Slashdot Mirror


Verizon Changing Users Router Passwords

Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

20 of 545 comments

  1. uhhh by buddyglass · · Score: 5, Insightful

    Maybe they were able to access your router because the password was still password1 ?

    1. Re:uhhh by cosm · · Score: 5, Insightful

      End of thread. No further comments are necessary.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    2. Re:uhhh by complacence · · Score: 5, Insightful

      What are you all on about? He said he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

      If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

      Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

      Why is there an open forced access port/back door?
      Is that ok without telling the owner?
      What security is in place that entities besides Verizon can't access it?

    3. Re:uhhh by gparent · · Score: 5, Insightful

      If they can access the router when administrative access is disabled, what makes you think they cannot bypass the password system anyway?

    4. Re:uhhh by harlows_monkeys · · Score: 5, Insightful

      A UK citizen who used a similar backdoor (typed the default password) to get into a US computer is now being raked-over-the-coals and threatened with exportation & 20 years imprisonment by the current administration. If it wasn't okay for him to enter a privately-owned computer, why is it okay for Verizon to enter a privately-owned router?

      Did Verizon leave threatening messages promising continued disruption? Did Verizon attempt to conceal their activity by deleting log files? Was Verizon attempting to gain access to the user's private data?

      The answer to all of these is "no", making this totally different from the McKinnon case. (And these are just the things McKinnon admits to. He's alleged to have been much more destructive).

      Also, the router is connected to Verizon's network, and was set up by Verizon for the customer. Even if the customer owns the router, it is quite likely there is a contract between the customer and Verizon allowing them to access it for administrative purposes. Did McKinnon have a contract with the owners of the 96 or so computers he hacked? Were they on a network he owned and using a service he provided?

    5. Re:uhhh by Roger+W+Moore · · Score: 5, Insightful

      He said he disabled administrative access from outside.

      Given the level of competence he has displayed I frankly suspect that he failed to do that correctly or, if he did, he probably ended up blocking access from outside the ISP subnet.

      Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere.

      He probably did - there is usually some clause somewhere where you agree to let them take action to prevent security breaches or some such. Failing that there is always a clause which lets them disconnect incorrectly configured hardware which poses a risk to the network which this arguably does. So would you advocate disconnecting the router and sending a letter that customers have to reconfigure the default password before it will be allowed to reconnect? It's hard to see how anyone can complain about their actions. There is no private data stored on the router nor did they change any setting beyond the minimum needed to secure it. This is the sort of thing that a sysadmin does for you and that people usually say "thank you" for.

    6. Re:uhhh by Anti_Climax · · Score: 5, Informative

      What are you all on about? He said he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

      Administrative access was not used for this. His Actiontec, along with most other telco-distributed CPEs, uses the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.

      If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

      Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. See Pharming.

      Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

      Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.

      Why is there an open forced access port/back door?

      There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.

      Is that ok without telling the owner?

      Are we that sure it wasn't in that contract he signed?

      What security is in place that entities besides Verizon can't access it?

      A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.

      --
      Even people that believe in pre-destiny look both ways before crossing the street.
    7. Re:uhhh by luca · · Score: 5, Informative

      What are you all on about? He said he disabled administrative access from outside.

      He disabled the user visible administrative interface.

      Google for tr69 and you'll be enlightened.

      In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.

    8. Re:uhhh by Anonymous Coward · · Score: 5, Funny

      and thank you Verizon for stopping by and diddling my wife, I was previously unaware of how unsatisfied she was.

    9. Re:uhhh by surferx0 · · Score: 5, Informative

      I purchased a combination lock for my front door three years ago. Today, I saw a note on my kitchen table from the locksmith. It said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."

      Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?

      Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.

  2. Then change your password by Anonymous Coward · · Score: 5, Insightful

    Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.

  3. Easier way to find out new password by spartacus_prime · · Score: 5, Funny

    <Cthon98> hey, if you type in your pw, it will show as stars
    <Cthon98> ********* see!
    <AzureDiamond> hunter2
    <AzureDiamond> doesnt look like stars to me
    <Cthon98> <AzureDiamond> *******
    <Cthon98> thats what I see
    <AzureDiamond> oh, really?
    <Cthon98> Absolutely
    <AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    <AzureDiamond> haha, does that look funny to you?
    <Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    <AzureDiamond> thats neat, I didnt know IRC did that
    <Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    <AzureDiamond> awesome!
    <AzureDiamond> wait, how do you know my pw?
    <Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    <AzureDiamond> oh, ok.

    --
    If you can read this, it means that I bothered to log in.
  4. This is News for Nerds, Stuff That Matters?!? by djlowe · · Score: 5, Insightful

    Hi,

    I checked and it actually had been changed.

    OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?

    I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!

    No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.

    I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

    I imagine they at least understand the importance of password security, where you apparently did not.

    You're not a nerd, this isn't news that matters... slow day, Timothy?

    Regards,

    dj

  5. Re:Perhaps a little cheese with that whine? by thestuckmud · · Score: 5, Informative

    My provider allows third party modems. Absent a conspiracy between manufacturers and providers, there is no way they can force updates on my equipment.

    You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.

  6. Erm.... TR-069, anyone? by jimicus · · Score: 5, Informative

    AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.

    This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.

    I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
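Added example (not part of the original thread or any poster's code): a small audit of the management settings a CPE reports in a TR-069 Inform, the SOAP message it sends when it initiates a session with its configuration server (ACS). The envelope is constructed, the parameter names are assumed to follow the TR-098 `InternetGatewayDevice` data model, and tying the story's port 4567 to the connection-request URL is an assumption for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a trimmed CWMP Inform as a CPE would POST it to its ACS.
# Serial, hosts and values are made up; port 4567 is the one from the story.
SAMPLE_INFORM = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <SerialNumber>CONSTRUCTED0001</SerialNumber>
      </DeviceId>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.URL</Name>
          <Value>http://acs.example.net/cwmp</Value>
        </ParameterValueStruct>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
          <Value>http://203.0.113.10:4567/</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>"""

PREFIX = "InternetGatewayDevice.ManagementServer."  # assumed TR-098 naming

def audit_inform(xml_text):
    """Return (serial, params, findings) for one Inform envelope."""
    root = ET.fromstring(xml_text)
    serial = root.findtext(".//DeviceId/SerialNumber")
    params = {}
    for p in root.iter("ParameterValueStruct"):
        params[p.findtext("Name")] = p.findtext("Value")
    findings = []
    acs = urlsplit(params.get(PREFIX + "URL", ""))
    if acs.scheme != "https":
        findings.append("ACS URL is not HTTPS: session can be read or altered in transit")
    cr = urlsplit(params.get(PREFIX + "ConnectionRequestURL", ""))
    if cr.port:
        findings.append(f"CPE listens for connection requests on WAN port {cr.port}")
    return serial, params, findings

if __name__ == "__main__":
    serial, _, findings = audit_inform(SAMPLE_INFORM)
    print(serial, *findings, sep="\n")
```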

  7. Re:Ummm...try changing the password! by fuzzyfuzzyfungus · · Score: 5, Insightful

    There is no particular reason to suspect that changing the password would alter their level of access.

    On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe (and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.

    We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.

  8. How to disable the backdoor by duppyconqueror · · Score: 5, Informative

    http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.

  9. They were kinder than you deserved by SuperKendall · · Score: 5, Funny

    After three years, they changed the password to something you could easily find just by looking at the device.

    I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.

    Verizon deserves a medal for restraint on this one.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Re:unauthorized access is unauthorized by whoever57 · · Score: 5, Informative

    No, they entered a router which they lease to him with the intention of making their network more secure

    What part of "I own the router, not them" do you not understand?

    That goes for you too, mods!

    I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.

    --
    The real "Libtards" are the Libertarians!
  11. Re:Ummm...try changing the password! by fuzzyfuzzyfungus · · Score: 5, Insightful

    I don't have access to one of these routers to check; but googling around for "port 4567 verizon" returns all sorts of hits, the gist of which is that this "feature" is on by default and cannot be turned off. In what I imagine is an oversight on Verizon's part, it is apparently possible to set a firewall rule that blocks that port, which is the closest you can get to disabling it in the default firmware.

    As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see (and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.

    In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing; it isn't exactly tinfoil-hat territory to postulate that it might be used for market research (number of devices/household, manufacturers, determined by MAC, of those devices, etc.)

    I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection (and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers (especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic Linux hacking chops who either downloads and disassembles the firmware, or snags a used router on eBay, or signs up and investigates his own router (and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening)). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem; but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.