Slashdot Mirror
Sprint DSL's Security Hole Easy As 1,2,3,4
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
Time to change the combo on the luggage again.
The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.
The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.
You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
Colonel Sandurz: "1-2-3-4-5."
Skroob: "1-2-3-4-5?"
Sandurz: "Yes."
Skroob: "That's amazing! I've got the same combination on my luggage!"
Who needs a social engineer to get the password, when we have the fine folks at Sprint around.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
Yeah.. but 90% of home users cant remeber their email password, do you really want them changing the password on the hardware... It comes with the default password, its impractical for the isp to change them all, and should the user change it, then forget it, its a hour long tech support call to fix it. Replace user, press any key to continue.
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
This is Sprint, the ISP who doesn't do a thing about hackers originating from their domain.
I don't know how many times in the past I've tracked hackers at work to Sprint's networks.
Getting a reply or action from Sprint Security is non-existent. I guess it takes an article published in 'Wired' to get action from them.
Sprint and Prodigy are renown for not working with customers in addressing secuity issues.
Dolemite
_________________________________
Save the World! Use a Quote!
Can j00 0wnz0r me now? g0000d!
How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.
Whale
Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)
Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.
This has been around for a while. I wonder how many users have actually been affected.
ZyXel should set it so the password is randomized by default. That way, it might not be possible for the user to get in, but at least it will be more secure. For boosted security, they could make it re-randomize the password every hour.
Jason
ProfQuotes
How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.
So heres, the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunatly his modem is now vulnerable to whatever nastyness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
I read the internet for the articles.
I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our resonsiblity to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISP's will NEVER have customer service that compares favorably to a local ISP.
-- Sent from a computer.
Sprint needs to let these people know how to do that then. More importantly, they need to get the point across that customers "NEED" to do this. For example, when a customer signs up give them a piece of paper explaining how to do it, leave a blank so they can write the password down, and explain that the paper needs to be protected, or someone can steal their e-mail. If I give a child a loaded gun, and don't tell him not to pull the trigger, IT WILL BE MY FAULT. (I hate to use that comparison, but I think it gets the point across) Just my opinion.
Can all fish swim?
They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?
Its your job as an ISP to supply a service. Part of that service would be protecting your customer from being hacked by :
1) turning off remote administration [it just helps their tech support be lazy anyways]
2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is setup and logged into their account information)
3) at least explaining in the manual, after its all setup, do steps a,b,c to change the password after the account is functional for security reasons
I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in car.
Get paid to code OSS
Why is it that ppl will spend a fortune securing their homes and cars and leave their computers wide open? Unfortunatly all these stories wind up on the tech sites but Joe six pack only reads the sports section of the newspaper.
erm yes it is.
I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?
And I'm in the upper n-th percentile of computer litteracy. Unless verizon and sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.
Ok, so would you rather have wired not tell you that your modem is unprotected? If I were a sprint user, I would not be mad at wired, I would be pleased. I'd rather have wired hack my modem and tell me about it than some random script kiddie hack it and break into my email account.
Jobless, and too smart for my own good, i'm tempted to try and find some routers. Just tempted, I never do bad stuff like comprimise others networks.
Why didn't sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and been done with it.
Now that it's been published on wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored"
As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).
Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?
When I signed up for US Worst's (now Qwest/MSN) DSL about four years ago, the Cisco 675 modem they were shipping came with a default password. You could telnet in to the modem from over the internet, reconfigure it so that the user couldn't connect to the web and then change the admin password so they couldn't fix it! >:) To make it even easier, all the DSL IPs had hostnames containing "dsl", so a simple DNS zone transfer saved having to scan for the modems/routers.
To only allow remote access once the password had been changed by the user.
I have been doing xDSL installs for a few years and I have noticed a strange thing...
All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.
In contrast some of the smaller xDSL providers seem to be more on the ball with these things.
I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.
One more thing... one more luggage joke and I'm going to have to kill someone...
Vidomi Killer media player and network distributed video encoder.
I always thought it was spelled Skoorb, whitch is Brooks (as in Mel) backwards...
Maybe you missed it cause it was only posted once.
Has the same exact issue. All of the Caymen & Efficient routers are usually setup with the default password. Which by a quick google search, is easily obtainable.
This only applies to business customers who ordered the router option instead of a bridge.
Your security is only as good as your dumbest user.
A buddy of mine and I have been uttering those words for years.
Wired found that more than 90% of the modems they polled were using that default password
Isn't this wrong?
Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IP's on our ISP's network. These were all trying to infect the machine with BackOriface, but since it was already patched, they just DOS'd the box.
When the DOS was done, I pormptly and naively swept the ISP's class-B for open port 31337 (backoriface). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.
They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.
I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.
Anyone care to comment?
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
I don't care what their intentions are. If they logged into one of my devices I would do all I could to dig up a law they could be prosecuted under and I'd make sure all the proper Federal agencies got wind of it. I did NOT give them permission to access my network. It would have been suficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.
Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port25 blocked dial-up. Just telnet to the rooted router on port 33 and you are auto-majicly sent to AOL's mail server. Spam away!
Michael Loves Me!
what if the DSL provider installed the modem for you? is it then their responsibility to change the password? how about to at least prompt you to change it, maybe verify before they leave that you've changed it?
Free Webmail
I quickly found this problem on my Sprint DSL, and checked a few other addresses "near" mine to see if I had just overlooked something during setup where I was supposed to change the password, and found that most modems were wide open. I informated Sprint, and here was their response:
:-/
Thank you for your recent e-mail. I appreciate the opportunity to address your inquiry.
You have reached local password reset only. Please contact your local telephone company for further assistance.
We appreciate your business. If we can be of further assistance concerning
your Sprint service, please visit us at http://www.sprint.com, or you may email us at customer.servicenet@mail.sprint.com.
Aside from the total lack of security by default, and their insistance on routing everything from the Seattle area through Fort Worth, which is 100ms away on Sprintlink, they have been pretty good.
Just set the password to the last 4 digits of the serial number of the modem. No need to remember, easy to find for the users, not so easy for the hackers.
If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administratable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).
Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).
as I gaze at my brand new ZyXEL Prestige 645 DSL bridge that arrived a mere two weeks ago with my DirectTV -> Speakeasy DSL transition.
and I wonder...
They don't mention that the telnet interface is by default only accessible from the inside of the network.
Interestingly, we just conducted a non-scientific survey for a class project about passwords that people use. This included things like luggage, email, voicemail, etc., from your typical teenaged high schooler.
:p
Results collected:
30% used 123 or abc equivalent depending on length*
19% used their name or combo (like JDoe or JohnD)
16% used a date or part of (not b-day)
9% used their birthday (or part of)
6% used their name backwards
5% used a pet name
15% other**
* 63% of the people who used 123(4) used it on their luggage.
** 3% of this other was something like "asdf" or "qwerty" or "jkl;" (presumably for computer related passwords). other also included stuff like phone numbers, names of other people, street addresses, and just some checked the box 'other' with no explanation.
100% used a xx-xx-xx type numerical combination for their lockers. not including those who jam theirs always open
How are people supposed to change a password that they don't even know exists? If you install on Windows using the install CD from Sprint, the existence of that password is hidden. The install program deals with configuring the modem.
Now, who's fault isn't it again?
I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection but they are my internet provider. Yes they did change the default password and they even support Linux, but I'm digressing.
As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.
So did Sprint disable the filter and not change the password? That would be rather strange...
Linksys has similarly easy password in their Gateways/Routers/Firewalls. No username and password is "admin". These routers are configurable remotely too - thank god that feature is off by default. I seem to recall them having a serious overflow bug too that would allow exploitation anyway.
Random is the New Order.
Use of the default password has been going on since time immemorial. Apparently Richard Feynmann who worked on the Manhatten Project (which developped the first atom bomb) had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.
Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my passwword to my daughter so that she could logon to my linux box at home. That was solved by giving her an account of her own.
Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
"...each time you build one, you need to go in and adjust it for a new password..." Those are salient points. I guess a better point is, what was stopping Sprint from *forcing* users to change their passwords before their first login? If hooking up DSL is like I think it is, wouldn't a tech have to walk them through the initial setup? Could they not choose an alternate password then?
~D:
I just had Spring DSL installed at my house YESTERDAY. I asked the tech about login info, user manual, etc for the Zyxel modem so I could get in & configure it, change admin logins, etc - his response was, "Oh, you don't need to do that, it's preconfigured already." So apparently their techs don't believe there's a need to secure them??
Greaaaaaaaaat.
I did NOT give them permission to access my network.
Your network? You're the one accessing Sprint's network. Does the modem even belong to you? I was under the impression that DSL customers leased modems.
It would have been suficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.
Um, are you familiar with the phrase "investigative journalism"? If they had heard about this default passowrd from some other source, and Sprint had issued a denial, would it have been sufficient to take Sprint's word for it?
First thing I did with my ZyXEL Prestige 600 is change that damned default password.
To do this, at least on my 600:
1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
2. Use the default 1234 password, and then hit return to log in.
3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
6. When you get back to the main menu, exit your telnet session by typing "99".
7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
8. Profit.
I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.
Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like a w/ a firewall.
To block incoming telnet sessions on the WAN, check out this page. This page also offers a "probe" you can use to discover vulnerable modems.
Finally, check this list for common default passwords. This is an important page, so check it for any equipment you might be using.
W
-------------------
This is my SIG. There are many like it, but this one is mine.
What are you smoking....and can I have some?
Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.
First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific peice of equipment would create a logistical nightmare.
Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.
I'd rather you do it wrong, than for me to have to do it at all.
how exactly do you come to the conclusion that your ISP was "keeping an eye on you"? I mean, what evidence did you see...
.....we... ...are.... .watching. ..you..... [100%]
% wget http://some.site.out.there/foo
--15:23:09-- http://some.site.out.there/
=> `foo'
Connecting to 1.2.3.4:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 666 [text/html]
0K ->
They refused to let customers have the DSL modem password, so that they wouldn't screw it up. While waiting on hold for oh, about 3 hours, to get a tech to fix one of their screw ups, I downloaded the manual. I figured out how to fix the problem, and then, just for grins, tried the factory password. It worked. I fixed the problem. About that time the tech answered. I told him how I fixed the problem. He asked me not to change the password, as it was their policy to leave them *all* at the factory default so that they could easily acess them. They had actually thought about the problem, and made an active management decision to require fsck'ed up security. Sheesh.
>Believe it or not, "polling" modems by checking their passwords is hacking
And testing the doorknob on every store on your street is multiple sets of felony B & E, right?
This is why the police wait for the burglar to actually _enter_ the house before charging them (well, actually, if they don't like they guy, they'll wait 'till he exits with an armload of swag), just like they wait for a hacker to _do_ something before charging them with a crime.
If you don't want anyone testing your lock, don't have one in a place they can test it.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
...damned if we don't!
So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having a unsecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door with guns drawn?
Nice.
I remember when society used to have common sense. I miss those days.
WWJD?
JWRTFM!
Why is it that people always say "Richard Feynmann, on of the guys on the Manhatten Project"?
I propose we say instead:
"Richard Feynmann, a guy who achieved much more than working on the Manhatten Project"
- or just ignore me.
and at cox.net (cable) formly @home the default password for all email and web services is password
its not like this type of stuff is uncommon.