Slashdot Mirror
Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Maybe they were able to access your router because the password was still password1 ?
Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
You had kept your password as password1, yet are complaining about Verizon being able to change your password?
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
Lazy Fuck receives router with password set to password1
Lazy Fuck doesn't change it for THREE fucking years
ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
ISP Emails Lazy Fuck with new password
ISP changes password so Lazy Fuck doesn't get wtfpwn3d
Lazy Fuck whines like a petulant little schoolgirl
How did this retard even find slashdot, let alone create an account and post?
lazy fuck could be lit on fire next to a pool and he'd burn to death.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
If you can read this, it means that I bothered to log in.
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
All I see is:
if you were first instead of *********, you would not have had any trouble. I had lots of trouble deciphering the summary, though...
You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
There is no particular reason to suspect that changing the password would alter their level of access.
On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe(and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.
We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.
http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
After three years, they changed the password to something you could easily find just by looking at the device.
I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.
Verizon deserves a medal for restraint on this one.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What part of "I own the router, not them" do you not understand?
That goes for you too, mods!
I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.
The real "Libtards" are the Libertarians!
I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
The "regulated monopoly" of the phone lines was actually a huge success story for the United States. While we were building a coast-to-coast, 100% compatible and interoperable, relatively inexpensive telephone system, most other countries that had competition in that market ended up with multiple incompatible systems. In many cases you could not call your neighbor down the street, because he was on a different phone system that didn't play nice with yours. There were huge redundant mazes of wires overhead, belonging to different companies and systems, and completely incompatible switching systems. Often they operated at very different voltages and current.
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
I don't have access to one of these routers to check; but googling around for "port 4567 verizon" returns all sorts of hits, the gist of which is that this "feature" is on by default and cannot be turned off. In what I imagine is an oversight on Verizon's part, it is apparently possible to set a firewall rule that blocks that port, which is the closest you can get to disabling it in the default firmware.
As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see(and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.
In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing; it isn't exactly tinfoil-hat territory to postulate that it might be used for market research(number of devices/household, manufacturers, determined by MAC, of those devices, etc.)
I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection(and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers(especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic linux hacking chops who either downloads and disassembles the firmware, or snags a used router on ebay, or signs up and investigates his own router(and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem; but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.