Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australia's Biggest Telco Sold Routers With Hardcoded Passwords

Posted by Unknown on from the who-released-the-debug-build dept.

mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

123 of 154 comments (clear)

  1. Comcast routers by onix · · Score: 5, Informative

    Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

    1. Re:Comcast routers by Anonymous Coward · · Score: 3, Informative

      All of them using the exact same SSID and WPA (hardcoded) or each device has it's unique SSID and WPA hardcoded, big diff there.

    2. Re:Comcast routers by __aaltlg1547 · · Score: 4, Insightful

      Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

      That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

    3. Re:Comcast routers by ppanon · · Score: 3, Interesting

      You think that a company that is going to hardcode the SSID/WPA password into firmware updates (instead of keeping your current settings) would go to the trouble of customizing a different firmware file for each user so that they can get a high security hardcoded default? Really?

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    4. Re:Comcast routers by DarwinSurvivor · · Score: 2

      Shaw does.

    5. Re:Comcast routers by green1 · · Score: 2

      Most residential broadband routers are factory configured with their own unique SSID/WPA key, this information is typed on the sticker on the bottom of the router, and is more or less unique to that specific router. Some companies have a habit of resetting everything to factory defaults when they do firmware upgrades, hence wiping out any custom SSID/WPA key and resetting to the one printed on the bottom of the device.

      Personally I recommend to most customers that if they aren't comfortable messing with the settings on the router on a regular basis they are much better off just using the ones printed on the router. They're mostly as secure as your own settings, and you don't have to worry about what happens if the thing gets reset. It also has the added bonus that when they forget it (and yes, people do regularly forget the ones they set themselves) it is printed right on the bottom of the device.

    6. Re:Comcast routers by wvmarle · · Score: 1

      Average security-illiterate consumer that just wants stuff to work: "I want to connect to my WiFi. Let's check the manual... oh that's network 'mycomcastrouter' and key 'mycomcastkey' as written on a sticker on the bottom of the device. That's easy." Selects network, enters key, connects to his WiFi router, and is happy.

      Note the absence of the "sets up a WiFi password" in the above sequence.

    7. Re:Comcast routers by WaffleMonster · · Score: 4, Interesting

      No one serious about security would use Comcast anyway.

      Like your choice of ISP magically changes the reality of Internet being a fully untrusted and untrustworthy network.

      Always assume your pipe is compromised and use end-to-end security if you care about the confidentiality and integrity of any data you transmit over the Internet.

      I don't know anyone in the tech field that uses them

      LOL I know of many network engineers who work for first and second tier operators who use comcast at home.

      CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable

      YMMV... my pings are about 30ms to google and 20ms when using comcast as a WAN link to our corporate office.

      like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.

      These comments are pointless. If you look for it there will always be someone saying megaco x is horrible because y happened or megaco a is great because b happened. Our personal experiences mean squat. You would be on better footing by citing the results of a customer satisfaction survey.

    8. Re:Comcast routers by Drakonblayde · · Score: 5, Insightful

      Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).

    9. Re:Comcast routers by ziggit · · Score: 1

      It seems to be a regional thing. I've heard of people getting fantastic results from Comcast, while CenturyLink in my home town is so shoddy, you're almost better off using something like a MiFi (And I hate using those with a burning passion).

    10. Re:Comcast routers by Wandering+Voice · · Score: 1

      Yes Century Link cares, only as far as receiving your payment, however. I had Qwest when I first moved into Denver area. A month later, Century Link took over and disregarded the install payment plan we had arranged with Qwest, and received a disconnection notice as our first contact from Century Link.

      I made a payment with the credit card over the phone for $100, and said I can pay the other $30 with my next bill. OK says the CSR, and 10 days later my net and phone are disconnected. Finally finding a payphone, I call and am told that that there was no payment plan agreement and if there was, $100 paid and $30 next cycle is not acceptable, and service will not return until it is paid in full. They also said that phone service should not have been interrupted, but I guess that may have been due to the telco box on my building missing its cover and having a trash bag taped on with electrical tape, which facing west into the wind, the bag is shredded, leaving all wires exposed. A year later, and the box is still vulnerable. Oh, and I am with Comcast now, and have refused to pay Century Link another dime. I'll take the hit on my credit score.

    11. Re:Comcast routers by mattr · · Score: 1

      Wonder why Comcast is not in trouble for hacking if they change the password you set yourself...

    12. Re:Comcast routers by r1348 · · Score: 1

      Funny, last week I updated the firmware of my Fritz!Box and it magically kept all the custom settings I made, including my wireless password...

    13. Re:Comcast routers by ardor · · Score: 1

      What if the router gets upgraded, but since you aren't using WiFi much (perhaps because you only enabled it for your someone else's laptop), you don't notice the SSID and WPA key got reset?

      --
      This sig does not contain any SCO code.
    14. Re:Comcast routers by L4t3r4lu5 · · Score: 1

      Unique != Secure. If the two are in any way related (Key = base 16 encoded SHA1 of SSID + salt, for example) then the key can be broken trivially.

      Basically, I don't trust you (the company) to not be lazy^Wcost-effective in your key generation procedure. There are numerous sites listing tables of default keys for brands of router, ripe for abuse. Those could only have been leaked by an insider (which means you've kept a copy of all of the keys, for some reason) or they weren't truly random, and therefore insecure.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    15. Re:Comcast routers by DNS-and-BIND · · Score: 1

      "Customer CPE"?

      Yeah, I believe you work at Comcast.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    16. Re:Comcast routers by redback · · Score: 1

      ATM Machine

    17. Re:Comcast routers by wvmarle · · Score: 1

      Yes; for the very fact that the user thinks the password protects them, while in reality it's not so much. More and more users these days are aware of the idea of password protecting wifi networks. Routers should simply require the user to set a password (or intentionally open up the network) on first installation - using some kind of setup tool and network cable.

    18. Re:Comcast routers by BrokenHalo · · Score: 1

      I have one of the devices referred to in TFA (since I now live out in the sticks and can't get anything better) and discovered this flaw straight away. Telstra supplies a unique SSID/WPA password on a printed card, but the device also has a generic username/password combo for its own login page.

      The good news here is that this login profile doesn't have sufficient privilege to change much in the way of settings, but it's an ugly situation nonetheless.

    19. Re:Comcast routers by Type44Q · · Score: 1

      Cradlepoint routers each have a unique password encoded in the firmware...

    20. Re:Comcast routers by AmiMoJo · · Score: 1

      That's why Sky did in the UK. Their routers generated the WPA key from the wifi MAC address and the SSID was hard coded, along with the customer's ADSL login details. Totally insecure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:Comcast routers by AmiMoJo · · Score: 1

      Most people don't ever change the password. As long as it is securely generated in the first place that isn't too much of a problem, except that Comcast engineers can probably access your internal network whenever they like.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:Comcast routers by bhmit1 · · Score: 1

      Hardcoded initial passwords should never be used for anything other than the first access to a device (after a reset) to configure it with the customers own password and settings. It should also not be usable from any public facing interfaces, but that's a side issue. This is no different from being given a temporary password and told to change it when you first login to a computer or web site.

      Leaving default passwords, even if they are unique per device, exposes the security risk that someone will discover those passwords. With unique passwords, all someone needs to find is the database or printing records used to create all those unique labels, or they can discover an algorithm used to generate the unique passwords. Once hacked, unique passwords provide only marginally better security than identical default passwords, but they create a bigger issue because of the false sense of security they have given users that assume they are secure.

    23. Re:Comcast routers by realityimpaired · · Score: 2

      More likely, they do what Bell Canada does, which is to have the firmware read the serial number and apply an algorithm to that in order to create the default SSID/key on each modem. On the 2Wire modems, the default SSID was always BELL{last 3 digits of s/n}. I never did figure out what the algorithm was for the default key, but it is different on every modem, and on the Sagemcom modems, it's a different algorithm to figure out the default SSID as well.

    24. Re:Comcast routers by jameshofo · · Score: 1

      Well I can't speak to Xfinity, but I know my FIOS router has a hardcoded _default_, but having the ability to change that in the UI does not make the wifi password/key itself hard coded. If you can change it through the software interface it is not by definition hard coded, and yes the article cites "unchangeable default logins".

      --
      Good leaders run toward problems, bad leaders hide from them.
    25. Re:Comcast routers by wed128 · · Score: 1

      Thats how *Comcast's shitty* hardware works.

      FTFY. There are better ways of doing things...

    26. Re:Comcast routers by geminidomino · · Score: 1

      Full disclosure: I am not an engineer Comcast, but a lowly technician. When a firmware update goes through, it resets defaults on everything. Thats how hardware works.

      Reason 0xF21C to never use Comcast as a provider.

    27. Re:Comcast routers by alexandre · · Score: 1

      Not mentionning that Bell forces people to rent a VDSL modem even when they are not their customer! :(

      This is what I've gathered from forums and verified from the latest modem they seem to be shipping for VDSL service:
      http://wiki.reseaulibre.ca/hardware/modem/vdsl/sagemcom/F__64__ST2864/

      If anyone manages to rip Bell's parallel connection from there it'd be nice, though I'm wondering why they are the only one managing the firmware upgrades (and the many backdoors!)

    28. Re:Comcast routers by X0563511 · · Score: 1

      Who says you have to explicitly code it in? It could be derived from the device's S/N or MACs.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    29. Re:Comcast routers by green1 · · Score: 1

      But can this login page be accessed from the WAN side of the device? if so, it's a serious security flaw. If not, it's not that big a deal as you likely already have physical access to the device anyway.

    30. Re:Comcast routers by green1 · · Score: 1

      Possibly, but not necessarily. I have yet to find any way of doing that for the devices we use (I'm not saying it isn't possible, but the searches I've done so far have come up blank)
      And if there is in fact no way to link the 2 (say that the SSID and WPA key truly are randomly generated separately) then how is this still a bad practice?

    31. Re:Comcast routers by bleh-of-the-huns · · Score: 1

      The hard coded default.. is not actually hard coded. The Actiontecs just use the mac address as the default password, and I believe the Serial number as the SSID (I forgot, I have not used it in years, I completely bypassed it with the use of a dlink MOCA adapter to my FBSD firewall.

      --
      I came, I conquered, I coredumped
    32. Re:Comcast routers by StuartHankins · · Score: 1

      If the wifi use is that occasional, why not just turn it off? Seems like just another security hole. Maybe you're using some combo device instead of a separate WAP. Still seems easier to just unplug the WAP when not in use.

    33. Re:Comcast routers by tlhIngan · · Score: 1

      Unique != Secure. If the two are in any way related (Key = base 16 encoded SHA1 of SSID + salt, for example) then the key can be broken trivially.

      Usually the default SSID is based on the WiFi MAC address, while the default password is based on the serial number of the device (which isn't broadcasted over the air, but which the ISP knows since they have to activate it). The serial number is typically the unique ID assigned to the WAN side port...

    34. Re:Comcast routers by cusco · · Score: 1

      In my neighborhood, only three miles from downtown Bellevue, Comcast was the ONLY high speed connection available until last year. When dealing with existing infrastructure in established neighborhoods you frequently don't have much choice.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    35. Re:Comcast routers by canadiannomad · · Score: 1

      No network setup tools... Just if the router isn't configured yet, the network should be "open" but force redirect any page request to the configuration wizard page (maybe with a default password or require serial number or something to prevent accidentally letting someone change settings who shouldn't). That should walk them through setting a password, selecting an SSID, setting a wireless password, and writing it down in the manual..... It isn't high security, but at least those that need that type of walk thru are given a viable option.

      --
      Hmm, the humour and sarcasm seem to have been be lost on you.
    36. Re:Comcast routers by cusco · · Score: 1

      Century Link **IS** Qwest. Some executive decided that changing the name would somehow magically improve revenues, so USWest became Qwest which became Century Link.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    37. Re:Comcast routers by cusco · · Score: 1

      You would be amazed at the number of SECURITY devices which don't even allow you to change the default password, cameras especially. As a policy we recommend to customers that they not purchase Camera X because of this reason, but if that's their company standard that's what we have to install. Even on those which allow password changes none of our competitors change them unless the customer specifically requests it (and not even then if they think the customer won't check). In 90 percent of cases when we have to work on a system that we didn't install we can just look up the default password, log in, and take over the device. Of all the IP security camera vendors, only Axis and Pelco seem to have any concept that a security camera should actually be secure.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    38. Re:Comcast routers by thegameiam · · Score: 1

      My complaint is that the comcast wireless router I was given doesn't let you disable the wireless! I have a much better Apple wireless router, and now this crummy one interferes with it. Grr...

      --
      Need Geek Rock? Try The Franchise!
    39. Re:Comcast routers by mk1004 · · Score: 1

      Actually, it should read "When you're deploying CPE..." CPE = Customer Premises Equipment. It's an acronym used by several telcos, not just Comcrap.

      --
      I can mend the break of day, heal a broken heart, and provide temporary relief to nymphomaniacs.
    40. Re:Comcast routers by BlueBlade · · Score: 1

      A firmware shipping with default settings isn't an example of hardcoded credentials. They're just default, not hardcoded. Hardcoded means that there are credentials that are inside the source code itself and they always work, no matter how the device is configured.

      By definition, if the credentials can be changed by simply configuring the device, they aren't hardcoded.

      --
      Religion is the best example of mass psychosis
  2. Easy fix by Artea · · Score: 2, Interesting

    Chances are this is the remote admin password for easy customer service. The devices are probably just rebranded Netgears or Belkins. Flash the firmware from the Vendor's support site, and clear off the Telstra "customer friendly" version of the firmware and this becomes a non-issue. I recall even manually adding a variable into the url enabled "advanced mode" to change this stuff without flashing the firmware.

    1. Re:Easy fix by Artea · · Score: 1

      After bothering to Read TFA, these are Netcomm mobile broadband modems. So disregard nearly everything except the vendor firmware bit I guess.

    2. Re:Easy fix by green1 · · Score: 1

      What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

    3. Re:Easy fix by WaffleMonster · · Score: 4, Insightful

      What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

      Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

      <A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>

    4. Re:Easy fix by kiddygrinder · · Score: 1

      it *looks* like (shitty article) that you can bypass unique wireless passwords with a default admin password.

      --
      This is a joke. I am joking. Joke joke joke.
    5. Re:Easy fix by Wandering+Voice · · Score: 2

      Reminds me of when a spam email went around in the late 90s or early 00s which informed people of a virus infection and if you had an AOL icon on your desktop, you were infected. Hahah. AOL was flooded that day with tech support calls from many who were not able to dial in. Post a similar threat warning on Facebook (fAOLbook?) and we'll have come nearly full circle again.

    6. Re:Easy fix by Hal_Porter · · Score: 1

      Hey! He read the TFA! We'll have to keep and eye on him and put a bullet in his brain when he turns

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    7. Re:Easy fix by green1 · · Score: 1

      That's not how I read the article at all, the way I read it was that if you were already connected to the wireless (or wired) network, you could log in to the router with a default password to be able to change the wireless settings. Which is a much less severe problem.

      Of course, as you point out, the article is awful, so there's no real way of telling which one of us is right, or even if we're both wrong and it's something completely different.

    8. Re:Easy fix by green1 · · Score: 1

      That's assuming that there is in fact also a way of passing dangerous information to the device by requesting a specific URL, And that you can even enter the username and password through the URL request as well. Sure, that would turn an almost non-issue in to a moderately bad exploit, but it also seems like a large stretch from what was listed.

  3. More the reason ... by lsllll · · Score: 2

    ... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

    --
    Is that a roll of dimes in your pocket or are you happy to see me?
    1. Re:More the reason ... by Cimexus · · Score: 3, Insightful

      Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

      Also, people should be avoiding Telstra as a matter of principle anyway :)

    2. Re:More the reason ... by Midnight+Thunder · · Score: 1

      ... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

      For the non-tech that's akin to doing brain surgery, so that changes nothing. For the average tech, downloading a precompiled firmware is still preferable in many cases. Having the source available will allow more eyes on it and the chance to improve it, but still an easy option to 'make firmware' and be done is appealing.

      --
      Jumpstart the tartan drive.
    3. Re:More the reason ... by mjwx · · Score: 3, Insightful

      Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

      This. Most ISP's including good ISP's like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).

      Also, people should be avoiding Telstra as a matter of principle anyway :)

      To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principal. However I'd happily avoid Telstra's other services.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  4. If you have a MAC... by Nutria · · Score: 1

    Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.

    WTF are these people thinking?

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:If you have a MAC... by crafty.munchkin · · Score: 5, Funny

      You should've seen the installation tech who came to install Bigpond Cable at our office. He needed a PC to activate it, I brought out my linux laptop - I've never seen anyone so confused. He asked for Internet Explorer, I told him he could have Firefox or Chrome. I think he nearly cried.

      --
      ... wait, what?
    2. Re:If you have a MAC... by DarwinSurvivor · · Score: 2

      We have a friend that works for HP, so we got him as our rep for maintaining our business line computer. We were having an issue and he decided the best thing would be to update the firmware (it was fairly out of date). That was when we both realized he had no idea how to do it from a non-windows computer. Turns out all you have to do to "reimage" an hp printer is *litterally* print the firmware file from any computer!

    3. Re:If you have a MAC... by green1 · · Score: 5, Interesting

      I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!

    4. Re:If you have a MAC... by SeaFox · · Score: 2

      Forget the platform restrictions. Since when does one need to "install" a piece of hardware that's supposed to function independently of a computer.

      Anytime I see instructions saying I need to install software for a router to work I mentally add "so we can install our spyware on your computer" to the step.

    5. Re:If you have a MAC... by wvmarle · · Score: 2

      The last few times I had Internet installed at either office or home, the tech always took their own laptop to set it up. So at least he has all the tools he needs at hand. I really don't understand that Bigpond Cable tech didn't carry his own laptop...

    6. Re:If you have a MAC... by Joe_Dragon · · Score: 1

      and you don't get a black mark for a no install?

    7. Re:If you have a MAC... by kiddygrinder · · Score: 1

      that is kinda ingeneous

      --
      This is a joke. I am joking. Joke joke joke.
    8. Re:If you have a MAC... by Maow · · Score: 1

      Those are *completely* absurd statements that indicate an *utter* lack of comprehension as to how computer and peripherals actually are and how they work.

      Besides being stupidly paranoid.

      Then explain why a router would need any software on a PC to make the router run?

      DHCP should be all that's needed, and it ought to be part of a base install of all systems out there.

    9. Re:If you have a MAC... by oobayly · · Score: 1

      Don't ascribe to malice ...

      One of our [self employed] brokers called me over to have a look at his laptop - BT (UK ISP) help centre wanted to update. Out of morbid curiousity I ran it. All it was was an program that launched a URL in Internet Explorer (not the default browser) and took you to their help website (no activex etc). What the fuck did it need to be updated for? All they needed to do is create a http shortcut on the desktop or start menu, but no, some dimwit decided they needed an executable to do the job. Probably because they got a splash screen.

    10. Re:If you have a MAC... by Neil+Boekend · · Score: 1

      Isn't that usually done with a simple webinterface?

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    11. Re:If you have a MAC... by SeaFox · · Score: 1

      They could.

      I know from personal experience that they generally are not good, and are more work than just telling the user how to access the web-based admin interface.
      Is there any reason this easy setup wizard couldn't be just part of the web admin? Nope.

    12. Re:If you have a MAC... by Nutria · · Score: 1

      You need to re-read the OP.

      The Windows-only software is needed to install updated router firmware. The firmware that comes factory-installed on the router doesn't need Windows.

      (That's still an incompetent updating method; other routers have had browser-based updating for 10 years.)

      --
      "I don't know, therefore Aliens" Wafflebox1
    13. Re:If you have a MAC... by crafty.munchkin · · Score: 1

      Well, that WAS an option, but I was hoping to actually complete the install, rather than have him crying in a corner and reporting it couldn't be done... ;)

      --
      ... wait, what?
    14. Re:If you have a MAC... by crafty.munchkin · · Score: 1

      You clearly haven't encountered Telstra, and all their incompetence.

      --
      ... wait, what?
    15. Re:If you have a MAC... by green1 · · Score: 1

      I think you misunderstood. It's not mandatory that I run some install CD or something like that, it's that the first time you try to access the internet your browser redirects you to a webpage that forces you to install software before it will let you access the internet. For non-windows machines it simply bypasses the software install because it's windows only software. but on windows machines it won't let you access the net unless the software fully installs.
      My ratings for installs are based on several factors. To get credit for doing the install I just have to say I'm done and fill out my time sheet, but I also get marked on whether the customer had to call back in within the first 7 days, and on a customer satisfaction survey done by phone the day after I complete the job, I also get one random job a month inspected by one of our quality inspectors.

      So no, I'm quite happy if their system doesn't support our software install. It means I'll likely get a better rating on the satisfaction survey, and it saves me time. It's win-win. I just wish I could convince our higher-ups that nobody actually wants that stupid software installed!

    16. Re:If you have a MAC... by cusco · · Score: 1

      Wow, I haven't seen anything like that since the late '90s. Don't know how many times I killed the 2mb USWest "mandatory" download (after which it would connect fine) on our 28.8 modem, before my wife logged in and let it complete.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    17. Re:If you have a MAC... by green1 · · Score: 1

      On our system, it's not just downloading it, you can't get online until it installs successfully and reports back that it did so. Or you can simply not run Windows (which is my preferred option anyway)
      On a side note, Android phones are a good way around this too (iphones and ipads can't even get far enough to "fail" though so you can't get online that way)

    18. Re:If you have a MAC... by ColdWetDog · · Score: 1

      However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works.

      Words fail me.

      --
      Faster! Faster! Faster would be better!
    19. Re:If you have a MAC... by green1 · · Score: 1

      I should clarify, only one device in the house needs to go through this process before everything has full internet access. so use your android phone first, and then your widows PC won't have to get the software.

    20. Re:If you have a MAC... by green1 · · Score: 1

      The failover part where it warns you and then lets you continue to a working connection is the one part that's done right. The alternative would be that it insists you somehow find a windows machine to install on when you don't want it.

      Of course I still think a better option would be allowing a connection from the start without forcing the software on anyone... but I don't get to make those decisions.

    21. Re:If you have a MAC... by green1 · · Score: 1

      A few reasons. First of all it would be a big violation of company policy, and could get me fired. Passive options like registering the user's Android phone before their windows desktop are one thing, but dragging in another device specifically to counteract company policy? That sounds like a recipe for getting fired.
      Beyond that, I don't believe I should have to use any personal equipment at work, any tools needed for my job are supplied by the company, I'd like to keep it that way.

      I don't always agree with company decisions, but they are my employer, there is only so much I can do to bypass their decisions without risking my job.

  5. Not surprised at all. by crafty.munchkin · · Score: 5, Interesting

    Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this for one of their latest privacy blunders...

    --
    ... wait, what?
    1. Re:Not surprised at all. by SirAdelaide · · Score: 1

      ...and for this reason, if someone chooses them as their ISP, then having a backdoor to their network probably IS necessary, as they are the type of person who will forget their password and lock themselves out of their router, and not be able to find the factory reset. Telstra were just being proactive in their service offering. For this same reason, noone that cares about security was affected.

      --
      I'm a fruit pirate. I bought a watermelon once, and spat the seeds in the back yard. They grew into another watermelon,
    2. Re:Not surprised at all. by mjwx · · Score: 3, Funny

      Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this for one of their latest privacy blunders...

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Not surprised at all. by crafty.munchkin · · Score: 1

      I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.

      --
      ... wait, what?
    4. Re:Not surprised at all. by tlhIngan · · Score: 2

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      Actually, in this case, it's probably the manufacturer of the router. Basically the ISP says "I want a modem+router for CPE (customer premises equipment), and I'll pay you $20 per unit". Yes, CPE is built down to a price because the ISP doesn't want to pay much for it. So shortcuts are always taken to meet the requirement - cheap processors barely able to keep up, low features, barely the minimum amount of RAM, etc. Which is why these routers will flop if you try to push any traffic more demanding that websurfing through them. No ISP cares about what it does - as long as it lets traffic through.

      The only way to get things properly done is get a modem only if you can, get it set to bridge mode if you can't (or supply your own if it's an option - this isn't necessarily the case). Use your own router, because the router they give you will be crap, and there's a reason why routers sell for $20 and $200.

    5. Re:Not surprised at all. by kiddygrinder · · Score: 1

      heh, their help desk is hilarious, had to get a dsl password reset, after 30 mins on the line to one of their staff from Papua New Guinea (i believe they actually give them english lessons to get them into the role) and them attempting to sms me the new randomised password 5 times and receiving nothing we were at an impasse. i gave up for the night, called back the next day to get one of their remaining australian staff, he reset the password and told me it over the phone and i was rolling. about a week later one of the sms came through with my new *email* password. efficient.

      --
      This is a joke. I am joking. Joke joke joke.
    6. Re:Not surprised at all. by mjwx · · Score: 1

      I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.

      Were they Telstra linesmen or contractor linesmen?

      The old Telstra employed ones were good, the contractors are shite. A lot like Aus Post, the old posties used to be decent, the contractors throw parcels out the window of their van, you're lucky if it hits near your front door.

      Unfortunately, shite contractors are what happens when you farm work out to the cheapest contractors.

      I feel like this post should end with a stern warning for young people to vacate my greenery.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Not surprised at all. by crafty.munchkin · · Score: 1

      They were Telstra linesmen for almost all of the visits. The contractors actually bothered to contact me when they were coming - the Telstra tech's just turned up, did the work incorrectly, and then left. The last one who came was a contractor, and he fixed up the patching to the MDF from the building sub-exchange on all six lines. Even he couldn't believe how badly it had been botched. Crossed pairs, pairs tagged incorrectly, and since Telstra only issued one job for one line at a time, this had meant so many different visits.

      To be fair the building sub-exchange was a confusing point for them all. After the 8th visit turned out to not have any tags at the MDF, I put up a sign on the sub-exchange door. As to the following 5 visits, well, who knows what those morons were smoking.

      --
      ... wait, what?
    8. Re:Not surprised at all. by oztiks · · Score: 1

      Funny story about Telstra. Wife called them up concerned that she couldn't find the latest Twilight movie on TBox. Sufficed to say the "accented man" Filipino / Indian guy gave her a bittorrent address and told her she can download the movie from there :)

    9. Re:Not surprised at all. by cowstaker · · Score: 1

      FYI I work for Telstra. Telstra carries secure networks for foreign governments, defense departments and large corporations. There is a large difference between an enterprise product and one for a consumer. Given the size and scope of the company, and the inevitable nature of dealing with customers and employees, situations like this simply happen. Judge the company on the response not on the issue itself, especially considering that our routers are sourced from an external company. I guess this is a case of we sold you the rope with which you hang us. At some point every carrier in Australia uses our plant or equipment ranging from fully provisioned data networks to rack space and so on. I would object to the label of dodgy when clearly we have a transatlantic network that is sufficient for you to post on slashdot with.

    10. Re:Not surprised at all. by realityimpaired · · Score: 1

      I would object to the label of dodgy when clearly we have a transatlantic network that is sufficient for you to post on slashdot with.

      Assuming you actually do work for Telstra, I can judge the company as quite dodgy, and completely incompetent based on this statement alone: Australia is in the Pacific, not the Atlantic, and if your network is transatlantic, you clearly have no idea what the hell you're doing.

  6. So what are they? by Xtifr · · Score: 2

    Don't be coy. What are these passwords? :)

    1. Re:So what are they? by Macgrrl · · Score: 3, Funny

      I thought they picked something secure like Hunter2?

      --
      Sara
      Designer, Gamer, Macgrrl in an XP World
    2. Re:So what are they? by Anonymous Coward · · Score: 1

      Here you go:

      Hard-coded credentials and command-injection vulnerabilities on BigPond 3G21WB

      ADVISORY INFORMATION
      Title: Hard-coded credentials and command-injection vulnerabilities
                on BigPond 3G21WB
      Discovery date: 17/09/2012
      Release date: 11/10/2012
      Credits: Roberto Paleari (roberto@greyhats.it, @rpaleari)

      VULNERABILITY INFORMATION
      Class: Authentication bypass, command-injection

      AFFECTED PRODUCTS
      We confirm the following device models to be affected:
            * BigPond 3G21WB

      Similar routers are probably vulnerable to these very same issues.

      VULNERABILITY DETAILS
      The firmware running on the affected routers is subject to multiple security
      issues that allow an unauthenticated attacker to gain administrative access to
      the device and execute arbitrary commands. In the following paragraphs we
      describe the details of the vulnerabilities we identified.

      a) Hard-coded credentials
            A user can authenticate to the web server running on the device using the
            credentials "Monitor:bigpond1". These credentials are hard-coded, and cannot
            be changed by a normal user.

      b) Command-injection vulnerability
            The "ping.cgi" web page is subject to a command-injection vulnerability, as
            the server-side script does not properly validate user-supplied input.

            The following URL exploits this issue, executing the "ls /" command:
            http:///ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd

      REMEDIATION
      We are not aware of an updated firmware that corrects the issues described in
      this advisory. We suggest users to disable web access on the WAN side.

      DISCLOSURE TIME-LINE
              * 17/09/2012 - Initial vendor contact.

              * 18/09/2012 - Vendor replied asking for details.

              * 19/09/2012 - The author replied and asked for a technical
                                            contact. Disclosure date set to October 10th, 2012 (3
                                            weeks).

              * 19/09/2012 - Vendor replied, providing the phone contact number of the
                                            Technical Support Department.

              * 20/09/2012 - The author replied, asking to keep all the communication
                                            through e-mail, in order to keep track of the whole
                                            conversation.

              * 24/09/2012 - No response from the vendor. The author re-sent the last
                                            e-mail.

              * 04/10/2012 - No response from the vendor. The author re-sent the last
                                            e-mail (again).

              * 11/10/2012 - Still no response from the vendor. Disclosure.

      DISCLAIMER
      The author is not responsible for the misuse of the information provided in
      this security advisory. The advisory is a service to the professional security
      community. There are NO WARRANTIES with regard to this information. Any
      application or distribution of this information constitutes acceptance AS IS,
      at the user's own risk. This information is subject to change without notice.

    3. Re:So what are they? by WGFCrafty · · Score: 1

      12345

    4. Re:So what are they? by leathered · · Score: 1

      I thought they picked something secure like *******?

      I don't get it, why would you want ******* as a password?

      --
      For all intensive porpoises your a bunch of rediculous loosers
    5. Re:So what are they? by oodaloop · · Score: 1

      That's the kind of password an idiot would use on his luggage!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  7. What's the IP block for D'OH! by Chas · · Score: 1

    You'd think these people would learn.

    But NOOOOOOOOO!

    Why not just pre-infect the fucking things and sell them to a damn botnet...

    Idiots...

    --


    Chas - The one, the only.
    THANK GOD!!!
  8. Merely a time saving measure by Grayhand · · Score: 3

    Just image all the man hours of hacker's time think saved! If only other companies were as forward thinking.

  9. No problem by slazzy · · Score: 4, Funny

    This is why I always change my password to "secret" right away.

    --
    Website Just Down For Me? Find out
    1. Re:No problem by ArcadeNut · · Score: 1

      Damn it! Now I have to change my password! Thanks!

      --
      Visit the Arcade Restoration Workshop @ http://www.arcaderestoration.com
    2. Re:No problem by dcrisp · · Score: 1

      Damn right!.. I use that one as well. Everybody[1] keeps telling us that the password must be secret. So I made it secret.
      [1] The Royal Everybody.

    3. Re:No problem by trancemission · · Score: 1

      Surely "itsasecret"

  10. A flaw, really? by JayTech · · Score: 2

    Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intention back door for... company engineers... company spies... the government... Just sayin'!

    1. Re:A flaw, really? by fuzzyfuzzyfungus · · Score: 1

      Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intention back door for... company engineers... company spies... the government... Just sayin'!

      It isn't an either/or.

      Hard-coded credentials are a backdoor, whether covert or just buried in fine print; but they are a flawed backdoor because they are far too trivial for malicious 3rd parties to exploit on top of the intended malicious users.

      Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

      Neither is desirable, from the user point of view; but they are very different things.

    2. Re:A flaw, really? by bmo · · Score: 1

      >Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

      Until the private key gets leaked.

      Key escrow is always bad.

      --
      BMO

    3. Re:A flaw, really? by JayTech · · Score: 1

      I used a little hyperbole to make a point about the passwords being a backdoor. Your argument is valid, absolutely; but that assumes The Man is efficient and crafty - none of which are generally equated with governments these days. This is a lazy man's backdoor, through a gate that appears to be normal both inside and out. On the other hand, a black hat implementing your proposed covert SSH backdoor would fit right in line with their known weapons of fear, surprise, and ruthless efficiency.

    4. Re:A flaw, really? by bmo · · Score: 1

      >If The Man's copy of private key gets leaked then security is lost, but that's true however many people had it to begin with.

      "Three can keep a secret, if two of them are dead." - Benjamin Franklin.

      I reiterate: key escrow is always bad.

      --
      BMO

  11. Sasktel is the same by xQuarkDS9x · · Score: 2

    I found out last year when me and my girlfriend moved into this apartment together that Sasktel (DSL internet provider for Saskatchewan Canada) apparantly also uses 2wire Routers/gateways and this one was literally screwed into the wall with a mounting bracket. Also disturbing was just doing a quick google search and sure enough in under 30 seconds I found default passwords for 2wire routers/gateways... what a suprise.

    As I have been an Access Communications customer for years with a cable modem and my own router currently using a Linksys WRT400N and before that a Linksys WRT54GS that I donated to my sister a couple years ago I basically said screw sasktel called up Access and they setup my VOIP phone server and internet access.

    Funny thing is you use any wi-fi device to look for routers nearby and you see about 20-25 2wire(3 digit number here) routers then my router that I named "2 Girls 1 Router" just to be different and hopefully give some people a laugh. :)

    --
    You must master your joystick like a fisherman masters bait! - Gimpy
    1. Re:Sasktel is the same by xQuarkDS9x · · Score: 1

      Meant to say VOIP phone service and also meant to add that man oh man do they ever try to shove sasktel down your throat when we moved in... if you didn't know about Access Communications which competes with them in this province especially if you moved in from out of province or from a different country you'd probably get suckered into Sasktel and their crown corporation garbage.

      --
      You must master your joystick like a fisherman masters bait! - Gimpy
  12. HP printer firmware upgrade via print ? by johnjones · · Score: 3, Interesting

    are you serious ?

    so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

    is this only over USB or Networked as well ?

    (this is not a bad solution to upgrade the firmware but I bet they dont sign their firmware only use a magic hexcode to initiate the upgrade )

    regards

    John

    1. Re:HP printer firmware upgrade via print ? by dbIII · · Score: 3, Interesting

      so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

      That sounds like HP all right. A simple nmap portscan kills their Jetdirect cat5 to parallel boxes dead. Not factory reset dead, but desolder a chip and replace it with a new one dead.

    2. Re:HP printer firmware upgrade via print ? by azalin · · Score: 1

      fun times. That reminds me of the (far less lasting) joke of sending a raytracer written in postsrcipt to the printer. Took about half an hour for the single page to print.

    3. Re:HP printer firmware upgrade via print ? by DarwinSurvivor · · Score: 1

      It's a network printer and yes, I was amazed at how rediculously insecure it was as well. Even if they DID sign it, and I'm certain they don't, all it takes is for HP to release 1 buggy version, which would be signed, for someone to screw up a printer. BTW, you can also print (and update the firmware) over an unprotected FTP port which is enabled by default.

      In other words, thou shalt firewall thine printers!

    4. Re:HP printer firmware upgrade via print ? by girlinatrainingbra · · Score: 1

      Is that kind of problem the reason that they invented PDF format so that PS programs that might run for too long got truncated into known-to-stop printing commands?

    5. Re:HP printer firmware upgrade via print ? by Shimbo · · Score: 1

      so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

      ..and halt and catch fire, possibly. http://redtape.nbcnews.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

      HP do now support code signing, whereas previously they had code singeing. And of course, everyone with a networked HP printer has applied the patches, right?

    6. Re:HP printer firmware upgrade via print ? by ediron2 · · Score: 1

      I'm hearing similar rumblings for a high end LG fridge. Think we're going to be seeing more of this as time goes by...

  13. Telstra-Microsoft Sales Conspiracy? by Anonymous Coward · · Score: 1

    Seems Telstra's upgrade page has a small sales conspiracy to get users away from Macs. From the upgrade instructions:

    If you have a MAC

    Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.
    Step 2 of 3: Follow the upgrade instructions for Windows users above.
    Step 3 of 3: Once you've upgraded your device, you can continue using your device on your Mac as normal

  14. Cisco by BlackPignouf · · Score: 1

    Cisco has backdoors too
    https://www.networkworld.com/community/node/57070

  15. Isn't that common practice? by aaaaaaargh! · · Score: 2

    In Portugal, the passwords of the routers of the biggest telecom (TMN) are available and easy to find on the Net, and each router doesn't have just one but usually several admin and root accounts. I guess they think that as long as you can access it only from LAN and via "official channels" that's secure enough.

    1. Re:Isn't that common practice? by Inda · · Score: 1

      I thought it was common too.

      There's an app on Google Play that tries default passwords on wireless access points. I forget its name, as I only tried it a few times, and routers I was trying to connect to probably didn;t have this exploit.

      ezNetScan rings a bell.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Why worry about Huawei? by gtirloni · · Score: 1

    I think Telstra is doing a fine job on screwing .au

    --
    none
    1. Re:Why worry about Huawei? by fa2k · · Score: 1

      Well sure, but now all Australian hardware has to be banned because this is clearly intentional government spying. Telstra was even part of the Australian government :O

  18. Sounds like a reasonable way to proceed by golodh · · Score: 2

    Explained this way (the hard-coded password device-specific and printed on a sticker inderneath it), what you sketch here sounds practical and thoroughly reasonable (something you couldn't possibly guess from the usual Slashdot headlines though).

  19. Comcast did the same thing by koan · · Score: 1

    Set up neighbours Comcast router they bought from Comcast only to discover it had a fixed password, you would have to flash it to get rid of the password.
    Not something my neighbour even knows about or can do by himself.

    --
    "If any question why we died, Tell them because our fathers lied."
  20. This saves a lot of time and money by sl4shd0rk · · Score: 1

    * Do not have to wait for customer to come back from lunch to get passwords when in field.
    * No danger of leaving password written down on sticky note
    * Saves money in costly bandwidth due to encrypted data
    * Lowers customer's TCO; no encryption royalties

    --
    Join the Slashcott! Feb 10 thru Feb 17!