Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon Changing Users Router Passwords

Posted by timothy on from the has-this-happened-to-you? dept.

Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

10 of 545 comments (clear)

  1. uhhh by buddyglass · · Score: 5, Insightful

    Maybe they were able to access your router because the password was still password1 ?

    1. Re:uhhh by cosm · · Score: 5, Insightful

      End of thread. No further comments are necessary.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    2. Re:uhhh by complacence · · Score: 5, Insightful

      What are you all on about? He said he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

      If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

      Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

      Why is there an open forced access port/back door?
      Is that ok without telling the owner?
      What security is in place that entities besides Verizon can't access it?

    3. Re:uhhh by gparent · · Score: 5, Insightful

      If they can access the router when administrative access is disabled, what makes you think they cannot bypass the password system anyway?

    4. Re:uhhh by harlows_monkeys · · Score: 5, Insightful

      A UK citizen who used a similar backdoor (typed the default password) to get into a US computer is now being raked-over-the-coals and threatened with exportation & 20 years imprisonment by the current administration. If it wasn't okay for him to enter a privately-owned computer, why it is okay for Verizon to enter a privately-owned router?

      Did Verizon leave threatening messages promising continued disruption? Did Verizon attempt to conceal their activity by deleting log files? Was Verizon attempting to gain access to the user's private data?

      The answer to all of these is "no", making this totally different from the McKinnon case. (And these are just the things McKinnon admits to. He's alleged to have been much more destructive).

      Also, the router is connected to Verizon's network, and was set up by Verizon for the customer. Even if the customer owns the router, it is is quite likely there is a contract between the customer and Verizon allowing them to access it for administrative purposes. Did McKinnon have a contract with the owners of the 96 or so computers he hacked? Were they on a network he owned and using a service he provided?

    5. Re:uhhh by Roger+W+Moore · · Score: 5, Insightful

      He said [slashdot.org] he disabled administrative access from outside.

      Given the level of competence he has displayed I frankly suspect that he failed to do that correctly or, if he did, he probably ended up blocking access from outside the ISP subnet.

      Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere.

      He probably did - there is usually some clause somewhere where you agree to let them take action to prevent security breaches or some such. Failing that there is always a clause which lets them disconnect incorrectly configured hardware which poses a risk to the network which this arguably does. So would you advocate disconnecting the router and sending letter that customers have to reconfigure the default password before it will be allowed to reconnect? It's hard to see how anyone can complain about their actions. There is no private data stored on the router nor did they change any setting beyond the minimum needed to secure it. This is the sort of thing that a sysadmin does for you and that people usually say "thank you" for.

  2. Then change your password by Anonymous Coward · · Score: 5, Insightful

    Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.

  3. This is News for Nerds, Stuff That Matters?!? by djlowe · · Score: 5, Insightful
    Hi,

    I checked and it actually had been changed.

    OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?

    I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!

    No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.

    I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

    I imagine they at least understand the importance of password security, where you apparently did not.

    You're not a nerd, this isn't news that matters... slow day, Timothy?

    Regards,

    dj

  4. Re:Ummm...try changing the password! by fuzzyfuzzyfungus · · Score: 5, Insightful

    There is no particular reason to suspect that changing the password would alter their level of access.

    On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe(and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.

    We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.

  5. Re:Ummm...try changing the password! by fuzzyfuzzyfungus · · Score: 5, Insightful

    I don't have access to one of these routers to check; but googling around for "port 4567 verizon" returns all sorts of hits, the gist of which is that this "feature" is on by default and cannot be turned off. In what I imagine is an oversight on Verizon's part, it is apparently possible to set a firewall rule that blocks that port, which is the closest you can get to disabling it in the default firmware.

    As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see(and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.

    In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing; it isn't exactly tinfoil-hat territory to postulate that it might be used for market research(number of devices/household, manufacturers, determined by MAC, of those devices, etc.)

    I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection(and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers(especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic linux hacking chops who either downloads and disassembles the firmware, or snags a used router on ebay, or signs up and investigates his own router(and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem; but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.