Slashdot Mirror
Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
I am becoming gerund, destroyer of verbs.
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Your hair look like poop, Bob! - Wanker.
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
It doesnt matter what his password was, they broke into his router illegally
Lazy Fuck receives router with password set to password1
Lazy Fuck doesn't change it for THREE fucking years
ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
ISP Emails Lazy Fuck with new password
ISP changes password so Lazy Fuck doesn't get wtfpwn3d
Lazy Fuck whines like a petulant little schoolgirl
How did this retard even find slashdot, let alone create an account and post?
lazy fuck could be lit on fire next to a pool and he'd burn to death.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
It's because the router is Verizon property and they probably have access to it no matter what your password is?
Actually, I've never used FiOS but I've always assumed that the routers remained property of Verizon, same as the set-top-boxes for television do. If someone can prove this, one way or another, I'd like to know.
P.S., on another note, has anyone tried to port a free router distro to the Westell 9100EM routers specially made for Verizon as FiOS routers and MoCA gateways. It seems Westell released the Linux-based firmware source which, although I've not looked at it, is probably the same Linux firmware that Verizon ships these things with, except without Verizon's branding and webapp look-n'-feel. I'm surprised that no-one has tried to port another Linux distro to it, but I guess that if Verizon owns the routers, the customers with the know-how won't bother trying.
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
If you can read this, it means that I bothered to log in.
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
All I see is:
if you were first instead of *********, you would not have had any trouble. I had lots of trouble deciphering the summary, though...
At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).
The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!
Most routers do not allow remote administration unless you specifically enable it. If it was disabled; he shouldn't have a problem with a bad password. The router "shouldn't" allow anyone to log in remotely.
Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
-SaNo
Comcast and AT&T have access to routers that they supplied as well. This isn't limited to Verizon.
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
Wait a minute... Giligan's Island is on Hulu?! Awesome! Best... Thread... Ever...
http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
In other words it's part of the ISP-Owned CPE. This is typical of customers purchasing leased line services.
And the OP naively assumed that the equipment being in their house automatically transferred legal ownership of it?
The ISP usually owns the router, and everything after the Telco demarcation up to the customer's cable, which is referred to as "CPE" (Customer-Premises Equipment)
This is useful to the ISP for various reasons, it can assist with troubleshooting. It can enable the ISP to implement end-to-end QoS, and implement traffic engineering / access restrictions (such as spoof prevention or anti-malware port 25 blocking), before the packet even goes to the ISP's distribution/aggregation router.
After three years, they changed the password to something you could easily find just by looking at the device.
I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.
Verizon deserves a medal for restraint on this one.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Then you're to blame threefold: 1) By your own admission, you let a noob stand in for you: If you'd cared to have it done correctly, you should have scheduled the installation around your availability so as to ensure that it met your requirements. 2) You apparently didn't do anything to correct matters afterwards, despite the fact that it wasn't to your satisfaction, and 3) Now you're whining about it on Slashdot.
Fourfold, if you expected anything other than what happened... and fivefold, if you expect to get any sympathy here for it.
I know it's harsh, but Timothy should never have accepted your submission. IMO, he threw you under the bus, and I am sorry for that.
My advice? First, change the password on your router, ASAP. Secondly, call Verizon, and inquire about changing from coax to Ethernet. Worst case they can't/won't, but you'll at least know.
Regards,
dj
That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...
Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...
Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.
So rest assured that what they did has actually increased the security of your network and has left no gaping hole in it's place.
Even people that believe in pre-destiny look both ways before crossing the street.
am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.
He owns the router, they don't. He doesn't lease it.
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
Every ActionTec router from Verizon that i've encountered (a dozen or so) had remote administrative access disabled by default.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
1) Leasing routers happens, especially if it's a modem-router, which is becoming more and more common.
2) Even if you own your modem, as a condition of service the telcos will typically insist on enough control of your equipment to manage "their side" of the connection. The same goes for cable-tv and cable-internet providers who let you use your own modems and cable boxes.
As far as #2 goes though, they typically "enforce" it by simply blackholing any device which doesn't give them the control they need. If you want your device to work you get to choose whether to keep being their customer on their terms or look for service elsewhere.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
if you had changed the password yourself, this wouldn't have happened.
I like how the fourth, fifth, tenth, whatever, redundant post saying this same sentiment STILL gets modded insightful. You know, mods, we DO have a '-1 Redundant' mod.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
Good job using so much caps dude. Calm down. Yelling doesn't make you look good. There's two ways to look at this:
- Verizon is doing people a favor by securing their routers a little more
- Verizon has a backdoor
FYI the option to backdoor isn't set by the tech per-se. The tech runs a program that executes several scripts. Whether the default firmware for these devices has this option on by default OR if the script does it I am not sure of. But it's normal practice for them to have this setup as is. The issue at hand is that they have a way back into your router. My guess is that, for the most part, it's there for maintenance, status checking (i.e. do you have an actual internet connection) or password resetting if the user forgets it. POSSIBLY for data monitoring, but I'm not going to say that's true, nor am I going to rule it out.
But Jesus, next time don't use such harsh words. Try thinking first.
Pancakes. Oh I blew it.
For reference port 4567 is listening on the OUTSIDE interface...the side that faces the internet. This came to my attention some time ago when I decided to switch from Comcast to Verizon. I did a tad bit of research when I was in between jobs and kept a blog on my adventures with port 4567....that CAN'T BE DISABLED. There are ways to keep verizon from spying on you and illegally entering your computer network. My blog posts are here: http://robot5five.blogspot.com/2009_07_01_archive.html Cracking the password hash was trivial, although it took me a little time until I found several other folks had already done it.
You didn't specify which password Verizon supposedly changed, but from the context in your message I'm guessing it was your router's administrative password.
Ownership shouldn't matter. Knowledge of your router's administrative password does matter. If you were too lazy or clueless to change that password before the tech who installed it got to his/her truck, you got better than you deserved. You should go immediately to your email program and write a nice thank you note to Verizon for doing a security sweep for a WiFi router administrative password vulnerability recently (2010-7-21) announced (by Seismic) on behalf of its customers. In particular danger are routers with no administrative password set (or ones set to known values used by technicians installing routers, like "password1"). A complete fix for this vulnerability will require firmware updates to the affected routers. But, making sure you have a strong administrative password activated is a good stop-gap measure. And, given the timing, I would bet this stop-gap protection is what Verizon was trying to provide for its customers.
One "Aw, Shit!" is worth 100 "Ata boys!"
1) Since it's 'your' router, maybe you should have secured it better, I bet you didn't even know its password. They actually did you a favor, this is the same logic as hackers hacking into systems to discover their security holes. 2) I'd really like to see most of the Verizon FIOS customers configure 'their' Verizon FIOS router. Please quit whining, and be thankful they changed the default password instead of some cracker changing the router's DNS settings and ruined your life.
TOP DSLR Cameras Reviews of the top DSLRs
Mmm. I suggest working out in the call center trenches for a few months before you call anything a tier 1 agent does a "power trip."
On the other hand, good for you, with your router.
I don't believe in time. It's a grand conspiracy designed to sell watches.