Slashdot Mirror


Australia's Biggest Telco Sold Routers With Hardcoded Passwords

mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."
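
The bug class in the summary (credentials baked into the firmware image so they survive any password the customer sets) is usually found by unpacking the image and scanning the root filesystem. As an added example, not taken from the article or from any Telstra firmware, here is a small scanner over a constructed, in-memory filesystem: it flags `passwd`/`shadow` entries that can log in (a hash baked in, or an empty password field), and credential-looking `key=value` literals in text configs and scripts. File names, contents and the hash string are all made up for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "account" (passwd/shadow entry) or "config" (credential literal in a text file)
    name: str   # account name or config key
    note: str


# Credential-looking keys in text configs/scripts: key = value or key: value, optional quotes.
KEY_RE = re.compile(
    rb"^[ \t]*([A-Za-z0-9_.-]*(?:pass(?:wd|word)?|pwd|secret|psk)[A-Za-z0-9_.-]*)"
    rb"[ \t]*[=:][ \t]*[\"']?([^\"'\s#]*)",
    re.IGNORECASE | re.MULTILINE,
)
# Values filled in at provisioning time rather than baked into the image.
PLACEHOLDERS = {"", "changeme", "<password>", "${password}"}


def scan_accounts(path: str, data: bytes) -> list:
    """Flag passwd/shadow entries that can log in with a password baked into the image."""
    findings = []
    for line in data.splitlines():
        fields = line.decode("latin-1").split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "x":                  # passwd says "see shadow"; shadow is scanned separately
            continue
        if pw in ("*", "!", "!!"):     # locked account: no password login possible
            continue
        note = ("empty password: login without any password" if pw == ""
                else f"password hash baked in ({pw[:3]}...)")
        findings.append(Finding(path, "account", user, note))
    return findings


def scan_config(path: str, data: bytes) -> list:
    """Flag literal credentials assigned in text configuration files and shell scripts."""
    findings = []
    for m in KEY_RE.finditer(data):
        key = m.group(1).decode("latin-1")
        value = m.group(2).decode("latin-1")
        if value.lower() in PLACEHOLDERS:
            continue
        findings.append(Finding(path, "config", key, "literal credential in the firmware image"))
    return findings


def scan_firmware(fs: dict) -> list:
    """fs maps a path inside the unpacked root filesystem to the file's bytes."""
    findings = []
    for path, data in sorted(fs.items()):
        name = path.rsplit("/", 1)[-1]
        if name in ("passwd", "shadow"):
            findings += scan_accounts(path, data)
        elif b"\x00" not in data[:4096]:   # skip binaries; those need strings(1)-style extraction
            findings += scan_config(path, data)
    return findings


# Constructed sample of an unpacked root filesystem; not a real vendor image.
SAMPLE_FS = {
    "bin/busybox": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16,
    "etc/passwd": (b"root:x:0:0:root:/:/bin/sh\n"
                   b"support::0:0:vendor support:/:/bin/sh\n"
                   b"nobody:*:99:99:nobody:/:/bin/false\n"),
    "etc/shadow": (b"root:$1$Jd9k2Qz1$Ab3cDeFgH1jKlMnOpQrSt.:0:0:99999:7:::\n"
                   b"nobody:*:0:0:99999:7:::\n"),
    "etc/default.cfg": b"# factory defaults\nadmin_user=admin\nadmin_pass=support123\nwifi_psk=\n",
    "etc/init.d/remote.sh": b"#!/bin/sh\nREMOTE_PASSWORD=\"Sup3rv1sor\"\nexec telnetd -l /bin/login\n",
}

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FS):
        print(f"{f.path}: {f.kind} {f.name}: {f.note}")
```

On the sample this reports four findings: the `support` account with an empty password, the `root` hash in `shadow`, `admin_pass` in the defaults file and `REMOTE_PASSWORD` in the init script, while the empty `wifi_psk` is ignored as a provisioning placeholder. A real image also needs the compiled binaries checked (the credential may live in a CGI handler rather than a config file), which is why the scanner skips anything containing NUL bytes instead of pretending to cover it.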

18 of 154 comments

  1. Comcast routers by onix · · Score: 5, Informative

    Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

    1. Re:Comcast routers by Anonymous Coward · · Score: 3, Informative

      All of them using the exact same SSID and WPA (hardcoded), or each device has its unique SSID and WPA hardcoded; big diff there.

    2. Re:Comcast routers by __aaltlg1547 · · Score: 4, Insightful

      Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

      That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

    3. Re:Comcast routers by ppanon · · Score: 3, Interesting

      You think that a company that is going to hardcode the SSID/WPA password into firmware updates (instead of keeping your current settings) would go to the trouble of customizing a different firmware file for each user so that they can get a high security hardcoded default? Really?

      --
      Let people read, and let them dance; these two amusements will never do the world any harm. - Voltaire
    4. Re:Comcast routers by WaffleMonster · · Score: 4, Interesting

      No one serious about security would use Comcast anyway.

      Like your choice of ISP magically changes the reality of Internet being a fully untrusted and untrustworthy network.

      Always assume your pipe is compromised and use end-to-end security if you care about the confidentiality and integrity of any data you transmit over the Internet.

      I don't know anyone in the tech field that uses them

      LOL I know of many network engineers who work for first and second tier operators who use comcast at home.

      CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable

      YMMV... my pings are about 30ms to google and 20ms when using comcast as a WAN link to our corporate office.

      like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.

      These comments are pointless. If you look for it there will always be someone saying megaco x is horrible because y happened or megaco a is great because b happened. Our personal experiences mean squat. You would be on better footing by citing the results of a customer satisfaction survey.

    5. Re:Comcast routers by Drakonblayde · · Score: 5, Insightful

      Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).
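
The trade-off in the comment above (shared defaults that nobody changes, versus per-device defaults printed on a sticker) hinges on how the per-device values are made. As an added example, not Comcast's or any vendor's provisioning code, here is a factory-side routine that draws the WPA2 passphrase and admin password from the OS CSPRNG, derives only the public SSID from the serial, and runs a batch sanity check. The alphabet, lengths, model name and the `derived_passphrase` anti-pattern are all constructed for the demonstration; the anti-pattern shows why "unique per device" is not the same as "unguessable" when the value is computed from a serial or MAC that is itself visible.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass

# 32-symbol alphabet without look-alikes (no 0/O, 1/I/l): exactly 5 bits per printed character,
# which matters because the customer types this off a sticker.
STICKER_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ADMIN_LEN = 12   # 60 bits
WPA_LEN = 16     # 80 bits


@dataclass(frozen=True)
class StickerRecord:
    """Per-device defaults, written to a device-specific config partition at the factory,
    not into the firmware image, so a firmware upgrade cannot reset or overwrite them."""
    serial: str
    ssid: str
    wpa2_passphrase: str
    admin_password: str


def random_token(length: int) -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice seeded from time or serial is guessable.
    return "".join(secrets.choice(STICKER_ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    return length * math.log2(len(STICKER_ALPHABET))


def provision(serial: str, model: str = "XYZ") -> StickerRecord:
    # The SSID may be derived from the serial (it is broadcast anyway); the secrets must not be.
    return StickerRecord(serial, f"{model}-{serial[-4:]}", random_token(WPA_LEN), random_token(ADMIN_LEN))


def batch_is_sane(records) -> bool:
    """Factory QA: no two devices share a secret, every secret has the intended length and alphabet."""
    psks = [r.wpa2_passphrase for r in records]
    pwds = [r.admin_password for r in records]
    allowed = set(STICKER_ALPHABET)
    return (len(set(psks)) == len(psks) and len(set(pwds)) == len(pwds)
            and all(len(p) == WPA_LEN for p in psks)
            and all(len(p) == ADMIN_LEN for p in pwds)
            and all(set(p) <= allowed for p in psks + pwds))


def derived_passphrase(serial: str) -> str:
    # Anti-pattern (constructed, not any vendor's scheme): unique per device, yet anyone who knows
    # the formula and reads the serial off the sticker or the MAC out of beacon frames recomputes it.
    return hashlib.sha256(serial.encode()).hexdigest()[:WPA_LEN]


def recomputable_from_serial(serial: str, passphrase: str) -> bool:
    """Would an attacker who only knows the serial and the derivation formula get this passphrase?"""
    return secrets.compare_digest(derived_passphrase(serial), passphrase)


if __name__ == "__main__":
    batch = [provision(f"SN{n:08d}") for n in range(1000)]
    print("batch sane:", batch_is_sane(batch), "WPA2 entropy bits:", entropy_bits(WPA_LEN))
    r = batch[0]
    print(r.ssid, r.wpa2_passphrase, recomputable_from_serial(r.serial, r.wpa2_passphrase))
```

The factory-reset story in the comment works with this design as long as the record lives outside the firmware image and the sticker is generated from the same record: reset restores the CSPRNG value, not a shared or serial-derived one.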

  2. Not surprised at all. by crafty.munchkin · · Score: 5, Interesting

    Telstra are a notoriously dodgy company with a history of being idiots when it comes to customers' privacy and account security. Have a read of this for one of their latest privacy blunders...

    --
    ... wait, what?
    1. Re:Not surprised at all. by mjwx · · Score: 3, Funny

      Telstra are a notoriously dodgy company with a history of being idiots when it comes to customers' privacy and account security. Have a read of this for one of their latest privacy blunders...

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  3. Re:More the reason ... by Cimexus · · Score: 3, Insightful

    Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

    Also, people should be avoiding Telstra as a matter of principle anyway :)

  4. Re:If you have a MAC... by crafty.munchkin · · Score: 5, Funny

    You should've seen the installation tech who came to install Bigpond Cable at our office. He needed a PC to activate it, I brought out my linux laptop - I've never seen anyone so confused. He asked for Internet Explorer, I told him he could have Firefox or Chrome. I think he nearly cried.

    --
    ... wait, what?
  5. Re:If you have a MAC... by green1 · · Score: 5, Interesting

    I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!

  6. Merely a time saving measure by Grayhand · · Score: 3

    Just imagine all the man-hours of hackers' time this saved! If only other companies were as forward thinking.

  7. No problem by slazzy · · Score: 4, Funny

    This is why I always change my password to "secret" right away.

    --
    Website Just Down For Me? Find out
  8. Re:So what are they? by Macgrrl · · Score: 3, Funny

    I thought they picked something secure like Hunter2?

    --
    Sara
    Designer, Gamer, Macgrrl in an XP World
  9. Re:More the reason ... by mjwx · · Score: 3, Insightful

    Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

    This. Most ISPs, including good ISPs like iinet and Internode (now part of the iiborg), sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (You can take my Linksys WRT54G from my cold dead hands; I'd probably die of old age long before it did.)

    Also, people should be avoiding Telstra as a matter of principle anyway :)

    To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principle. However I'd happily avoid Telstra's other services.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  10. Re:Easy fix by WaffleMonster · · Score: 4, Insightful

    What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

    Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Bored? We can help! To get started

    <A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>
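
The link above is the whole point: a "LAN-only" admin password is reachable from the Internet the moment a browser on the LAN renders an attacker's page, and a hardcoded default means the attacker does not even need the victim to be logged in, since the page can log in itself. As an added example, not from the article or any router firmware, here is a toy model of a router admin interface with a vulnerable and a hardened mode, driven through the cross-site flow the comment sketches. The LAN address, the `evil.example` origin, the endpoints and the default password `admin` are all assumed for the demonstration; a real admin page would embed the CSRF token in its HTML rather than return it from the login call.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI


@dataclass
class Request:
    method: str
    path: str
    origin: Optional[str] = None        # browsers send Origin on POSTs, including cross-site ones
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class RouterAdmin:
    """Toy admin interface: POST /login issues a session, POST /dns changes the upstream resolver."""

    def __init__(self, admin_password: str, hardened: bool):
        self.admin_password = admin_password
        self.hardened = hardened
        self.sessions = {}           # session id -> per-session CSRF token
        self.dns = "192.168.1.1"     # factory setting: resolve via the router itself

    def _session(self, req: Request) -> Optional[str]:
        sid = req.cookies.get("sid")
        return sid if sid in self.sessions else None

    def _csrf_ok(self, req: Request, sid: str) -> bool:
        # Hardened mode: a state-changing request must come from the admin UI's own origin AND carry
        # the per-session token that only a same-origin page could have read. Cookies alone prove
        # nothing, because the browser attaches them to the attacker's cross-site form post too.
        if req.origin != ROUTER_ORIGIN:
            return False
        token = req.form.get("csrf")
        return token is not None and secrets.compare_digest(token, self.sessions[sid])

    def handle(self, req: Request):
        if req.method != "POST":
            return 405, "only POST is modelled"
        if req.path == "/login":
            if self.hardened and req.origin != ROUTER_ORIGIN:
                return 403, "cross-site login rejected"   # blocks login CSRF with known defaults
            if req.form.get("user") == "admin" and secrets.compare_digest(
                    req.form.get("password", ""), self.admin_password):
                sid = secrets.token_hex(16)
                self.sessions[sid] = secrets.token_hex(16)
                return 200, {"sid": sid, "csrf": self.sessions[sid]}
            return 401, "bad credentials"
        if req.path == "/dns":
            sid = self._session(req)
            if sid is None:
                return 401, "login required"
            if self.hardened and not self._csrf_ok(req, sid):
                return 403, "CSRF check failed"
            self.dns = req.form["server"]              # vulnerable mode: cookie is all it takes
            return 200, f"dns set to {self.dns}"
        return 404, "not found"


def run_attack(hardened: bool) -> str:
    """A page at http://evil.example auto-submits two forms at the LAN router; returns the resolver
    the router ends up with. The victim never interacts with the router UI."""
    router = RouterAdmin(admin_password="admin", hardened=hardened)   # constructed default
    evil = "http://evil.example"
    browser_cookies = {}   # the browser's cookie jar for 192.168.1.1, which the attacker never reads
    status, body = router.handle(Request("POST", "/login", evil,
                                         form={"user": "admin", "password": "admin"}))
    if status == 200:
        browser_cookies["sid"] = body["sid"]   # Set-Cookie from the login response
    router.handle(Request("POST", "/dns", evil, cookies=browser_cookies,
                          form={"server": "203.0.113.53"}))   # attacker-controlled resolver
    return router.dns


def run_legit_change(hardened: bool) -> str:
    """The owner logs in from the admin page itself and changes the resolver with the token."""
    router = RouterAdmin(admin_password="admin", hardened=hardened)
    _, body = router.handle(Request("POST", "/login", ROUTER_ORIGIN,
                                    form={"user": "admin", "password": "admin"}))
    router.handle(Request("POST", "/dns", ROUTER_ORIGIN, cookies={"sid": body["sid"]},
                          form={"server": "1.1.1.1", "csrf": body["csrf"]}))
    return router.dns


if __name__ == "__main__":
    print("vulnerable router after attack:", run_attack(False))
    print("hardened router after attack:  ", run_attack(True))
    print("hardened router, owner change: ", run_legit_change(True))
```

Two things follow from the model. First, the Origin check on `/login` is what defeats a hardcoded password: a per-session token cannot protect a request made before any session exists, so the only thing stopping the attacker's page from logging in with the known default is refusing cross-origin logins outright. Second, the check has to fail closed when `Origin` is absent, since the attacker's request is the one most likely to be missing it.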

  11. HP printer firmware upgrade via print ? by johnjones · · Score: 3, Interesting

    are you serious ?

    so you're telling me that I can screw your entire print service and DoS it by sending it a print job?

    is this only over USB or Networked as well ?

    (this is not a bad solution to upgrade the firmware, but I bet they don't sign their firmware, only use a magic hexcode to initiate the upgrade)

    regards

    John

    1. Re:HP printer firmware upgrade via print ? by dbIII · · Score: 3, Interesting

      so you're telling me that I can screw your entire print service and DoS it by sending it a print job?

      That sounds like HP all right. A simple nmap portscan kills their Jetdirect cat5 to parallel boxes dead. Not factory reset dead, but desolder a chip and replace it with a new one dead.