Verizon Changing Users' Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funnily enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
There is no particular reason to suspect that changing the password would alter their level of access.
On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe (and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.
We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
I don't have access to one of these routers to check; but googling around for "port 4567 verizon" returns all sorts of hits, the gist of which is that this "feature" is on by default and cannot be turned off. In what I imagine is an oversight on Verizon's part, it is apparently possible to set a firewall rule that blocks that port, which is the closest you can get to disabling it in the default firmware.
As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see (and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.
In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing, it isn't exactly tinfoil-hat territory to postulate that it might be used for market research (number of devices/household, manufacturers of those devices as determined by MAC, etc.).
I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection (and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers (especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic Linux hacking chops who either downloads and disassembles the firmware, or snags a used router on eBay, or signs up and investigates his own router (and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening)). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem, but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.
Not taking sides here, but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application, which works with TR-69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like, but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OK'd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to Google TR-098, which is the Internet Gateway Device specification within TR-069:
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscriber's device. I.e., subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
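The TR-069 (CWMP) exchange the post above describes, written out as an added example that is not part of the original thread and not Motive's, Actiontec's or Verizon's code: the CPE (the router) sends a SOAP Inform to the ACS over HTTPS, the ACS answers with InformResponse, and the ACS can then push a SetParameterValues to reconfigure the device. Everything here is built and parsed offline with the standard library; the device identity, OUI, serial number and parameter values are constructed sample data, the ACS address 192.0.2.10 is a documentation address, and mapping the post's port 4567 to the TR-069 connection-request listener is an assumption for illustration only. The parameter names used are from the TR-069/TR-098 ManagementServer and DeviceInfo objects; which parameter an ISP would actually write to reset an admin password is not something the post specifies, so the example flags writes under ManagementServer as the sensitive class to watch for.

```python
"""Toy model of a TR-069 (CWMP) session: CPE Inform -> ACS InformResponse ->
ACS SetParameterValues. Builds and parses the SOAP envelopes in memory so a
reader can see what passes over that initial HTTPS session. Constructed sample
data throughout; no device or ACS is contacted."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"
NS = {"soap": SOAP_ENV, "cwmp": CWMP}
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("cwmp", CWMP)

# Writes under this object change who the CPE talks to and with what credentials.
MANAGEMENT_PREFIX = "InternetGatewayDevice.ManagementServer."


def _envelope():
    """Return (Envelope, Body) with a cwmp:ID header, as CWMP messages carry."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    ET.SubElement(hdr, f"{{{CWMP}}}ID").text = "1"
    return env, ET.SubElement(env, f"{{{SOAP_ENV}}}Body")


def _add_param_list(parent, params):
    """Append a ParameterList of ParameterValueStruct entries (CWMP layout)."""
    pl = ET.SubElement(parent, "ParameterList")
    for name, val in params.items():
        p = ET.SubElement(pl, "ParameterValueStruct")
        ET.SubElement(p, "Name").text = name
        ET.SubElement(p, "Value").text = val


def build_inform(manufacturer, oui, product_class, serial, events, params):
    """CPE side: the Inform sent on boot/value-change, carrying DeviceId."""
    env, body = _envelope()
    inform = ET.SubElement(body, f"{{{CWMP}}}Inform")
    dev = ET.SubElement(inform, "DeviceId")
    for tag, val in (("Manufacturer", manufacturer), ("OUI", oui),
                     ("ProductClass", product_class), ("SerialNumber", serial)):
        ET.SubElement(dev, tag).text = val
    ev = ET.SubElement(inform, "Event")
    for code in events:                       # e.g. "1 BOOT", "4 VALUE CHANGE"
        s = ET.SubElement(ev, "EventStruct")
        ET.SubElement(s, "EventCode").text = code
        ET.SubElement(s, "CommandKey").text = ""
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    _add_param_list(inform, params)
    return ET.tostring(env, encoding="unicode")


def parse_inform(xml_text):
    """ACS side: pull identity, event codes and reported parameters out."""
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a CWMP Inform")
    dev = inform.find("DeviceId")
    return {
        "serial": dev.findtext("SerialNumber"),
        "oui": dev.findtext("OUI"),
        "events": [e.findtext("EventCode") for e in inform.iterfind("Event/EventStruct")],
        "params": {p.findtext("Name"): p.findtext("Value")
                   for p in inform.iterfind("ParameterList/ParameterValueStruct")},
    }


def build_inform_response():
    """ACS side: acknowledge the Inform; MaxEnvelopes is always 1 in practice."""
    env, body = _envelope()
    resp = ET.SubElement(body, f"{{{CWMP}}}InformResponse")
    ET.SubElement(resp, "MaxEnvelopes").text = "1"
    return ET.tostring(env, encoding="unicode")


def parse_inform_response(xml_text):
    root = ET.fromstring(xml_text)
    return int(root.findtext("soap:Body/cwmp:InformResponse/MaxEnvelopes", namespaces=NS))


def build_set_parameter_values(params, parameter_key="constructed-key-1"):
    """ACS side: the RPC that rewrites configuration on the CPE."""
    env, body = _envelope()
    spv = ET.SubElement(body, f"{{{CWMP}}}SetParameterValues")
    _add_param_list(spv, params)
    ET.SubElement(spv, "ParameterKey").text = parameter_key
    return ET.tostring(env, encoding="unicode")


def parse_set_parameter_values(xml_text):
    """CPE side (or an observer on the line): what the ACS asked to change."""
    root = ET.fromstring(xml_text)
    spv = root.find("soap:Body/cwmp:SetParameterValues", NS)
    if spv is None:
        raise ValueError("not a CWMP SetParameterValues")
    return {p.findtext("Name"): p.findtext("Value")
            for p in spv.iterfind("ParameterList/ParameterValueStruct")}


def flag_sensitive_writes(params):
    """Names under ManagementServer: ACS URL, credentials, inform schedule."""
    return sorted(n for n in params if n.startswith(MANAGEMENT_PREFIX))


def run_session():
    """Walk one constructed session and return what each side saw."""
    inform_xml = build_inform(
        manufacturer="ExampleVendor", oui="001122",               # constructed
        product_class="ExampleGateway", serial="CONSTRUCTED-SN-0001",
        events=["1 BOOT", "4 VALUE CHANGE"],
        params={
            "InternetGatewayDevice.DeviceInfo.SoftwareVersion": "1.0-example",
            # Assumed: port 4567 as the CPE's connection-request listener.
            "InternetGatewayDevice.ManagementServer.ConnectionRequestURL":
                "http://192.0.2.10:4567/",
        })
    acs_view = parse_inform(inform_xml)
    max_env = parse_inform_response(build_inform_response())
    spv_xml = build_set_parameter_values({
        "InternetGatewayDevice.ManagementServer.PeriodicInformInterval": "86400",
        "InternetGatewayDevice.ManagementServer.ConnectionRequestPassword":
            "constructed-new-secret",
    })
    applied = parse_set_parameter_values(spv_xml)
    return {"acs_view": acs_view, "max_envelopes": max_env,
            "applied": applied, "sensitive": flag_sensitive_writes(applied)}


if __name__ == "__main__":
    for k, v in run_session().items():
        print(k, "->", v)
```

The useful defensive takeaway is the last step: if you can capture that brief HTTPS session on the line side (the post's suggestion) and terminate or decrypt it on a device you control, `parse_set_parameter_values` plus `flag_sensitive_writes` is the shape of the check that tells you whether the ACS is merely adjusting the inform schedule or rewriting credentials and the management URL.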