Slashdot Mirror


Sprint DSL's Security Hole Easy As 1,2,3,4

An anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems it polled were still using that default password.

9 of 373 comments

  1. As I've always said by Amsterdam Vallon · Score: 5, Insightful

    The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.

    The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.

    You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
  2. 1234 by qoncept · Score: 5, Insightful

    How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.

    --
    Whale
    1. Re:1234 by SlashdotLemming · Score: 5, Insightful

      The flaw is in not requiring the user to change it.

      The flaw IS requiring the user to change it. Why is remote administration even enabled by default?

      Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.

  3. Re:Not Sprint's fault... by rmadmin · Score: 5, Insightful

    Sprint needs to let these people know how to do that, then. More importantly, they need to get the point across that customers "NEED" to do this. For example, when a customer signs up, give them a piece of paper explaining how to do it, leave a blank so they can write the password down, and explain that the paper needs to be protected, or someone can steal their e-mail. If I give a child a loaded gun, and don't tell him not to pull the trigger, IT WILL BE MY FAULT. (I hate to use that comparison, but I think it gets the point across.) Just my opinion.

  4. Re:Not Sprint's fault... by Beatbyte · Score: 5, Insightful

    It's your job as an ISP to supply a service. Part of that service would be protecting your customer from being hacked by:

    1) turning off remote administration [it just helps their tech support be lazy anyway]

    2) having the password for their equipment match their normal account password (or a randomly generated password created when the DSL is set up and logged into their account information)

    3) at least explaining in the manual, after it's all set up, do steps a, b, c to change the password after the account is functional, for security reasons

    I understand that people are computer dumb, but I'm car dumb and I'd appreciate a mechanic telling me, when I retrieve my car from the shop, to make sure I fill up all the fluids in the car.

  5. Re:Totally unprofessional by dytin · Score: 5, Insightful

    OK, so would you rather have Wired not tell you that your modem is unprotected? If I were a Sprint user, I would not be mad at Wired, I would be pleased. I'd rather have Wired hack my modem and tell me about it than some random script kiddie hack it and break into my e-mail account.

  6. Zyxel's fault? by dcavens · Score: 5, Insightful

    As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT, i.e. 192.68.x.x).

    Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?

  7. Re:Home users by Angry White Guy · Score: 5, Insightful

    I hate to inform you, but the Outlook holes are Microsoft's fault! They are the ones who programmed the executable handlers to not check what type of file was there (whether it be an .exe posing as a .pif file, or a screensaver).

    --
    You think that I'm crazy, you should see this guy!
  8. Not Zyxel's fault by Doogman · Score: 5, Insightful

    I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection, but they are my internet provider. Yes, they did change the default password, and they even support Linux, but I'm digressing.

    As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.

    So did Sprint disable the filter and not change the password? That would be rather strange...
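The thread raises two separate questions about a modem like this: whether the telnet admin interface is reachable from the WAN at all (the filter Doogman describes, and the LAN-only assumption in comment 6), and whether it still answers to the factory default "1234" (the Wired poll). The following is an added example, not code from the Wired article, Sprint, ZyXEL, or any commenter: a small audit client that classifies one of your own devices as "filtered" (nothing listening from this vantage point), "default-password" (the default still works), or "secured" (the default is rejected), plus a fleet summary of the kind Wired reported as a percentage. The prompt text and the success/failure markers are assumptions standing in for whatever the real ZyNOS banner says, and the modem itself is replaced by a constructed fake listening on 127.0.0.1 so the example runs offline. Only ever point the client at equipment you own or are authorized to test.

```python
import socket
import threading
from collections import Counter

DEFAULT_PASSWORD = "1234"          # the Prestige factory default quoted by Wired
PROMPT = b"Password: "             # assumed prompt text; the real device may differ
SUCCESS_MARKER = b"Copyright"      # assumed: banner shown after a successful login
FAILURE_MARKER = b"Bad Password"   # assumed: text shown when the password is wrong


def recv_until(sock, markers, limit=4096):
    """Read from sock until any marker appears, the peer closes, or a timeout hits."""
    if isinstance(markers, bytes):
        markers = (markers,)
    buf = b""
    while len(buf) < limit and not any(m in buf for m in markers):
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def audit_modem(host, port=23, password=DEFAULT_PASSWORD, timeout=3.0):
    """Try exactly one password (the default) and classify the result.

    Returns "filtered" if nothing accepts the connection (the WAN filter is
    doing its job), "default-password" if the default logs in, "secured" if it
    is rejected, and "unknown" if the dialogue does not match our assumptions.
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:            # ConnectionRefusedError, timeout, unreachable
        return "filtered"
    with s:
        s.settimeout(timeout)
        if PROMPT not in recv_until(s, PROMPT):
            return "unknown"
        s.sendall(password.encode() + b"\r\n")
        reply = recv_until(s, (SUCCESS_MARKER, FAILURE_MARKER))
    if SUCCESS_MARKER in reply:
        return "default-password"
    if FAILURE_MARKER in reply:
        return "secured"
    return "unknown"


def audit_fleet(targets):
    """Audit a list of (host, port) pairs and count the outcomes, Wired-style."""
    return Counter(audit_modem(host, port) for host, port in targets)


def start_fake_modem(accepted_password):
    """Constructed stand-in for a modem's telnet admin port; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3.0)
                conn.sendall(PROMPT)
                line = recv_until(conn, b"\n")
                if line.strip() == accepted_password.encode():
                    conn.sendall(b"\r\n" + SUCCESS_MARKER + b" (c) constructed banner\r\n")
                else:
                    conn.sendall(b"\r\n" + FAILURE_MARKER + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Pick a local port with nothing listening, to model a WAN-side filter."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Three constructed "modems": one still on 1234, one with a changed
    # password, and one whose admin port is not reachable at all.
    fleet = [
        ("127.0.0.1", start_fake_modem("1234")),
        ("127.0.0.1", start_fake_modem("correct horse battery")),
        ("127.0.0.1", find_closed_port()),
    ]
    counts = audit_fleet(fleet)
    total = sum(counts.values())
    for status, n in sorted(counts.items()):
        print(f"{status:17s} {n:3d}  ({100 * n / total:.0f}%)")
```

The client deliberately sends a single password and stops: an audit of equipment you are responsible for needs to know whether the factory default still works, nothing more, and the "filtered" result is the one a correctly shipped unit with the WAN telnet filter in place should produce.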