Slashdot Mirror
Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
What part of "I own the router, not them" do you not understand?
That goes for you too, mods!
I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.
The real "Libtards" are the Libertarians!
If that were the whole story then it would be end of thread. Verizon changed the LAN side password remotely using their backdoor to the system. The backdoor uses a completely different authentication system. The only time the LAN side access password is useful is if you're already on the network, at which point there are probably more pressing security issues.
If you read the ToS (for VZ Fios, Even Cox Cable has a similar provision) by agreeing to service, you authorize them to access your equipment.
See here: http://www.verizon.net/policies/popups/tos_popup.asp
Search for "Monitoring of Network Performance by Verizon"
I soooo wish there was more competition for broadband in the states :(
Why aren't you encrypting your e-mail?
I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
I have fios and I have gone to my own software router running in a VM. But before I completely dumped the actiontec (which is really nice hardware for a router, but not all the well supported by alternative firmwares due to actiontec being asses about the GPL for a really long time), I noticed traffic on that port. After only cursory investigation, the impression I got was that the router was "phoning home" to verizon. That's how it got firmware updates and, I presume in this case, the password was changed. That "phoning home" behavior was something that creeped me out because I have no idea what it's reporting or what changes might be made, so it's what goosed me to start looking into alternative firmwares and eventually go the VM route instead.
When information is power, privacy is freedom.
Administrative access was not used for this. His actiontec, along with most other telco distributed CPEs use the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.
Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. see Pharming
Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.
There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.
Are we that sure it wasn't in that contract he signed?
A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.
Even people that believe in pre-destiny look both ways before crossing the street.
What are you all on about? He said he disabled administrative access from outside.
He disabled the user visible administrative interface.
Google for tr69 and you'll be enlightened.
In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.
Interesting.. When we first got FiOS, they were only doing Internet & Phone (TV came 2 years later), and handing out D-Link routers. Since I work for a network manufacturer, the first thing I did was swap it out for a real firewall. 2 years later, they started doing TV in our area, they brought out an Actiontec, wanting to replace my firewall with theirs. Fortunately, I came upon a solution that worked perfectly, and doesn't involve using their router directly (shocked the installers that came out to do our TV install). I've got the Ethernet WAN port of their router plugged into an isolated zone on my firewall (where my Guest WLAN also lives), with the cable wire still connected (so the cable boxes can get guide data). This isolated zone has access to the Internet only, nothing on my "regular" network at all. Works like a champ. Get your FiOS Internet delivered over Cat5 if you can get the installer to do it, then hook up the router that way. The cable boxes don't seem to mind 2 layers of NAT, so I see no reason not to deploy like this.
The unsig!
I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."
Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?
Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.
That password was owned by Verizon. He should have changed it to 'own' it, but he didn't.
This situation is like: you go into the shop, pay for some item but leave it on the counter.
The vendor notices it, runs out of the shop and hands it to you, again.
You scream a hissy fit that the vendor dared to touch YOUR ware.
He should have learned from this lesson and not be a dick and post this on Slashdot.
Patents Drive Free Software as Hurricanes Drive Construction Industry