Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
I always have fun when I find abusive hosts on my site using the default login information. I log in and FUBAR up their settings and reboot their router.
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
Did you see what happens if you try to go to port 4567 from an outside host?
"What security measures does Verizon have to protect that port from unauthorized access?"
Making sure people don't have the password of password1.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
Seems like an easy solution to me. If you have to have their router for the FiOS Tv just put the router behind whatever you replace it with. There is a good guide on how to do this on the dd-wrt website.
You're lucky Verizon changed your password before someone else did.
if you had changed the password yourself, this wouldn't have happened.
What ? Me, worry ?
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
I am becoming gerund, destroyer of verbs.
Perhaps you should have changed the password yourself when you got the router; instead of whining about Verizon trying to fix it for you?
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Your hair look like poop, Bob! - Wanker.
I'm assuming that by "and it had actually been changed" you mean that they changed it, not that you did before them. If you had the password left as its initial value, they set this for you, and the change they made did the same, just to a more secure value. If they changed your password even though you had already done it, my apologies, as that ain't right. I would hope that if you changed your password to a custom value, they have no way to change anything on your router.
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Get used to this. What you think is yours is not. A disturbing trend where there seems to be no end in sight.
A slashvertisement for stupidity?
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
PS you're a complete dipshit IMHO
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
It doesn't matter what his password was, they broke into his router illegally.
Lazy Fuck receives router with password set to password1
Lazy Fuck doesn't change it for THREE fucking years
ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
ISP Emails Lazy Fuck with new password
ISP changes password so Lazy Fuck doesn't get wtfpwn3d
Lazy Fuck whines like a petulant little schoolgirl
How did this retard even find slashdot, let alone create an account and post?
lazy fuck could be lit on fire next to a pool and he'd burn to death.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Verizon does him a favor by changing his password and he complains about it. Maybe he'd prefer having his router hacked or something. What a dipshit.
When I got fios 2 years ago, I noticed the port. In the end I just swapped the router with my WRT54G-TM /w Tomato Firmware after the verizon tech left.
You're still at fault for leaving your password at the default, but verizon should not have control over the router you own.
Pro tip: If the router is "yours", you might want to set a password for it that only you know.
Has there ever been a dumber article on /.? I think this is a strong candidate for winning the contest.
You see? You see? Your stupid minds! Stupid! Stupid!
...If you did not change the default username/password. I am on FIOS, and this was done within 20 minutes after the installer left.
However, it is commonly known among the FIOS community at dslreports.com that port 4567 is indeed open to the outside, even when you have remote administration disabled. It is believed that this port is used by Verizon to push firmware upgrades to the hardware. The port can be closed by making a firewall rule to block traffic to the port.
Further inspection reveals that they also wiped the router's logs. The router is supposed to log settings changes. The last stuff it has before my first login after the password change is from July 2007, even though there used to be stuff there from last time I went in.
And MS shouldn't be able to fix my computer either, *I* own this unpatched, vulnerable machine!!
It's because the router is Verizon property and they probably have access to it no matter what your password is?
Actually, I've never used FiOS but I've always assumed that the routers remained property of Verizon, same as the set-top-boxes for television do. If someone can prove this, one way or another, I'd like to know.
P.S., on another note, has anyone tried to port a free router distro to the Westell 9100EM routers specially made for Verizon as FiOS routers and MoCA gateways. It seems Westell released the Linux-based firmware source which, although I've not looked at it, is probably the same Linux firmware that Verizon ships these things with, except without Verizon's branding and webapp look-n'-feel. I'm surprised that no-one has tried to port another Linux distro to it, but I guess that if Verizon owns the routers, the customers with the know-how won't bother trying.
Everyone thinks you're an idiot!
If I had been the Verizon techie I would have changed the password to dumbf@ck
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
If you can read this, it means that I bothered to log in.
You're lazy about security and you complain when someone actually tries to improve it because you haven't been bothered in 3 years to do it yourself.
Life must be terrible for you if this is the most you have to complain about.
You're worried about their level of access when you left it with the default password?
Change the thing yourself. DUH.
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
Really?
How is this worth a Slashdot article?
Verizon owns the routers. They supplied it, and the router is simply on loan while you purchase their services so that you can access them. And they always have the right to adjust your system settings. That router provides access to their network at your home. They are simply trying to prevent anyone other than who lives in your household from using their network without paying.
All I see is:
if you were first instead of *********, you would not have had any trouble. I had lots of trouble deciphering the summary, though...
We all know the new password is either: password2 or admin2 now.
How sad.
You may be correct, but my Verizon-provided Actiontec router has non-deletable port forwards to the router and the cable boxes on our network. And despite having the firmware updater set to "do not check for updates" the firmware has upgraded itself twice. So Verizon has some kind of backdoor that can at least upgrade a pushed firmware.
I like Verizon and like the idea of them protecting from stupid passwords, but they do control their end user's router. If users don't like it or suffer from the NAT table overflow issue on some actiontecs, you can put in another router. There are instructions on how because there can be some issues with the cable boxes in some MOCA configs over coax.
It's been well known for years that Verizon has a backdoor into all of the Actiontec routers that they deploy (even if the user changes the admin password, so go easy on the OP). If you're lucky enough to live in a condo complex or somewhere else where they use VDSL to provide internet access (instead of coax or the lesser-used ethernet), you don't have to use the Actiontec router, and can use something else as your Internet-facing device. My co-worker was pretty peeved when he called Verizon tech support one day and they told him that "it looks like you have wireless turned off."
Does this mean that router passwords are stored plaintext, or did the hash match up with the one for password1? If there's anything to draw from this story, it's that we should probably check how the passwords are being stored. Some people use similar passwords for unimportant things (both my routers and my desktop all use the same password), while still using secure ones for important things. Yes, yes, if it's all local and people are stealing the password then I probably have bigger issues than that, but still, it could be a weaker link in the chain, which is never good.
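The general answer to the question above, as an added example (not code from the thread, Verizon or Actiontec): an operator does not need plaintext storage to tell that a password is a known default, because a hash, even a salted one, can be recomputed for each candidate on a short list. The record format, PBKDF2 parameters and serial numbers below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# The two defaults named in the Verizon email quoted in the story.
KNOWN_DEFAULTS = ("password1", "admin1")

# Hypothetical work factor for the constructed record format below.
ITERATIONS = 50_000


def make_record(password, salt=None, iterations=ITERATIONS):
    """Build a stored credential in a hypothetical salted PBKDF2 format."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def matches(record, candidate):
    """Recompute the hash for one candidate using the record's own salt."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def find_default(record, defaults=KNOWN_DEFAULTS):
    """Return the known default this record matches, or None."""
    for candidate in defaults:
        if matches(record, candidate):
            return candidate
    return None


def unsalted_hex(password):
    """Unsalted SHA-256, shown only as the weak storage scheme for contrast."""
    return hashlib.sha256(password.encode()).hexdigest()


def flag_unsalted(stored_hex, defaults=KNOWN_DEFAULTS):
    """With unsalted hashes, one precomputed table flags every device at once."""
    table = {unsalted_hex(d): d for d in defaults}
    return table.get(stored_hex)


def audit(fleet):
    """Map each device serial to the default it still uses (None if changed)."""
    return {serial: find_default(record) for serial, record in fleet.items()}


def demo_fleet():
    """Constructed sample data: three devices keyed by made-up serial numbers."""
    return {
        "CONSTRUCTED-0001": make_record("password1"),
        "CONSTRUCTED-0002": make_record("admin1"),
        "CONSTRUCTED-0003": make_record("a-long-unique-passphrase"),
    }


if __name__ == "__main__":
    for serial, hit in audit(demo_fleet()).items():
        status = f"still default ({hit})" if hit else "changed by owner"
        print(f"{serial}: {status}")
```

Salting removes the single lookup table but not the check itself: the cost becomes one hash computation per device per candidate, which is trivial for a two-entry list. This is why a unique, non-guessable password matters regardless of how the device stores it.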
I have Fios myself ... when I got the install done a few years back, I had my own router ready for the tech to use. When he showed up with the Actiontec, I remarked to him "Oh, I didn't know you guys were giving me a free router with my service." His reply was right along the lines of "We're not giving you a router, we're letting you use this one."
So, the way I see it ... Verizon changed the password in their router that they placed in your house. You could always .... get your own router.
No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
This is by far the worst post I have ever seen on Slashdot! " I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!" What the hell? The password was a known default one that left your router accessible and they closed that hole. Sounds like Verizon actually took a positive action. Please take this post to Digg where I would expect to see such drivel.
At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).
The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!
Most routers do not allow remote administration unless you specifically enable it. If it was disabled; he shouldn't have a problem with a bad password. The router "shouldn't" allow anyone to log in remotely.
Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
-SaNo
Comcast and AT&T have access to routers that they supplied as well. This isn't limited to Verizon.
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
You left your router using the default password they assigned to it.
It was a default password, so of course they know it, other people know it too (who you should trust less than your ISP), and of course they can connect to it, if you can. In fact, they can require you provide them management access to the router, or opt to disconnect your service instead.
Basically, Verizon is doing you a big favor and you're being persnickety. Verizon's actions are intelligent, your actions are negligent, and your response is absolutely atrocious.
As an ISP, they should of course know the publicly reachable IP addresses of your router, and they should take reasonable steps to secure their network without excessively intruding upon their users.
You are responsible for your router, but so is your ISP. There is a shared responsibility here.
They assigned the password, so they know it, and can change it, until you change it.
I believe it is your responsibility to change it, and if you fail, they have justification in taking steps.
Changing your password for you is the least disruptive thing they can do.. serial number is not that secure, anyways... they could have instead opted to disconnect you, and wait for you to call in from a cell phone and receive instructions to change your router password and call back to be reconnected to FiOS.
Thank you for looking out for me and my security. I realise you didn't have to go to all that trouble - both to help save me from myself and to actually send me email to keep me aware. I can see that you are definitely on top of your customer support processes, and I promise not to call you with stoopid questions that I could easily answer for myself if I just opened the manual,
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
In honor of the movie Dinner for Schmucks Is Slashdot holding a contest for stupid submissions? Come on, I have a device on the internet with the default password and someone changed it. Please thank the nice ISP and go back to watching reruns of Gilligan's Island on Hulu. Nothing to see here, move along.
they can do what they want to stuff they own.
THEY are not allowed to update my modem OR router unless i give permission
and thats why they call it UPDATING YOUR FIRMWARE IN THE TOOLS SECTION.
Regardless, this poster is a complete noob; technically, however, what Verizon did do was against most laws even if it had the best interest at heart.
ITS like a hacker breaking into YOUR website and leaving you a note he updated all your software that was vulnerable.
ITS STILL AGAINST THE LAW
The router that you have is Verizon supplied. Does that mean it comes with your service or that you are renting it? In that case technically it's not "your" router. It's theirs and they can change it if they wish. In most rental/lease agreements there are clauses that allow the owner to modify, inspect, replace, remove, etc the equipment. If you bought the router, that's another story. They shouldn't have done it but it's not the end of the world.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Did they only change password1 and admin1? What about such winners as admin, password, 123456, and default?
I've got Verizon FioS (well, Frontier now). I don't own my 9100, I seriously doubt you own the Verizon-supplied Actiontec. I'm on my third provider (fourth you count Frontier now that they've taken over FioS), and every single one of them wants the modem back when I disconnect.
I've got fresh new mod points, but unfortunately not enough to +1 everyone who said, "you're an idiot". But I think it's the first time I've ever seen almost unanimous agreement on /.
http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
On the one hand you have a company that is protecting morons like you from malicious attacks and helping to secure your router and connection. Now they could have left this all be fine, but I wonder how would you have enjoyed this little scenario?
1. Hacker accesses your router remotely or via a malicious website because YOU never changed your password from the default.
2. Your DNS addresses are changed to use one of their DNS servers
3. You attempt to go to what you believe is a secure website, perhaps your bank's website
4. The hacker's DNS server redirects you to a spoof website that looks just like yours
5. You enter your information thinking it's your bank's website, instead you just gave them your bank information
Verizon just protected you because YOU were too lazy to protect yourself. THEY are looking after YOU, and yet all YOU can do is whine and complain because how dare they access the equipment you are leasing from them.
And for the record, you DO own any router you buy whether or not that was purchased from a third party or your ISP. However, when you buy from the ISP there is a "Support" clause that you buy into as well. They might be protected by that if the clause was infinite provided his contract with them has been constant.
Sand's overrated... it's just tiny little rocks.
So... pretty much any router sold by a telco is set up for remote management via the TR-069 spec. Even if you had already changed the password, they can still get in; it's something far different than accessing the admin interface through the WAN and almost certainly buried in their TOS.
I worked on a Qwest DSL connection for a friend and replaced their POS Actiontec with something more functional. When it came time to switch packages to a higher speed, the connection simply stopped working. Apparently Qwest changes the router's PPPoE information remotely when you upgrade to a higher speed and not having their equipment in place caused that to fail.
So, if you don't want them to screw with your settings, don't buy their crappy hardware and acknowledge that it may break as a result.
Even people that believe in pre-destiny look both ways before crossing the street.
I have Verizon FIOS as well, and if the poster is referring to the modem/wifi router combo unit that comes with the service (and which has a default password of 'password1'), he is incorrect in believing that he owns the unit. The unit comes with FIOS service and is on loan from Verizon.
Further, they are changing the password to protect the owner from his own idiocy. I would have a problem with them keeping tabs on traffic or making changes to any other setting, but it looks like this change actually does benefit customers. The email notification email sent out with the password change made their intentions clear.
All in all, this seems to have been carried out properly.
After three years, they changed the password to something you could easily find just by looking at the device.
I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.
Verizon deserves a medal for restraint on this one.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Dude, this is what a firewall is for! Just put one between the line and your Actiontec rou... oh, wait. Hmmm.
Where I work this is referred to as the infamous ID-ten-T issue!
The Matrix is real... but I'm only visiting!
That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...
Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...
Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.
So rest assured that what they did has actually increased the security of your network and has left no gaping hole in its place.
Even people that believe in pre-destiny look both ways before crossing the street.
If? Did you friggin' say "if"? It's not a conditional. He left his password as "password1" for three friggin' years. This is just much ado about nothing in a way Shakespeare couldn't have imagined. OMFG I am a careless clueless luser who never changed my routers password from the default and Verizon pointed it out for me and made me more secure! I am outraged! How dare they!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I used to work for a router maker that used the MAC as the s/n#. Not sure how common this is but if that is the case with Actiontec then Verizon may be making it worse.
For administrating a router that you obviously were neglecting. You own the equipment, but they obviously provided you with a valuable service.
“Common sense is not so common.” — Voltaire
You are assuming that admin access was indeed properly disabled. In forming your conclusion you are taking the word of someone who never changed their default router password, and is now complaining that Verizon finally did the responsible thing and informed him of the egregious error. You might want to think about this a bit more ...
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Freedom means also the freedom of being stupid!
While that is a weak password, it doesn't matter. Using port 4567, any Verizon employee can change your password and do essentially whatever they want. Regardless of the fact he has a weak password or not.. That's the problem here.
Yah, I have a Verizon Actiontec router on my network at home too. But I don't trust Verizon at all, why I have a second router between theirs and my network. This protects me from Verizon and doubly from the outside world.
am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.
He owns the router, they don't. He doesn't lease it.
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
Yeah... Verizon LEASES all their equipment to you. They still own it all. TV Boxes, Routers, etc. This is why they asked for their Set Top Box back when I updated to their HD package.
They have the right to tinker with their own product. Frankly, they did you a favor.
Looks to me like that thing is a modem + router, not just a router. Cable companies always have access to modems. They use that to test lines, for example. Access to your router may also make sense if they actually help you with your network.
Most people who leave the default password on their router probably need help from their ISP. Since this thing is a wireless router as well, it's probably fairly easy to get onto your internal network, so leaving the default password around was pretty careless.
If you don't like them getting into your network, put your own router in front of their modem+router combo or ask them for just a modem.
On the whole, I think Verizon did the right thing.
I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes to equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
.. how can you claim to care about this incident if you never even bothered to change the password in the first place? What should your router manufacturer have done? You closely remind me of some old lady who is never satisfied with the state of affairs, but never willing to do anything about it either. Posting your story is the ultimate low I have seen Slashdot go so far. F**k off!
You sound just like someone who got a DWI and is whining about how unfair it is. You got "Busted" - deal with it.
I think Verizon did you a favor and I am 99.999% sure that their conduct is allowed under their Terms of Service.
That said, I would have done things differently. I would have redirected you to a page telling you exactly what you need to do to regain access. I don't like doing things like changing the user's router settings or passwords. I figure if you have to do the work maybe you will remember it a bit better.
Verizon did you a favor; STFU and get over it.
Though my ISP is Qwest. I assigned a password they should not have known, yet they're still able to configure the modem remotely. I'm guessing they have a different "backdoor" method of accessing the modem/router (it runs Busybox).
Enlightenment is the elimination of that which is unnecessary.
If I were to leave my house and forget to close the front door, why would I bitch at someone for closing and locking it for me?
Verizon has set this as a policy, but the Actiontec routers themselves aren't any different. If you reset one of them, the username is still admin and the password goes back to password1.
If you don't want Verizon getting all up in your shit, get a third-party router. They'll all work (provided you use a MoCA router if you're MoCA). Technically, if your Actiontec were set as "unmanaged" they would require permission to change or view router settings, but that's more of a scout's pledge than anything.
When I was working for them, I always got a kick out of looking at the router's DHCP table and saying stuff like, "Oh, you've got an XBOX, you play a lot of games?" Front line tech support can't do everything to the router remotely, but it's a feeling of power in an environment where you're otherwise powerless.
I don't believe in time. It's a grand conspiracy designed to sell watches.
Anyone stupid enough to have the default password on anything, deserves to be hacked.
Having that port open like that, aint that more a security risk having the being able to connect to remote web admin then it is having a weak password?
A car analogy may apply. If you see someone's unlocked car in the parking lot, do you open the door and push the lock down and close the door, or do you ignore the vulnerability the owner has left? What if the lot was the rental company's and you temporarily parked their rented car unlocked? Would the company be within its rights to lock it for you?
Pertinent question: who owns the router in question? Apparently you, so, yeah, I'd probably gripe a little bit. On the other hand, they did you a HUGE favor unless you meant to leave it vulnerable. They told you what they did, so I don't see much grounds to be outraged. I do wonder why Verizon didn't send you a paper mail note warning you of the problem and that if you didn't protest they would change it as of date X, but I suppose that message could have been intercepted. Secure first, then notify might be the only safe procedure.
Heck, you could always change it back to "password1" if you really wanted to. "Thank you, but I wanted my car doors unlocked." That would show them!
PS: I sure hope you changed the password from the serial number.
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
Yes, I agree; instead Verizon should simply let any and everyone's routers get hacked, then their customer service should be responsible for fixing all those people's routers, right? GIVE ME A BREAK, they fixed a security problem with your router, it just so happens that the security problem was YOU! Get over it, and if you don't want them to have access, change your password...
Your surmise of a back door appears to be correct. This back door remains open even if you disable remote management of the router, and it does not even require knowledge of the admin password you choose. Here's a post detailing how to disable the port 4567 back door using telnet to the router http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456
I guess fiber to the house works differently in your area. Here, the telco equipment finishes at the optical switch, which has 8 cat6 ports. My router/firewall is on one of them feeding the "safe" network, another feeds the "unsafe" network (for work PCs used at home, since the VPN requires some ports which I will not open on our router), and another feeds the IPTV decoder. The telco has access to their optical switch where bandwidth limits can be enforced, but does not have access to my router, which I bought elsewhere.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
... can't change the password on my router ... because it is MY router. Hint: it's not password1 or the serial number.
now we need to go OSS in diesel cars
... something like a combination of the serial number, MAC address, and account number. That would make it a bit harder to brute force iterate over all the possible values.
now we need to go OSS in diesel cars
1) Leasing routers happens, especially if it's a modem-router, which is becoming more and more common.
2) Even if you own your modem, as a condition of service the telcos will typically insist on enough control of your equipment to manage "their side" of the connection. The same goes for cable-tv and cable-internet providers who let you use your own modems and cable boxes.
As far as #2 goes though, they typically "enforce" it by simply blackholing any device which doesn't give them the control they need. If you want your device to work you get to choose whether to keep being their customer on their terms or look for service elsewhere.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is about Verizon accessing the router config from outside the LAN even though this access has been disabled in the router config. He now is wondering who else might be able to access that backdoor port. Got it?
On second thought, let's not go to Camelot. It is a silly place.
In order for Verizon to make the change, they had to either 1) access another device on his network and access it from the LAN side, or 2) access it from the WAN side.
#1 is illegal without authorization.
He disabled access from the WAN side, which means if Verizon found a way to access it from the WAN side it was clearly unauthorized and therefore illegal.
Either way, we can argue all day and all night whether Verizon's actions were moral or not, but unless his terms of service clearly authorize Verizon's actions, they were likely technically criminal offenses.
One thing Verizon could have done is announce to all its customers that as of their next contract renewal, they are required to affirm that their network is secure from outside attack AND that any devices they have that are directly connected to Verizon's network, such as their "main" router, are secure from attack from inside of their network. Furthermore, they can require that such customers periodically run Verizon-supplied pen-test programs against their "border router" from the inside and have it send back a "pass/fail" notice to Verizon or, for companies and individuals that refused to do this or who could not for legal reasons, that they buy liability insurance to cover losses to Verizon should their network be compromised in a way that costs Verizon money. They might lose a lot of customers if they did this, but it would be within their legal rights to do so.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
T-Com (T-Mobile) in Croatia has an ACS (auto-configuration system) from which they can alter the password remotely or assist the user if he/she doesn't know how to configure the router...
A UK citizen who used a similar backdoor (typed the default password) to get into a US computer
As has previously been pointed out, the FIOS ToS http://www.verizon.net/policies/popups/tos_popup.asp section on "Monitoring of Network Performance by Verizon" explicitly says:
You agree to permit us to access your computer and Equipment and to monitor, adjust and record such data, profiles and settings for the purpose of providing the Service.
So not only does the ToS say that you give Verizon permission to change the settings of the Actiontec router, they also say that you give Verizon permission to change the settings on your own home computer as well as record any data they find on it!
After having read the FIOS ToS, I can safely say they're scummier than even Comcast ... and that takes hard work.
If you let your network provider install equipment and let that equipment have unfettered access to your private network, you are crazy.
Always put the DSL modem/router from network vendors (and the like) outside your own firewall.
Don't mix and match network access and security devices, unless you don't care about your privacy.
Pretty much all ISP-branded routers have this ability. When I gave a Windstream installer my old 2Wire that was branded for their ISP, they were able to change the password remotely. Not the router password itself, but the login info into the ISP. Even though I kept telling the installer that's why it's not logging in and we need to update that info, he wound up giving up and calling the ISP, and they updated the info remotely. An unnecessary step, being that I knew I had to do the same thing and knew how to get to those settings myself.
What's your serial number?
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
YOU allowed the technician access to your router during setup.
YOU allowed him to set the administrative password.
YOU allowed him to set the router options such that someone could remote logon.
YOU are the one who DID NOT change the password once he was done!
YOU are at fault.
Verizon is merely covering YOUR ass (and, let's be honest, theirs too) because you allowed the setting of a shitty, insecure password and did JACK SHIT to change it to something more secure IN A THREE YEAR TIMESPAN!
If you didn't want Verizon, or anyone BUT YOU to get into the router, YOU SHOULD HAVE CHANGED THE FUCKING PASSWORD YOU WHINY ASSHOLE DOUCHEBAG!
Chas - The one, the only.
THANK GOD!!!
You log into it by going to 192.168.1.1 when you are obviously on the local network. To do any administration on the router you enter your primary e-mail address/password. You may be able to change this, I'm not sure [you can obviously change it; I mean change it to something distinct]. I think it might be used to authenticate the router to the network so it might have to be your e-mail password. Then there is the wireless password, which is just 10 random hex digits. Buried in the menus there is something called 'Remote administration' which, when you bring it up, mine says disabled with a blank password. If the default had been something other than blank I never would have noticed, because when I administer the router that isn't the password that I'll be asked for.
The router in question might be completely different, but I think some of the posters are being overly harsh to the OP.
I have FiOS and received an email from Verizon stating that they identified my router as having the default password and went and changed it for me.
The only problem is that I DID change my password (and the username) to something unique. When I tried to use my unique identifiers, I could not get in. When I used the password that Verizon set, I used the unique username that I had established. I changed the password back to what I set it before. If it changes again, I will be a bit upset.
Not taking sides here, but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application, which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like, but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OK'd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscriber's device, i.e. subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
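An added illustration of the TR-069 exchange described in the comment above (not part of the original post and not Verizon's or any vendor's code): it reads the decrypted text of two CWMP messages, an Inform from the router and a SetParameterValues from the provider's server, and lists what the device reported and which settings were pushed. Both messages are constructed samples; the vendor parameter `X_EXAMPLE_AdminPassword`, the serial number, the addresses and the use of port 4567 in the URL are assumptions made for illustration, and having the message text at all (from a device log or lab setup) is assumed, since the session itself runs over HTTPS.

```python
import xml.etree.ElementTree as ET

# Constructed sample messages (not captured traffic). Real CWMP envelopes also
# carry SOAP array attributes and xsi types, which are left out here.
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body>{}</soap:Body></soap:Envelope>'
)


def pvs(name, value):
    """Build one name/value entry of a CWMP ParameterList."""
    return ("<ParameterValueStruct><Name>{}</Name><Value>{}</Value>"
            "</ParameterValueStruct>").format(name, value)


# Router -> management server: sent when the device boots or checks in.
INFORM = ENVELOPE.format(
    "<cwmp:Inform>"
    "<DeviceId><Manufacturer>ExampleVendor</Manufacturer><OUI>001122</OUI>"
    "<ProductClass>ExampleRouter</ProductClass>"
    "<SerialNumber>CONSTRUCTED0001</SerialNumber></DeviceId>"
    "<Event><EventStruct><EventCode>1 BOOT</EventCode><CommandKey/></EventStruct></Event>"
    "<ParameterList>"
    + pvs("InternetGatewayDevice.DeviceInfo.SoftwareVersion", "0.0.0-constructed")
    + pvs("InternetGatewayDevice.ManagementServer.ConnectionRequestURL",
          "http://203.0.113.10:4567/")  # port borrowed from the thread (assumption)
    + "</ParameterList></cwmp:Inform>"
)

# Management server -> router: settings pushed during the same session.
SET_VALUES = ENVELOPE.format(
    "<cwmp:SetParameterValues><ParameterList>"
    + pvs("InternetGatewayDevice.X_EXAMPLE_AdminPassword", "constructed-value")
    + pvs("InternetGatewayDevice.Time.NTPServer1", "ntp.example.net")
    + "</ParameterList><ParameterKey>constructed</ParameterKey>"
    "</cwmp:SetParameterValues>"
)

# Substrings that mark a pushed parameter as worth a closer look.
SENSITIVE = ("password", "username", "managementserver")


def local(tag):
    """Strip the '{namespace}' prefix so cwmp-1-0/1-1/1-2 are all handled."""
    return tag.rsplit("}", 1)[-1]


def rpc_element(message):
    """Return the RPC element (first child of the SOAP Body)."""
    root = ET.fromstring(message)
    for child in root:
        if local(child.tag) == "Body":
            for rpc in child:
                return rpc
    raise ValueError("no RPC element inside a SOAP Body")


def params(rpc):
    """Collect the name/value pairs of the message's ParameterList."""
    out = {}
    for struct in rpc.iter("ParameterValueStruct"):
        name = (struct.findtext("Name") or "").strip()
        if name:
            out[name] = struct.findtext("Value") or ""
    return out


def review_session(messages):
    """Return (category, name, value) findings for a list of CWMP messages."""
    findings = []
    for message in messages:
        rpc = rpc_element(message)
        kind = local(rpc.tag)
        if kind == "Inform":
            device = rpc.find("DeviceId")
            serial = device.findtext("SerialNumber") if device is not None else None
            findings.append(("cpe-reports", "serial", serial))
            findings.append(("cpe-reports", "events",
                             [e.text for e in rpc.iter("EventCode")]))
            for name, value in params(rpc).items():
                findings.append(("cpe-reports", name, value))
        elif kind == "SetParameterValues":
            for name, value in params(rpc).items():
                lowered = name.lower()
                category = ("acs-sets-sensitive"
                            if any(key in lowered for key in SENSITIVE) else "acs-sets")
                # Never copy a credential into the report itself.
                shown = "<redacted>" if "password" in lowered else value
                findings.append((category, name, shown))
    return findings


if __name__ == "__main__":
    for finding in review_session([INFORM, SET_VALUES]):
        print(finding)
```

For message text taken from an untrusted source, parse with a hardened XML parser such as `defusedxml` instead of the standard library one.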
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
1 - Your EULA/TOS/Contract/Whatever that you agreed to in order to get service allows them.
2 - You are using *their* network, *their* resources, so to deny them access to the device hanging off their wire is ludicrous in the first place.
3 - You left it at the default, you are lucky some kid didn't do it instead and really hose you.
Same reasons phone carriers don't like you mucking around with cell phones as you pose a risk to their network.
---- Booth was a patriot ----
Your ISP is often going to have special access to the terminating device on your network. They are, after all, your ISP. They control the data coming in to your house. They also have an interest in keeping their network secure. So for administration and security purposes, yes they can probably access the device they give you.
This is the case with my cable modem. My ISP can get at it from their end and ping it, ask it for status and so on. The modem doesn't have any public IP address, it operates as a simple bridge. However it does have a management IP, one on my end one on their end, that can be gotten in to. Their IP only they can access, I can't get at it from the inside.
They don't have management on anything else, of course, any of the devices I own are all mine. However the cable modem is the demarcation unit effectively, where their network ends and mine begins. As such they can access it.
Good job using so much caps dude. Calm down. Yelling doesn't make you look good. There's two ways to look at this:
- Verizon is doing people a favor by securing their routers a little more
- Verizon has a backdoor
FYI the option to backdoor isn't set by the tech per se. The tech runs a program that executes several scripts. Whether the default firmware for these devices has this option on by default OR if the script does it I am not sure of. But it's normal practice for them to have this setup as is. The issue at hand is that they have a way back into your router. My guess is that, for the most part, it's there for maintenance, status checking (i.e. do you have an actual internet connection) or password resetting if the user forgets it. POSSIBLY for data monitoring, but I'm not going to say that's true, nor am I going to rule it out.
But Jesus, next time don't use such harsh words. Try thinking first.
Pancakes. Oh I blew it.
They have access. DOCSIS works such that the modem requests a configuration from the cable end of things when it turns on. So they have access, no matter what. It is required to be that way by the DOCSIS standard. Even if it is your property, it is still their device, from a network standpoint. That Ethernet jack is the demarc point here where their network ends and yours begins. Even if you own the cable modem it is still "theirs" from a network standpoint and thus they'll maintain control of it.
For reference port 4567 is listening on the OUTSIDE interface...the side that faces the internet. This came to my attention some time ago when I decided to switch from Comcast to Verizon. I did a tad bit of research when I was in between jobs and kept a blog on my adventures with port 4567....that CAN'T BE DISABLED. There are ways to keep verizon from spying on you and illegally entering your computer network. My blog posts are here: http://robot5five.blogspot.com/2009_07_01_archive.html Cracking the password hash was trivial, although it took me a little time until I found several other folks had already done it.
... but if Verizon finds that your password is something simple like 'password1' and changes it to something a bit more obscure, it doesn't necessarily mean that they can get into a properly secured router where the owner has changed the password on their own.
Or do they actually have a backdoor?
Have gnu, will travel.
I can't tell you how many times I've logged into a Wireless access point while somewhere else, only to find that I can login to the router and dink around with the settings.
In fact I've changed settings and updated the firmware (dangerous!) over the weak wifi link before too. Let me tell you something...
The fact that the default settings were there means that other people (neighbors) might not realize they are using their neighbor's wifi instead of their own, and can trash the other guy's router, even by accident.
Any router I came across that was using default settings, I'd kick everyone off the router, erase the access log, change the password, and then when I was done with it, have it reboot.
ProTip: If you live in an apartment building, or near one, or near a hotel, FFS enable encryption on your router and change the passwords. Hotel users will jack your connection without even a second thought.
What a thread!
50+ comments all screaming "LOLZ! YOU IZ TARD NOT CHANGE PASSWORD! THAT HOW TEH HAXZ0RZ GET IN! GET OFF MY INTARWEBZ! LOLZ!" and apparently not a single one of them knew about the TR-069 protocol "backdoor", it seems most of them didn't even know the OP was referring to the LAN-side password or understand what that means.
Followed by who knows how many mods +1 Funnying every one of those comments (or -1 Trolling those trying to genuinely answer.)
And not one of those commenters, not a single fucking one, read the rest of the thread and realised that they just learned something they didn't know before, and posted a retraction.
And not one of the mods, not a single fucking one, read the rest of the thread and realised that they too just learned something they didn't know before, and posted to undo their mods.
And the great thing is, every single last motherfucking one of them will do the exact same thing tomorrow.
Glorious.
I love you all.
Science is all about firing a drunk pig out of a cannon just to see what happens.
You didn't specify which password Verizon supposedly changed, but from the context in your message I'm guessing it was your router's administrative password.
Ownership shouldn't matter. Knowledge of your router's administrative password does matter. If you were too lazy or clueless to change that password before the tech who installed it got to his/her truck, you got better than you deserved. You should go immediately to your email program and write a nice thank you note to Verizon for doing a security sweep for a WiFi router administrative password vulnerability recently (2010-7-21) announced (by Seismic) on behalf of its customers. In particular danger are routers with no administrative password set (or ones set to known values used by technicians installing routers, like "password1"). A complete fix for this vulnerability will require firmware updates to the affected routers. But, making sure you have a strong administrative password activated is a good stop-gap measure. And, given the timing, I would bet this stop-gap protection is what Verizon was trying to provide for its customers.
One "Aw, Shit!" is worth 100 "Ata boys!"
I could tell you stories about Verizon and its unethical conduct
that would make you think the KGB is a branch of the United Way.
Suffice it to say that if they were the last fucking ISP or cell provider on
earth, I'd avoid them.
1) Since it's 'your' router, maybe you should have secured it better; I bet you didn't even know its password. They actually did you a favor, this is the same logic as hackers hacking into systems to discover their security holes. 2) I'd really like to see most of the Verizon FIOS customers configure 'their' Verizon FIOS router. Please quit whining, and be thankful they changed the default password instead of some cracker changing the router's DNS settings and ruining your life.
TOP DSLR Cameras Reviews of the top DSLRs
http://www.networkworld.com/community/node/57070
#
Cisco backdoor still open
IBM researcher at Black Hat says opening for Feds exposes us
By Cisco Subnet on Wed, 02/03/10 - 5:33pm.
The "backdoors" that Cisco and other networking companies implement in their routers and switches for lawful intercept are front and center again at this week's Black Hat security conference. A few years ago, they were cause celebre in some VoIP wiretapping arguments and court rulings.
This time, an IBM researcher told Black Hat conference attendees that these openings can still expose information about us to hackers and allow them to "watch" our Internet activity. Backdoors are implemented in routers and switches so law enforcement officials can track the Internet communications and activity of an individual or individuals under surveillance. They are required by law to be incorporated in devices manufactured by networking companies and sold to ISPs.
In this report from Forbes, IBM Internet Security Systems researcher Tom Cross demonstrated how easily the backdoor in Cisco IOS can be exploited by hackers. When they gain access to a Cisco router, they are not blocked after multiple failed access attempts nor is an alert sent to an administrator. Any data collected through the backdoor can be sent to anywhere -- not just merely to an authorized user, Forbes reports.
What's more, an ISP is not able to perform an audit trail on whoever tried to gain access to a router through the backdoor - that nuance was intended to keep ISP employees from detecting the intercept and inadvertently tipping off the individual under surveillance. But according to IBM's Cross, any authorized employee can use it for unauthorized surveillance of users and those privacy violations cannot be tracked by the ISP.
Cisco said it is aware of Cross's assertions and is taking them under consideration. To Cisco's credit, it is the only networking company that makes its lawful intercept architecture public, according to the recommendations of the IETF, the Forbes story states. Other companies do not, which means they may be susceptible to the same security flaws, or worse.
###
Elsewhere in Torland...
"Just use Tor!" cried Frodo.
"It's no use" hummed Gandalf as he presented Frodo with a scroll.
"ExcludeNodes has been ruined, OH NO!" Frodo frowned and moaned.
"It's true" Gandalf declared, waving his long pipe,
"You can't put on Tor anymore without this corruption."
"But, the Torwraiths didn't..."
"No, no, of course not. Or are you saying it could've been..."
"An inside job?"
Gandalf took a long draw from his pipe before finishing,
"Stranger things have happened."
Frodo and Gandalf both stared at each other in silence before exchanging
long and heavy laughs.
Outside the window, the bushes stirred.
Gandalf cleaned out his pipe as he sighed,
"We'll ignore that and say it was a misguided burglar attempt tomorrow."
Silence, followed by a roar of laughter.
The unknown in the bushes outside did not contribute to the conversation.
yep, no matter how many times you type password1, it will show to us as *********
coding is life
"They told me I was gullible ... and I believed them!"
The ironing is delicious.
I don't think email is reliable enough for a change like this.
Stephan
http://stephan.sugarmotor.org
LEBELAL TIMMEH! xD
seriously, how do you manage to type a sentence?
so when malicious people put urls like https://admin:password1@192.168.0.1/admin?blahblahba and access your router externally via your internal network, you're fine with that? awesome.
With dodgy browsers cross-site-scripting would even allow http posts to be sent to your router to do things like enable external administration, change your firewall settings, expose your local pc's and then attempt to exploit them.
Just because you disable external admin interfaces doesn't mean people can't exploit your local network machines to access the internal admin interface if it has an insecure password.
Was this even worth the space in Slashdot? Seriously, it seems that you actually want to ask if you have the right to sue Verizon for intruding into your router. Only in America can you be sued for helping people.
you needed 3 years to figure out that port 4567 is open? you still had the default password set? OMG.
no, this never happened to me cause i care about (my) security.
There are already a load of posts whining about moderation here.
It doesn't bother me when they make changes as long as I get the new password. Comcast changed mine and refused to give me the new one and I cannot talk to the router any more to ask it if it is healthy. That makes me mad.
if you're paying a monthly fee for your modem and/or router.. you are renting it from them and THEY own it, NOT YOU. so they can go in and modify its settings all they want. don't like it? TOUGH. buy your own hardware (it's usually cheaper in the long run anyway).
(note that some customer-owned equipment, such as cable modems, can still be modified and/or updated by the provider)
I pointed out the total lack of security with such a password years ago while I was complaining that the FIOS install program managed to delete Safari bookmarks. People in the Verizon newsgroup laughed at me for caring about such a thing.
What are the odds that:
1) This was a completely automated process that makes the changes
or
2) A sub-(sub-)contractor was given access to your system to make the changes?
Because we're not just talking about Verizon access. And not just a one-time deal. They'll be back again, and send you a nice e-mail to tell you you're off the island because they couldn't update your system.
I can't believe you were dumb enough to admit you left the password at the default. Then you had the guts to complain about it? Wow. New levels dude.
-- Programming with boost is like building a house with lego. It's cool but I wouldn't want to live in it
Verizon has been deploying less-secure wireless routers for years. The SSID and WEP Key are broadcast and very easy to find. Check out this post: http://gigamike.wordpress.com/2008/05/06/verizons-false-sense-of-security-with-fios-installations/
> should not have any way to get into my router and change the settings
Normally they don't if you disable remote host connections to your router from the outside; they usually don't add back doors from the factory... maybe that is more you not being smart enough to a) change the password some guy set up for you 3 years ago, and b) configure your router properly to make sure you have no unknown connections going on, usually MAC address filter, and IP range filter, and also WPA2 encryption, depending on the age of the router or firmware upgrade.
When FIOS installed my router, the tech changed the password from Password1 and didn't tell me he had done it, or what the new password is. I contacted Verizon about it and they just told me to reset the router to factory settings. I haven't done it because I frankly don't trust their advice and am concerned that something vital to connectivity will be reset. Opinions? Should I bite the bullet and reset the router (I would like to make a few changes like unpublishing my wireless access point)?
No sig? Sigh...
The only reason Verizon decided to do this was because of an article recently published that details a vulnerability the ActionTec routers are susceptible to. Now while this is a good proactive idea, I am somewhat upset because I personally changed the default password on my router the day I saw this article, but even still Verizon decided to change it for me after the fact. Not a huge issue, I just had to go check the number on the router itself, login and change it back to what I wanted, but I don't like that they did this.
What the hunter2 are you talking about?
Changing the password would not have helped, VZ has access to the ActionTec via port 4567, which can't be blocked using the ActionTec's firewall.
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
I have a feeling the same thing has happened to me. I noticed a week ago that I was no longer able to log into my router. I was planning on trying to reset the router to default settings just so I could get back into it to administer my network. If a notice was sent about the change, I'm sure it was sent to the verizon.net e-mail address attached to the account, which I don't have access to, and my roommate (whose name is on the bill) never checks.
This action by Verizon is very irritating, to say the least.
I sat through the talk about this exploit at DefCon, called "Hacking Millions of Home Routers" or something like that. What was discussed during that talk includes a method for accessing the _LAN_ side of the router by an external attacker. A live demo showed the presenter using the exact same default password "password1" with his published tool. Many posters have argued that Verizon was out of line for using their backdoor port to do password modifications, but given the choice between getting 0wned by either your ISP or some Russian or Chinese hackers, I'd take the devil I know.
The good news is that according to the DefCon talk, changing from the default password makes the attack much more difficult. Perhaps a dead-tree mailer would have been preferable to many, but with exploits being released to so many people at once, quick action is the best course, IMHO.
I wonder if Verizon can actually read the password, or if they can only see if it has been changed or not?
Given that many people re-use a single password, or perhaps a few..... a Verizon employee with access to those routers could most likely access tons of Facebook, bank, and other accounts.
it seems logical that a ISP can and should be able to connect .. umm .. allows access to/thru their ... are equal legal options. :D
to the access device, that
network. BUT then there is a threat to the independent international
access-device manufacturer.
i think anyone should be able to hock-up any (standard-conforming)
device to the ISPs network (that's why they have standards), but
that people who want to use a ISP provided device, which has a build-in
backdoor (which will not be used for nefarious uses (but potentially
represents a land-mine dangling from the phone line)) that allows remote
administration
-
TR-69 does offer "plausible dependability" should they catch you doing
illegal stuff.
-
i changed my TR-69 enabled router to a non TR-69-enabled one. works fine
-
a firewall that is configurable from the outside does sound a bit odd.
It's not "breaking into" a router since you've not bothered to change the password, so they just walked through the door you never closed behind them.
That's actually a good analogy. If a neighbour notices that you left your front door wide open with the keys in it and they lock the door and put the keys through the letter box can you sue them for it - of course not! (at least I hope not, although who can tell nowadays...)