Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sprint DSL's Security Hole Easy As 1,2,3,4

Posted by timothy on from the oh-didn't-you-catch-that dept.

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.

21 of 373 comments (clear)

  1. Shit by Anonymous Coward · · Score: 5, Funny

    Time to change the combo on the luggage again.

  2. As I've always said by Amsterdam+Vallon · · Score: 5, Insightful

    The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.

    The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.

    You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
  3. Home users by Ogrez · · Score: 5, Interesting

    Yeah.. but 90% of home users cant remeber their email password, do you really want them changing the password on the hardware... It comes with the default password, its impractical for the isp to change them all, and should the user change it, then forget it, its a hour long tech support call to fix it. Replace user, press any key to continue.

    --


    Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
    1. Re:Home users by taliver · · Score: 5, Informative

      Not really a problem.

      Lots of switches and other equipment comes with hardware passwords. When these are lost, you can call the company and get a password by reading off a serial number identifier off of the equipment. When you enter that password, the machine is reset and all information previously on it is gone.

      That would be good enough for most users in any event.

      --

      I demand a million helicopters and a DOLLAR!

    2. Re:Home users by Angry+White+Guy · · Score: 5, Insightful

      I hate to inform you, but the outlook holes are Microsoft's fault! They are the ones who programmed the executable handlers to not check what type of file was there (whether it be an exe posing as a pif file, or a screensaver).

      --
      You think that I'm crazy, you should see this guy!
  4. New Sprint Ad by Lord_Slepnir · · Score: 5, Funny

    Can j00 0wnz0r me now? g0000d!

  5. 1234 by qoncept · · Score: 5, Insightful

    How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.

    --
    Whale
    1. Re:1234 by SlashdotLemming · · Score: 5, Insightful

      The flaw is in not requiring the user to change it.

      The flaw IS requiring the user to change it. Why is remote administration even enabled by default?

      Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.

  6. How are they supposed to know? by jandrese · · Score: 5, Interesting

    How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.

    So heres, the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunatly his modem is now vulnerable to whatever nastyness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?

    --

    I read the internet for the articles.
  7. Re:Not Sprint's fault... by rmadmin · · Score: 5, Insightful

    Sprint needs to let these people know how to do that then. More importantly, they need to get the point across that customers "NEED" to do this. For example, when a customer signs up give them a piece of paper explaining how to do it, leave a blank so they can write the password down, and explain that the paper needs to be protected, or someone can steal their e-mail. If I give a child a loaded gun, and don't tell him not to pull the trigger, IT WILL BE MY FAULT. (I hate to use that comparison, but I think it gets the point across) Just my opinion.

    --


    Can all fish swim?
  8. What is the big deal for Sprint to fix this? by ortholattice · · Score: 5, Interesting

    They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?

  9. Re:Not Sprint's fault... by Beatbyte · · Score: 5, Insightful

    Its your job as an ISP to supply a service. Part of that service would be protecting your customer from being hacked by :

    1) turning off remote administration [it just helps their tech support be lazy anyways]

    2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is setup and logged into their account information)

    3) at least explaining in the manual, after its all setup, do steps a,b,c to change the password after the account is functional for security reasons

    I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in car.

    --
    Get paid to code OSS
  10. Re:Not Sprint's fault... by jovlinger · · Score: 5, Interesting

    erm yes it is.

    I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?

    And I'm in the upper n-th percentile of computer litteracy. Unless verizon and sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.

  11. Re:Totally unprofessional by dytin · · Score: 5, Insightful

    Ok, so would you rather have wired not tell you that your modem is unprotected? If I were a sprint user, I would not be mad at wired, I would be pleased. I'd rather have wired hack my modem and tell me about it than some random script kiddie hack it and break into my email account.

  12. Zyxel's fault? by dcavens · · Score: 5, Insightful

    As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).

    Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?

  13. Spammers Love 'Em! by The+Turd+Report · · Score: 5, Interesting

    Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port25 blocked dial-up. Just telnet to the rooted router on port 33 and you are auto-majicly sent to AOL's mail server. Spam away!

    --
    Michael Loves Me!
  14. Re:Not Sprint's fault... (RTFA) by Anonymous Coward · · Score: 5, Informative
    From the article:
    Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
    Now, who's fault isn't it again?
  15. Re:This is a suprise to everyone? by Zaknafein500 · · Score: 5, Interesting

    Sprint just laid off several thousand employees from its HQ here locally. My guess is the staff that runs the abuse@ account were the first to go.

    My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse, is that these modems are quite clearly running Netgear firmware, which by default doesn't not allow conections externally So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.

    --

    "The guide is definitive, reality is frequently inaccurate."
  16. Not Zyxel's fault by Doogman · · Score: 5, Insightful

    I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection but they are my internet provider. Yes they did change the default password and they even support Linux, but I'm digressing.

    As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.

    So did Sprint disable the filter and not change the password? That would be rather strange...

  17. This is nothing new by estate · · Score: 5, Interesting

    Use of the default password has been going on since time immemorial. Apparently Richard Feynmann who worked on the Manhatten Project (which developped the first atom bomb) had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.

    Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my passwword to my daughter so that she could logon to my linux box at home. That was solved by giving her an account of her own.

    Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!

  18. My ZyXEL 600 had this problem... by VValdo · · Score: 5, Informative

    First thing I did with my ZyXEL Prestige 600 is change that damned default password.

    To do this, at least on my 600:

    1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
    2. Use the default 1234 password, and then hit return to log in.
    3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
    4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
    5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
    6. When you get back to the main menu, exit your telnet session by typing "99".
    7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
    8. Profit.

    I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.

    Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like a w/ a firewall.

    To block incoming telnet sessions on the WAN, check out this page. This page also offers a "probe" you can use to discover vulnerable modems.

    Finally, check this list for common default passwords. This is an important page, so check it for any equipment you might be using.

    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.