Verizon Issues Patch For Vulnerabilities on Millions of Fios Routers

Verizon is sending out an update for millions of its routers after security researchers discovered vulnerabilities that could allow potential attackers to take over the devices. From a report: Researchers from Tenable, a security company, detailed three vulnerabilities with Verizon's Fios Quantum Gateway router on Tuesday. The company said it disclosed these security flaws to Verizon last December, and that the company issued a fix on March 13. Verizon said that a small percentage of its customers did not get the update automatically, and will still need a patch to protect against this security flaw. "We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100," a Verizon spokesman said in a statement.

"As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches." The company said that several customers with a particular type of router did not get the update, but said that people affected will not need to take any action. If your router's firmware is running version 02.02.00.13, you're up to date and safe from the vulnerabilities.

Actually, well done, Verizon.

[flippy]

Being made aware of a vulnerability, producing a patch in a timely fashion, and pushing it out to vulnerable devices? Wow. That's actually well done.

Re: Actually, well done, Verizon.

Now maybe they want to get larger shirts for the installers so I don't have to see the man boobs on their chests

Re:Actually, well done, Verizon.

[kaizendojo]

Except when they did it, they added a redirect to an invalid certificate so you have to go through allowing the exception instead of just going to your login. So even when they fix something, they screw something else up.

Re:Actually, well done, Verizon.

Not so sure about "well done". The upgraded my router on 03/04/2019, but then downgraded it back to the vulnerable firmware on 03/23/2019. I saw them do this by watching the SNMP logs.

I have Verizon and use pfSense

[MikeDataLink]

I'd never allow their router on my network. Turns out I was correct.

Re:I have Verizon and use pfSense

[flippy]

I have a tendency to agree with you, I was just giving them props for doing what all the vendors should be doing, and doing it in a timely manner.

I recently moved to an apartment where I get free wifi. In my old place, I paid for the internet access myself, and had a direct wired connection. Rather than reprogram all my devices, I got a wifi bridge, connected that to the wifi provided to me, and plugged my old router into the bridge's ethernet port. My router complained a little about double-nat, but it honestly hasn't caused any actual issues, and I turned off the notification. The more I think about this, the more I like it from a security perspective. If someone wants to get to my devices, they'll have to get through two different router/firewall combinations from two different vendors.

Re:I have Verizon and use pfSense

[iamgnat]

I'd never allow their router on my network. Turns out I was correct.

Except when you have to call support for something (like them randomly changing your service without your input or consent). No matter how many times you tell them "I don't have any of your hardware, you can't run tests past the ONT" there is still always a pause followed by "huh? I can't seem to communicate with the router/DVR".

Still, while I'm not netsec guru I still trust my hardware/software picks much better than the garbage they want me to pay a monthly rental for. The occasional hassle of dealing with an idiot that doesn't listen is worth it.

Re:I have Verizon and use pfSense

[Fly+Swatter]

But they did fix the problem, that is better than most. Vulnerabilities happen, even for pfSense.

What does this have to do with Global Warming?

I thought that Slashdot was the Global Warming website. Now they are putting up filler material about Verizon routers! Jeez, let's get back to Global Warming stories 24/7.

Re: What does this have to do with Global Warming?

The editors couldn't read, even with glasses but at least they keep the stories coming

Oh...sure...patch those...

[DewDude]

But completely deny us the ability to turn off UPnP.

Seriously...unless they changed it in the last update....the page to disable UPnP is hidden; and even when you do manualy access it...it DOES NOT WORK.

Any device plugged in to a FiOS router will get ports assigned to it over UPnP with zero questions asked.

Re:Oh...sure...patch those...

There are enough tutorials on using your own router on Verizon that if you still use theirs at this point then you are doing so by choice. Make a different choice. I bet if you saved up all the time you've spend posting about this and used it to fix the issue then you'd also have a lot more free time moving forward.

Re:Oh...sure...patch those...

[Fly+Swatter]

It gets better than that. This update also disabled being able to rename the admin account, I had a custom admin name and password - perhaps that was part of the vulnerability - but it was not fun finding you were essentially locked out of your own router unless you entered the default password printed on the router. All with no warning.

It also disabled mac filtering, completely gone from the UI and it seems some people had issues that had set mac filtering were now unable to connect those devices with the router. With this vulnerability news, the feeling they rushed out the update is confirmed.

Frontier?

[Carcass666]

Wonder about those of us poor saps that Verizon sold to Frontier...

Re:Frontier?

[AsylumWraith]

I had been wondering the same thing.

Of course, after they *badly* botched the rollover in my area, (including a more than one week internet outage in my case,) I dropped them and went with an alternative. Screw Frontier; I'm guessing they won't patch those old Verizon routers anytime soon.

Fios Router?

[TechyImmigrant]

Why would you use the router that comes with a Fios service?

Re:Fios Router?

[Fly+Swatter]

Because they actually fix their vulnerabilities?
Because it does what I need and just works?
Because it was free? (although it is a monthly fee for most now)
If it breaks, they replace it for free
Not everyone needs a network war room

- things I don't use but should be included for completeness -
Because it works with their TV service and STBs.
Because getting support if a customer has an issue is easier, they don't tech support third party routers.

just use host filez

You all know my host files rock
IM THE KING OF THE INTERWEBZ
You know you love me =>APK
Besides every fool that I misquote there are lots of ppl that love me-
Just not here
I'm the god of /. =>APK
Download my warez
Only 79k lines of code
Not bad for a string sort program
Just install it now it helps a whole lot
Guaranteed by slashdot editors

Re:just use host filez

Only 79k lines of code
Not bad for a string sort program

79000 lines of code for a fucking string sort?

What kind of a head injury do you have, anyway?

My FIOS router is insulated behind my SonicWall fi

I trust the security I pay for rather than the security Verizon sloppily provides.