Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australia's Biggest Telco Sold Routers With Hardcoded Passwords

Posted by Unknown on from the who-released-the-debug-build dept.

mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

33 of 154 comments (clear)

  1. Comcast routers by onix · · Score: 5, Informative

    Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

    1. Re:Comcast routers by Anonymous Coward · · Score: 3, Informative

      All of them using the exact same SSID and WPA (hardcoded) or each device has it's unique SSID and WPA hardcoded, big diff there.

    2. Re:Comcast routers by __aaltlg1547 · · Score: 4, Insightful

      Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

      That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

    3. Re:Comcast routers by ppanon · · Score: 3, Interesting

      You think that a company that is going to hardcode the SSID/WPA password into firmware updates (instead of keeping your current settings) would go to the trouble of customizing a different firmware file for each user so that they can get a high security hardcoded default? Really?

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    4. Re:Comcast routers by DarwinSurvivor · · Score: 2

      Shaw does.

    5. Re:Comcast routers by green1 · · Score: 2

      Most residential broadband routers are factory configured with their own unique SSID/WPA key, this information is typed on the sticker on the bottom of the router, and is more or less unique to that specific router. Some companies have a habit of resetting everything to factory defaults when they do firmware upgrades, hence wiping out any custom SSID/WPA key and resetting to the one printed on the bottom of the device.

      Personally I recommend to most customers that if they aren't comfortable messing with the settings on the router on a regular basis they are much better off just using the ones printed on the router. They're mostly as secure as your own settings, and you don't have to worry about what happens if the thing gets reset. It also has the added bonus that when they forget it (and yes, people do regularly forget the ones they set themselves) it is printed right on the bottom of the device.

    6. Re:Comcast routers by WaffleMonster · · Score: 4, Interesting

      No one serious about security would use Comcast anyway.

      Like your choice of ISP magically changes the reality of Internet being a fully untrusted and untrustworthy network.

      Always assume your pipe is compromised and use end-to-end security if you care about the confidentiality and integrity of any data you transmit over the Internet.

      I don't know anyone in the tech field that uses them

      LOL I know of many network engineers who work for first and second tier operators who use comcast at home.

      CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable

      YMMV... my pings are about 30ms to google and 20ms when using comcast as a WAN link to our corporate office.

      like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.

      These comments are pointless. If you look for it there will always be someone saying megaco x is horrible because y happened or megaco a is great because b happened. Our personal experiences mean squat. You would be on better footing by citing the results of a customer satisfaction survey.

    7. Re:Comcast routers by Drakonblayde · · Score: 5, Insightful

      Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).

    8. Re:Comcast routers by realityimpaired · · Score: 2

      More likely, they do what Bell Canada does, which is to have the firmware read the serial number and apply an algorithm to that in order to create the default SSID/key on each modem. On the 2Wire modems, the default SSID was always BELL{last 3 digits of s/n}. I never did figure out what the algorithm was for the default key, but it is different on every modem, and on the Sagemcom modems, it's a different algorithm to figure out the default SSID as well.

  2. Easy fix by Artea · · Score: 2, Interesting

    Chances are this is the remote admin password for easy customer service. The devices are probably just rebranded Netgears or Belkins. Flash the firmware from the Vendor's support site, and clear off the Telstra "customer friendly" version of the firmware and this becomes a non-issue. I recall even manually adding a variable into the url enabled "advanced mode" to change this stuff without flashing the firmware.

    1. Re:Easy fix by WaffleMonster · · Score: 4, Insightful

      What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

      Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

      <A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>

    2. Re:Easy fix by Wandering+Voice · · Score: 2

      Reminds me of when a spam email went around in the late 90s or early 00s which informed people of a virus infection and if you had an AOL icon on your desktop, you were infected. Hahah. AOL was flooded that day with tech support calls from many who were not able to dial in. Post a similar threat warning on Facebook (fAOLbook?) and we'll have come nearly full circle again.

  3. More the reason ... by lsllll · · Score: 2

    ... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

    --
    Is that a roll of dimes in your pocket or are you happy to see me?
    1. Re:More the reason ... by Cimexus · · Score: 3, Insightful

      Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

      Also, people should be avoiding Telstra as a matter of principle anyway :)

    2. Re:More the reason ... by mjwx · · Score: 3, Insightful

      Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

      This. Most ISP's including good ISP's like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).

      Also, people should be avoiding Telstra as a matter of principle anyway :)

      To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principal. However I'd happily avoid Telstra's other services.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  4. Not surprised at all. by crafty.munchkin · · Score: 5, Interesting

    Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this for one of their latest privacy blunders...

    --
    ... wait, what?
    1. Re:Not surprised at all. by mjwx · · Score: 3, Funny

      Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this for one of their latest privacy blunders...

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Not surprised at all. by tlhIngan · · Score: 2

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      Actually, in this case, it's probably the manufacturer of the router. Basically the ISP says "I want a modem+router for CPE (customer premises equipment), and I'll pay you $20 per unit". Yes, CPE is built down to a price because the ISP doesn't want to pay much for it. So shortcuts are always taken to meet the requirement - cheap processors barely able to keep up, low features, barely the minimum amount of RAM, etc. Which is why these routers will flop if you try to push any traffic more demanding that websurfing through them. No ISP cares about what it does - as long as it lets traffic through.

      The only way to get things properly done is get a modem only if you can, get it set to bridge mode if you can't (or supply your own if it's an option - this isn't necessarily the case). Use your own router, because the router they give you will be crap, and there's a reason why routers sell for $20 and $200.

  5. Re:If you have a MAC... by crafty.munchkin · · Score: 5, Funny

    You should've seen the installation tech who came to install Bigpond Cable at our office. He needed a PC to activate it, I brought out my linux laptop - I've never seen anyone so confused. He asked for Internet Explorer, I told him he could have Firefox or Chrome. I think he nearly cried.

    --
    ... wait, what?
  6. Re:If you have a MAC... by DarwinSurvivor · · Score: 2

    We have a friend that works for HP, so we got him as our rep for maintaining our business line computer. We were having an issue and he decided the best thing would be to update the firmware (it was fairly out of date). That was when we both realized he had no idea how to do it from a non-windows computer. Turns out all you have to do to "reimage" an hp printer is *litterally* print the firmware file from any computer!

  7. So what are they? by Xtifr · · Score: 2

    Don't be coy. What are these passwords? :)

    1. Re:So what are they? by Macgrrl · · Score: 3, Funny

      I thought they picked something secure like Hunter2?

      --
      Sara
      Designer, Gamer, Macgrrl in an XP World
  8. Re:If you have a MAC... by green1 · · Score: 5, Interesting

    I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!

  9. Merely a time saving measure by Grayhand · · Score: 3

    Just image all the man hours of hacker's time think saved! If only other companies were as forward thinking.

  10. No problem by slazzy · · Score: 4, Funny

    This is why I always change my password to "secret" right away.

    --
    Website Just Down For Me? Find out
  11. A flaw, really? by JayTech · · Score: 2

    Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intention back door for... company engineers... company spies... the government... Just sayin'!

  12. Re:If you have a MAC... by SeaFox · · Score: 2

    Forget the platform restrictions. Since when does one need to "install" a piece of hardware that's supposed to function independently of a computer.

    Anytime I see instructions saying I need to install software for a router to work I mentally add "so we can install our spyware on your computer" to the step.

  13. Re:If you have a MAC... by wvmarle · · Score: 2

    The last few times I had Internet installed at either office or home, the tech always took their own laptop to set it up. So at least he has all the tools he needs at hand. I really don't understand that Bigpond Cable tech didn't carry his own laptop...

  14. Sasktel is the same by xQuarkDS9x · · Score: 2

    I found out last year when me and my girlfriend moved into this apartment together that Sasktel (DSL internet provider for Saskatchewan Canada) apparantly also uses 2wire Routers/gateways and this one was literally screwed into the wall with a mounting bracket. Also disturbing was just doing a quick google search and sure enough in under 30 seconds I found default passwords for 2wire routers/gateways... what a suprise.

    As I have been an Access Communications customer for years with a cable modem and my own router currently using a Linksys WRT400N and before that a Linksys WRT54GS that I donated to my sister a couple years ago I basically said screw sasktel called up Access and they setup my VOIP phone server and internet access.

    Funny thing is you use any wi-fi device to look for routers nearby and you see about 20-25 2wire(3 digit number here) routers then my router that I named "2 Girls 1 Router" just to be different and hopefully give some people a laugh. :)

    --
    You must master your joystick like a fisherman masters bait! - Gimpy
  15. HP printer firmware upgrade via print ? by johnjones · · Score: 3, Interesting

    are you serious ?

    so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

    is this only over USB or Networked as well ?

    (this is not a bad solution to upgrade the firmware but I bet they dont sign their firmware only use a magic hexcode to initiate the upgrade )

    regards

    John

    1. Re:HP printer firmware upgrade via print ? by dbIII · · Score: 3, Interesting

      so your telling me that I can screw your entire print service and DOS it by sending it a print job ?

      That sounds like HP all right. A simple nmap portscan kills their Jetdirect cat5 to parallel boxes dead. Not factory reset dead, but desolder a chip and replace it with a new one dead.

  16. Isn't that common practice? by aaaaaaargh! · · Score: 2

    In Portugal, the passwords of the routers of the biggest telecom (TMN) are available and easy to find on the Net, and each router doesn't have just one but usually several admin and root accounts. I guess they think that as long as you can access it only from LAN and via "official channels" that's secure enough.

  17. Sounds like a reasonable way to proceed by golodh · · Score: 2

    Explained this way (the hard-coded password device-specific and printed on a sticker inderneath it), what you sketch here sounds practical and thoroughly reasonable (something you couldn't possibly guess from the usual Slashdot headlines though).