Slashdot Mirror
Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
if you had changed the password yourself, this wouldn't have happened.
What ? Me, worry ?
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
I am becoming gerund, destroyer of verbs.
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Your hair look like poop, Bob! - Wanker.
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
It doesnt matter what his password was, they broke into his router illegally
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
Really?
How is this worth a Slashdot article?
Most routers do not allow remote administration unless you specifically enable it. If it was disabled; he shouldn't have a problem with a bad password. The router "shouldn't" allow anyone to log in remotely.
Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
-SaNo
they can do what they want to stuff they own.
THEY are not allowed to update my modem OR router unless i give permission
and thats why they call it UPDATING YOUR FIRMWARE IN THE TOOLS SECTION.
regardless this poster is a complete noob, technically however what verizon did do was agaisnt most laws even if it had hte best interest at heart
ITS like a hacker breaking into YOUR website and leaving you a note he updated all your software that was vulnerable.
ITS STILL AGAINST THE LAW
Then you're to blame threefold: 1) By your own admission, you let a noob stand in for you: If you'd cared to have it done correctly, you should have scheduled the installation around your availability so as to ensure that it met your requirements. 2) You apparently didn't do anything to correct matters afterwards, despite the fact that it wasn't to your satisfaction, and 3) Now you're whining about it on Slashdot.
Fourfold, if you expected anything other than what happened... and fivefold, if you expect to get any sympathy here for it.
I know it's harsh, but Timothy should never have accepted your submission. IMO, he threw you under the bus, and I am sorry for that.
My advice? First, change the password on your router, ASAP. Secondly, call Verizon, and inquire about changing from coax to Ethernet. Worst case they can't/won't, but you'll at least know.
Regards,
dj
If? Did you friggin' say "if"? It's not a conditional. He left his password as "password1" for three friggin' years. This is just much ado about nothing in a way Shakespeare couldn't have imagined. OMFG I am a careless clueless luser who never changed my routers password from the default and Verizon pointed it out for me and made me more secure! I am outraged! How dare they!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
YOU allowed the technician access to your router during setup.
YOU allowed him to set the administrative password.
YOU allowed him to set the router options such that someone could remote logon.
YOU are the one who DID NOT change the password once he was done!
YOU are at fault.
Verizon is merely covering YOUR ass (and, let's be honest, theirs too) because you allowed the setting of a shitty, insecure password and did JACK SHIT to change it to something more secure IN A THREE YEAR TIMESPAN!
If you didn't want Verizon, or anyone BUT YOU to get into the router, YOU SHOULD HAVE CHANGED THE FUCKING PASSWORD YOU WHINY ASSHOLE DOUCHEBAG!
Chas - The one, the only.
THANK GOD!!!
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
Good job using so much caps dude. Calm down. Yelling doesn't make you look good. There's two ways to look at this:
- Verizon is doing people a favor by securing their routers a little more
- Verizon has a backdoor
FYI the option to backdoor isn't set by the tech per-se. The tech runs a program that executes several scripts. Whether the default firmware for these devices has this option on by default OR if the script does it I am not sure of. But it's normal practice for them to have this setup as is. The issue at hand is that they have a way back into your router. My guess is that, for the most part, it's there for maintenance, status checking (i.e. do you have an actual internet connection) or password resetting if the user forgets it. POSSIBLY for data monitoring, but I'm not going to say that's true, nor am I going to rule it out.
But Jesus, next time don't use such harsh words. Try thinking first.
Pancakes. Oh I blew it.
For reference port 4567 is listening on the OUTSIDE interface...the side that faces the internet. This came to my attention some time ago when I decided to switch from Comcast to Verizon. I did a tad bit of research when I was in between jobs and kept a blog on my adventures with port 4567....that CAN'T BE DISABLED. There are ways to keep verizon from spying on you and illegally entering your computer network. My blog posts are here: http://robot5five.blogspot.com/2009_07_01_archive.html Cracking the password hash was trivial, although it took me a little time until I found several other folks had already done it.
You didn't specify which password Verizon supposedly changed, but from the context in your message I'm guessing it was your router's administrative password.
Ownership shouldn't matter. Knowledge of your router's administrative password does matter. If you were too lazy or clueless to change that password before the tech who installed it got to his/her truck, you got better than you deserved. You should go immediately to your email program and write a nice thank you note to Verizon for doing a security sweep for a WiFi router administrative password vulnerability recently (2010-7-21) announced (by Seismic) on behalf of its customers. In particular danger are routers with no administrative password set (or ones set to known values used by technicians installing routers, like "password1"). A complete fix for this vulnerability will require firmware updates to the affected routers. But, making sure you have a strong administrative password activated is a good stop-gap measure. And, given the timing, I would bet this stop-gap protection is what Verizon was trying to provide for its customers.
One "Aw, Shit!" is worth 100 "Ata boys!"
1) Since it's 'your' router, maybe you should have secured it better, I bet you didn't even know its password. They actually did you a favor, this is the same logic as hackers hacking into systems to discover their security holes. 2) I'd really like to see most of the Verizon FIOS customers configure 'their' Verizon FIOS router. Please quit whining, and be thankful they changed the default password instead of some cracker changing the router's DNS settings and ruined your life.
TOP DSLR Cameras Reviews of the top DSLRs