them or their products. A default login is a means for an end user of a product to complete the initial setup of the device or system. Most manufacturers strongly recommend their end users change these logins and passwords for security reasons."
Silence Bossy Meat Creatures!
Sprint posted at its DSL support site today some instructions on how to disable remote management in the ZyXel P645 modem. They are available in PDF here
In a nutshell, they instruct you to use the unit's system management software to turn on some filters that block incoming port 80, 21, 23, and 69.
Really securing these routers was the responsibility of the people who bought them from Sprint. That said I am sure Sprint did nothing to advise these people of the importance of changing their passwords to something secure. Generally anything vaguely technical or security related is hard to get past an ISP's marketing division. They believe such information scares away potential customers.
That's the funniest post I've ever read with a subject of "Shit".
25% Funny, 25% Insightful, 25% Informative, 25% Troll
I've got a Fujitsu DSL modem. Not even aware if there is an admin interface to it. Anyone know?
unless you are using MSN on a qwest line, you have to buy the cpe from them. you can't get out of it. if you have a closet full of 678 dsl modems from past hookups, they will be sending out the current intel or actiontec unit if it looks in the records like a new install. no way out. it will be on your next bill.
you have to read ALL the small print, or hassle the sales person until you get the information, no matter what service you're getting.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I changed the password the first day I got my 642M, a little over a year ago. A quick search on google provided the password.
And this may be of interest. Not too long ago I switched to a static IP, but it wouldn't work.
Trying the provided software, and updates, on a Windows box, and it *still* wouldn't work.
After days of talking to the tech support monkeys one finally suggested removing all the software and simply setting it as the proxy.
This didn't work, either.
What I had to do was log in, and access a *hidden* menu, to set up a static bridge.
When you start off with a static, it's pre configed would be my best guess.
I couldn't find anything about it on Sprint's site, Earthlink's, or Zyxel's, and the tech support drones didn't believe me. Thank goodness I had been curious beforehand.
Just log in, and try random menu numbers, there's 4-5 IIRC.
1234 has been the default password on every piece of zyxel equipment i have worked with/used/0wned.
I once had an account with ISP image.dk (later worldonline.dk, now tiscali.dk) and they supplied zyxel equipment themselves, you could scan their entire IP range and log into hundreds of ISDN routers with the password 1234. easy as 1234 indeed!
"System/manager" is one of the default accounts. [...] another is "sys/change_on_install"
You were just caught redhanded by providing instructions to circumvent security measures on a device...
(I hope the humor impaired get it...)
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Firstly, I use Covad as my DSL provider and I have the CPE that is mentioned (645). The difference is that Covad was smart enough to ship the 645M which is hardwired as bridge only and not as a router. The 645R is the router version (not mentioned in the Wired article and not even denoted on the hardware itself). The router that Covad sends its business and SOHO customers is configured better and comes with better docs.
Secondly, Sprint didn't include documentation on how to change the password (or even tell you to change it). They sent out a router to ALL of their customers when a bridge is sufficient, AND they didn't include documentation to help those people for whom a full router is overkill.
I think they should be a little more interested in their customer by at least providing docs, if not actually understanding their customer's needs.
IANAL, but I play one on
in bridge only mode, the 645 can't be telnetted into at all. so the bridge mode (which can be set on the router version) is safe regardless of passwords.
IANAL, but I play one on
and at cox.net (cable) formerly @home the default password for all email and web services is password
it's not like this type of stuff is uncommon.
when i had my dsl from qwest/msn i had sum crappy arescom modem the most u could do with it is see your ip network ip and connection stats and u could only access it from your local/networked pc. there was no security risk since there was no way to login to the modem only risk was nonupdated os / no firewall
Read it here if you're too impatient to wait for the dupe.
IMHO the dependence on passwords, any password, even the 8+ character, alphanumeric and special character passwords never written never given out to anyone under threat of death are NOT the best way to secure ANYTHING! I thought the /. crowd would at least have more well-thought ideas like some smart card technology. RSA SecurID has some good products, we use their keyfobs that have a randomly generated 6-digit number that is used in conjunction with a 4-digit PIN and while this isn't perfect and is not "free" (like traditional passwords) we are very confident in the protection of our data. Isn't anyone working on an inexpensive Smart Card or embedded Proximity Card that we can slip under our fingernails? Come on /.'ers!
"skate the web"
Troll, no, flamebait maybe, but if the poster the comment was for wasn't such a /. bashing ass it would have never been needed.
all your modem are belong to us!
The moderation system is for the sole benefit of the reader, not the poster, so the effect on a poster's karma is not taken into account when moderating a post.
Now, whose fault isn't it again?
The owners.
Whoa - who has all the mod points anyway? Every post in this thread got modded down... Anyone who would bother to look would notice the posting times on the replies were all so close that probably nobody replying even realized that somebody else was already in the process of doing the same. Time to do some metamoderation - I'm sure I'll hit at least one of these mods...
Perhaps the reason you got 13 replies in 10 minutes was because it was obvious to any regular /. reader that your posting was factually incorrect?
Why would Sprint change the default factory settings of the BIOS? To my knowledge the Zyxel 645R comes with remote mgmt already disabled. At least that is how my Sprint modem came configured. Second, who would not change their password as soon as configed? Then again how many wireless routers can we get access on?
There are just too many passwords to keep track of. Hell, I even forgot that my password to my DSL modem was 1234. But, to all you script kiddies I changed my password so don't even come poking around where you are definitely not wanted.
if congress were to provide legislation that ensures that tech companies have the same liability and accountability as most other industries - they would actually put some effort in prevention.
Consider that someone sues McDonald's successfully for the hot coffee they ordered burning them, yet if you use technology and get totally burned, it's your own fault.
something is awry in the legal system
"Omnis tuus capsa sunt inesse nos"
About a year and a half ago I started working for a DSL ISP that shall remain unnamed. Well, on my first day there they were having problems with customers going dark because someone was systematically hacking into the DSL routers at the customer premises and trashing the configs on them so no one could remote into them any more.
Of course that was possible because the morons at this company had the same manufacturer default password on all their customer DSL routers.
The solution? Some quick Expect script writing skill and a little perl and I had a script that walked every customer router, logged in, changed the password (different one for EACH customer, kept in a MySQL database for support to lookup). Took about 5 hours for the script to run its course locking down all the remaining vulnerable customers.
Of course I doubt anyone at that part of Sprint even has ever heard of Expect scripting so they probably see themselves as hopelessly screwed and unable to affect such a huge change quickly.
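The per-customer rotation described in the comment above, sketched as an added example (not the poster's Expect/Perl script): each device gets its own random password, recorded before it is pushed so a failed push can be retried without losing the credential. The `push` callback, the device names and the in-memory SQLite table are assumptions standing in for the real login session and the support database, and the sketch covers only the first rotation away from the known factory default.

```python
import secrets
import sqlite3
import string

FACTORY_DEFAULT = "1234"  # default named in the article
ALPHABET = string.ascii_letters + string.digits

def new_password(length=16):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))  # OS CSPRNG

def open_inventory():
    db = sqlite3.connect(":memory:")  # stand-in for the support database
    db.execute("CREATE TABLE creds (device TEXT PRIMARY KEY, "
               "password TEXT NOT NULL UNIQUE, state TEXT NOT NULL)")
    return db

def rotate_fleet(db, devices, push):
    """Rotate each device off the default; return devices whose push failed."""
    failed = []
    for device in devices:
        row = db.execute("SELECT password, state FROM creds WHERE device = ?",
                         (device,)).fetchone()
        if row and row[1] == "active":
            continue                      # already rotated
        if row:
            password = row[0]             # retry reuses the stored pending value
        else:
            password = new_password()
            # Store first: a password on the device but not in the DB is a lockout.
            db.execute("INSERT INTO creds VALUES (?, ?, 'pending')", (device, password))
            db.commit()
        try:
            push(device, password)        # hypothetical: log in and set the password
        except OSError:
            failed.append(device)         # row stays 'pending'
            continue
        db.execute("UPDATE creds SET state = 'active' WHERE device = ?", (device,))
        db.commit()
    return failed

def audit(db):
    """Return (active devices, rows still holding the factory default)."""
    count = lambda sql, *args: db.execute(sql, args).fetchone()[0]
    return (count("SELECT COUNT(*) FROM creds WHERE state = 'active'"),
            count("SELECT COUNT(*) FROM creds WHERE password = ?", FACTORY_DEFAULT))

# Constructed fleet; the simulated push treats "cpe-0003" as unreachable.
SAMPLE_DEVICES = ["cpe-0001", "cpe-0002", "cpe-0003", "cpe-0004"]

def simulated_push(device, password):
    if device == "cpe-0003":
        raise OSError("device unreachable")

if __name__ == "__main__":
    inventory = open_inventory()
    print("failed:", rotate_fleet(inventory, SAMPLE_DEVICES, simulated_push))
    print("active, still default:", audit(inventory))
```

A second call to `rotate_fleet` retries only the devices still marked pending, using the password already on record.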
You do know, judging by your uid, that probably equates to about 2.3 posts per day, every day since your account was created. Yep, I'd better back away from the computer. Veeeeerrrryyy slowly. Man, you look dumb. At least this thread appears to have gotten bitchslapped. That's exciting.