Sprint DSL's Security Hole Easy As 1,2,3,4

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.

As I've always said

[Amsterdam+Vallon]

The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.

The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.

You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.

Re:As I've always said

[pjrc]

people will always be stupid. You can't change that.

Default setup and settings don't need to (be stupid). That can be changed.

Re:As I've always said

[CliffH]

I think the scariest part about all of this is, most telcos, telecoms, ISPs, anyone who offers these services, will have one password for all. This is not an isolated case by a long shot and at the very least, customers who have their broadband installed should be made aware that their equipment:
1) Does have a password
2) This is your password and you should change it
3) Here are the instructions to change the password or alternatively I/we can do this for you
4) Once I/we leave here, it is your responsibilty to look after your equipment unless you have a specifc contract with us stating otherwise (managed IP networks, Frame Relay, yada yada)

Now, we all know that the contracts will absolve the ISP/Telco of any harm caused by this and we all know how well people read those contracts . A simple, "Here's the deal" would suffice and make sure it is one sheet of paper in easy to understand language that all involved can reference.

Ok, enough ranting.

Re:As I've always said

[arkanes]

They might not get away 100% on this one - I don't have Sprint, but my experience with broadband ISPs and Telco's in general leads me to think that they, like most of the others, think of the modem as belonging to them (which, in some cases it probably does, since they lease them), and they insist on retaining control over it - many of them even get very grumpy if you reset the password on it, to the point of cancelling your service.

Ah ha. From the Sprint DSL website: "Modem remains the property of Sprint and must be returned to Sprint if FastConnect DSL service is discontinued."

I can't find a copy of thier user agreement on the website (I really hate companies that don't let you see that until AFTER you're mostly commited to buying. How am I supposed to make a decision if they won't tell me thier policies?) but I suspect that (unless they changed it right before this became public) that it's standard boilerplate, which wouldn't include anything about the customer having to maintain those modems.

Not Sprint's fault...

[bmh5c]

As much as I don't like Sprint, it's not their fault that people aren't changing the default password. If people don't change it, it's their own fault if they get burned.

Re:Not Sprint's fault...

[rmadmin]

Sprint needs to let these people know how to do that then. More importantly, they need to get the point across that customers "NEED" to do this. For example, when a customer signs up give them a piece of paper explaining how to do it, leave a blank so they can write the password down, and explain that the paper needs to be protected, or someone can steal their e-mail. If I give a child a loaded gun, and don't tell him not to pull the trigger, IT WILL BE MY FAULT. (I hate to use that comparison, but I think it gets the point across) Just my opinion.

Re:Not Sprint's fault...

[Beatbyte]

Its your job as an ISP to supply a service. Part of that service would be protecting your customer from being hacked by :

1) turning off remote administration [it just helps their tech support be lazy anyways]

2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is setup and logged into their account information)

3) at least explaining in the manual, after its all setup, do steps a,b,c to change the password after the account is functional for security reasons

I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in car.

Re:Not Sprint's fault...

Who looks for a password to change in THEIR MODEM???

This is fucking insane and absolute negligence. I wouldn't think that my modem would have a password. My account, yes. My email, yes. My computer, yes. But MY MODEM?

Re:Not Sprint's fault...

[harlows_monkeys]

As much as I don't like Sprint, it's not their fault that people aren't changing the default password

How are people supposed to change a password that they don't even know exists? If you install on Windows using the install CD from Sprint, the existence of that password is hidden. The install program deals with configuring the modem.

1234

[qoncept]

How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.

Re:1234

[kiwimate]

The flaw is in not requiring the user to change it.

Sorry, but I disagree. It goes higher than that. This is a piece of equipment provided by Sprint to paying customers in order to facilitate the network service. Therefore, it's incumbent upon Sprint to modify the default password, not the user. The user is paying for a complete service, and as such should have a reasonable expectation of at least moderate safeguards in place, particularly given the well-known dangers of a permanent Internet connection.

By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.

However, that's a different situation -- a company buys a database server with the expectation of having to perform post-purchase configuration. Did you sign up for DSL or cable service, get a modem as part of the package, and expect to have to perform some final configuration?

Re:1234

[SlashdotLemming]

The flaw is in not requiring the user to change it.

The flaw IS requiring the user to change it. Why is remote administration even enabled by default?

Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.

Total negligence by sprint.

[guido1]

"We recommend that customers change the (administrative) password to increase security..." said Sprint FastConnect spokeswoman Laura Tigges.

Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.

They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)

Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.

• On the other hand...

This has been around for a while. I wonder how many users have actually been affected.

security

[phantomwolph]

Why is it that ppl will spend a fortune securing their homes and cars and leave their computers wide open? Unfortunatly all these stories wind up on the tech sites but Joe six pack only reads the sports section of the newspaper.

Re:Totally unprofessional

[dytin]

Ok, so would you rather have wired not tell you that your modem is unprotected? If I were a sprint user, I would not be mad at wired, I would be pleased. I'd rather have wired hack my modem and tell me about it than some random script kiddie hack it and break into my email account.

Why didn't sprint fix this quickly?

[t0qer]

Jobless, and too smart for my own good, i'm tempted to try and find some routers. Just tempted, I never do bad stuff like comprimise others networks.

Why didn't sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and been done with it.

Now that it's been published on wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored"

Zyxel's fault?

[dcavens]

As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).

Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?

Re:What is the big deal for Sprint to fix this?

[tomhudson]

But remember, if they can do it, so can any script kiddie by polling blocks of ip addresses. Lock out both sprint and the user :-)

as the saying goes

[natefanaro]

Your security is only as good as your dumbest user.

A buddy of mine and I have been uttering those words for years.

Re:Totally unprofessional

[silicon_synapse]

I don't care what their intentions are. If they logged into one of my devices I would do all I could to dig up a law they could be prosecuted under and I'd make sure all the proper Federal agencies got wind of it. I did NOT give them permission to access my network. It would have been suficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.

Re:How are they supposed to know?

[Falconpro10k]

Well, you make it so they HAVE to change the password to gain internet connectivity This comes from a security paranoid linux user who also likes OpenBSD

Note that this is only a problem in routing mode

[harlows_monkeys]

Note that if you put the modem into bridging mode, you don't have this problem. Unfortunately, most people probably leave it in routing mode, because the modem then handles PPPoE and provides access to your computer via DHCP and NAT.

If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administratable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).

Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).

Re:Home users

[Angry+White+Guy]

I hate to inform you, but the outlook holes are Microsoft's fault! They are the ones who programmed the executable handlers to not check what type of file was there (whether it be an exe posing as a pif file, or a screensaver).

Not Zyxel's fault

[Doogman]

I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection but they are my internet provider. Yes they did change the default password and they even support Linux, but I'm digressing.

As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.

So did Sprint disable the filter and not change the password? That would be rather strange...

Linksys has a similar problem

[Drakonian]

Linksys has similarly easy password in their Gateways/Routers/Firewalls. No username and password is "admin". These routers are configurable remotely too - thank god that feature is off by default. I seem to recall them having a serious overflow bug too that would allow exploitation anyway.

Re:Wired is polling modems?

[suwain_2]

Portscanning isn't illegal, per se. It's like loitering. It's not illegal unless theres a sign that says 'no loitering'.

It's not illegal, and I adamantly support people's right to portscan people. However, a better analogy would be if the loitering was being done late at night in a neighborhood that was victim to a number of break-ins at night: It's not illegal, and there could be *entirely* legitimate reasons for doing it, but it's obviously going to look like you're trying to break in. (Off-topic: You can't really hang a "No portscannning" sign on your server)

What Wired did was either (depending on how you interpret the phrase "polled"):
- tried logging into people's routers with this password (blatant 'cracking')
- sent out a "poll" (as in a Slashdot Poll) to its readers asking Sprint customers to check their router and report back to Wired

In one case, I'd like to see more outrage, dropped subscriptions, and police involvement -- the fact that they're a respected magazine in no way gives them the attempt to try to crack routers en masse. On the other hand, if it's the second type of "poll," we're making a massive deal out of nothing. :)

Smoking?

[Bios_Hakr]

What are you smoking....and can I have some?

Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.

First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific peice of equipment would create a logistical nightmare.

Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.

Damned if we do...

[gizmonic]

...damned if we don't!

So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having a unsecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door with guns drawn?

Nice.

I remember when society used to have common sense. I miss those days.

Surely You're Joking, Mr. Estate!.

[/Idiot\]

Why is it that people always say "Richard Feynmann, on of the guys on the Manhatten Project"?

I propose we say instead:
"Richard Feynmann, a guy who achieved much more than working on the Manhatten Project"

- or just ignore me.