Slashdot Mirror


Sprint DSL's Security Hole Easy As 1,2,3,4

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.

10 of 373 comments

  1. Home users by Ogrez · Score: 5, Interesting

    Yeah.. but 90% of home users can't remember their email password, do you really want them changing the password on the hardware... It comes with the default password, it's impractical for the ISP to change them all, and should the user change it, then forget it, it's an hour-long tech support call to fix it. Replace user, press any key to continue.

    --

    Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
  2. How are they supposed to know? by jandrese · Score: 5, Interesting

    How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.

    So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?

    --

    I read the internet for the articles.
  3. Local vs. National ISP by wulfhere · Score: 4, Interesting

    I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our responsibility to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISPs will NEVER have customer service that compares favorably to a local ISP.

    --
    -- Sent from a computer.
  4. What is the big deal for Sprint to fix this? by ortholattice · Score: 5, Interesting

    They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones that have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?
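The fleet-wide rotation the comment describes, as an added example that is not from the thread or from Sprint: a hypothetical `Modem` class stands in for the real device (a production tool would talk to the modem over its management interface instead), each device still on the factory default gets its own random password, and the new credentials are recorded per IP so the operator can still log in for maintenance. Devices the customer already changed are left alone, and re-running the job is safe.

```python
import secrets
import string

DEFAULT_PASSWORD = "1234"  # the factory default the article reports


class Modem:
    """Hypothetical stand-in for a fielded modem (assumption, not a real driver)."""

    def __init__(self, ip, password):
        self.ip = ip
        self.password = password

    def login(self, password):
        # Constant-time compare, as a real credential check should do
        return secrets.compare_digest(self.password, password)

    def set_password(self, old, new):
        if not self.login(old):
            raise PermissionError(f"{self.ip}: current password rejected")
        self.password = new


def new_password(length=16):
    """Cryptographically random, per-device password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_defaults(fleet, vault):
    """Rotate every modem still on DEFAULT_PASSWORD; record new creds in `vault` keyed by IP.

    Returns the list of IPs rotated. Idempotent: IPs already in the vault are skipped,
    and a modem whose owner set their own password is never touched. In production the
    vault should be an access-controlled secrets store, not a plain dict.
    """
    rotated = []
    for modem in fleet:
        if modem.ip in vault:
            continue  # handled in an earlier run
        if not modem.login(DEFAULT_PASSWORD):
            continue  # customer already changed it
        pw = new_password()
        modem.set_password(DEFAULT_PASSWORD, pw)
        vault[modem.ip] = pw
        rotated.append(modem.ip)
    return rotated


def build_sample_fleet():
    # Constructed sample using RFC 5737 documentation addresses, not real customers
    return [Modem("192.0.2.10", "1234"), Modem("192.0.2.11", "1234"),
            Modem("192.0.2.12", "owner-chosen")]
```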

  5. Re:Not Sprint's fault... by jovlinger · Score: 5, Interesting

    erm yes it is.

    I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?

    And I'm in the upper n-th percentile of computer literacy. Unless Verizon and Sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.

  6. Wired is polling modems? by nochops · Score: 4, Interesting

    Wired found that more than 90% of the modems they polled were using that default password

    Isn't this wrong?
    Back in 1997 or so, I admin'd for my father's company. We had a massive DDoS-type attack from about 100 or so IPs on our ISP's network. These were all trying to infect the machine with Back Orifice, but since it was already patched, they just DoS'd the box.

    When the DoS was done, I promptly and naively swept the ISP's class-B for open port 31337 (Back Orifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.

    They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.

    I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.

    Anyone care to comment?

    --
    "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
  7. Spammers Love 'Em! by The+Turd+Report · Score: 5, Interesting

    Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port-25-blocked dial-up. Just telnet to the rooted router on port 33 and you are automagically sent to AOL's mail server. Spam away!

  8. Why not use the serial number? by teslatug · Score: 4, Interesting

    Just set the password to the last 4 digits of the serial number of the modem. No need to remember, easy to find for the users, not so easy for the hackers.

  9. Re:This is a surprise to everyone? by Zaknafein500 · Score: 5, Interesting

    Sprint just laid off several thousand employees from its HQ here locally. My guess is the staff that runs the abuse@ account were the first to go.

    My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse is that these modems are quite clearly running Netgear firmware, which by default doesn't allow connections externally. So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.

    --

    "The guide is definitive, reality is frequently inaccurate."
  10. This is nothing new by estate · Score: 5, Interesting

    Use of the default password has been going on since time immemorial. Apparently Richard Feynman who worked on the Manhattan Project (which developed the first atom bomb) had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.

    Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my password to my daughter so that she could log on to my Linux box at home. That was solved by giving her an account of her own.

    Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!