Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sprint DSL's Security Hole Easy As 1,2,3,4

Posted by timothy on from the oh-didn't-you-catch-that dept.

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.

3 of 373 comments (clear)

  1. Re:Home users by taliver · · Score: 5, Informative

    Not really a problem.

    Lots of switches and other equipment comes with hardware passwords. When these are lost, you can call the company and get a password by reading off a serial number identifier off of the equipment. When you enter that password, the machine is reset and all information previously on it is gone.

    That would be good enough for most users in any event.

    --

    I demand a million helicopters and a DOLLAR!

  2. Re:Not Sprint's fault... (RTFA) by Anonymous Coward · · Score: 5, Informative
    From the article:
    Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
    Now, who's fault isn't it again?
  3. My ZyXEL 600 had this problem... by VValdo · · Score: 5, Informative

    First thing I did with my ZyXEL Prestige 600 is change that damned default password.

    To do this, at least on my 600:

    1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
    2. Use the default 1234 password, and then hit return to log in.
    3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
    4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
    5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
    6. When you get back to the main menu, exit your telnet session by typing "99".
    7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
    8. Profit.

    I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.

    Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like a w/ a firewall.

    To block incoming telnet sessions on the WAN, check out this page. This page also offers a "probe" you can use to discover vulnerable modems.

    Finally, check this list for common default passwords. This is an important page, so check it for any equipment you might be using.

    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.