Slashdot Mirror
Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
I am becoming gerund, destroyer of verbs.
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Your hair look like poop, Bob! - Wanker.
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
Lazy Fuck receives router with password set to password1
Lazy Fuck doesn't change it for THREE fucking years
ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
ISP Emails Lazy Fuck with new password
ISP changes password so Lazy Fuck doesn't get wtfpwn3d
Lazy Fuck whines like a petulant little schoolgirl
How did this retard even find slashdot, let alone create an account and post?
lazy fuck could be lit on fire next to a pool and he'd burn to death.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
If you can read this, it means that I bothered to log in.
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
All I see is:
if you were first instead of *********, you would not have had any trouble. I had lots of trouble deciphering the summary, though...
At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).
The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
Yes, I do. And have. However, if an update borks my connection, I'm shit out of luck as far as support from them is concerned. (I made a point of looking at my TOS when I did the update to make sure they couldn't kick me off for doing it).
"This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
After three years, they changed the password to something you could easily find just by looking at the device.
I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.
Verizon deserves a medal for restraint on this one.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What part of "I own the router, not them" do you not understand?
That goes for you too, mods!
I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.
The real "Libtards" are the Libertarians!
am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.
He owns the router, they don't. He doesn't lease it.
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
Every ActionTec router from Verizon that i've encountered (a dozen or so) had remote administrative access disabled by default.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
For reference port 4567 is listening on the OUTSIDE interface...the side that faces the internet. This came to my attention some time ago when I decided to switch from Comcast to Verizon. I did a tad bit of research when I was in between jobs and kept a blog on my adventures with port 4567....that CAN'T BE DISABLED. There are ways to keep verizon from spying on you and illegally entering your computer network. My blog posts are here: http://robot5five.blogspot.com/2009_07_01_archive.html Cracking the password hash was trivial, although it took me a little time until I found several other folks had already done it.
He does have a problem with a bad password, there are some fairly clever javascript attacks that target exactly this situation, remote admin disabled and all.
The web browser is tricked to connect to a default router address (like 10.0.0.1) with a default login (admin/password1) and changes whatever settings it wants, perhaps just opening remote administration. Because the connection to the router comes from the local PC this isn't "remote" administration. There are few enough possible combinations that you can brute force the default login really easily and enough people with default set ups to make it very worth while.
If Verizon has all of their customers with the same router, the same network setup and the same password... it would be negligent not to do everything they could to help protect their customers.