eldavojohn writes "Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: '[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router's configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner's network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.' If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing."
...is to put them in bridge mode and use your own router (no matter who your provider is). Same with DSL modems. Even when they aren't misconfigured (deliberately or due to sheer incompetence) the firmware is usually buggy and limited.
While I agree with you, the issue usually isn't the small percentage of technically savvy people who use this, but rather the majority of folks looking to "plug and play". These are the security gaps that allow zombie DDoS attacks to happen so easily, as they open up easy access to lot's of similarly configured boxes.
I was under the impression that the only user-configurable option is to add URLs to a blocking list. There is no way to put it in bridge mode, and even if it was someone could log on and change it, and simply pass all your data to their servers anyway.
This is the kind of setup you give people who don't know about security, so they can't muck it up. Of course, it needs to be secure in the first place, so this is a huge issue and fixable only with firmware (or different hardware).
Initially I was a little confused about the cable modem not being in bridge mode and having an admin interface at all. After RTFA, this vulnerability is only for SMC router/modem combo devices from TW. There was no mention of the Motorola cable modem I have from TW. The Motorola cable modems are acting as a bridge already because my router gets the lease to the public IP.
So apparently no worries regarding this vulnerability for me, but this certainly sucks for 65K other people.
You have the same as I then. Into a browser visit http://192.168.1.1/ [192.168.1.1] and play around. While it doesn't havethe stats the full router does you canreally fsck the time warners network and screw the frequencies of everyone on your local cable share. Be warned however you take out your network to do so. And you might not get it back without their help.
Ihave had to manually reset them a couple of times for timewarner. However I haven't found any useful account data their. Just hardware settings.
I think that's not the IP address for the Motorola ( try http://192.168.100.1/ [192.168.100.1] ), but for a Linksys wireless router, like say a WRT54G.
by Anonymous Coward
on Thursday October 22, @09:38AM (#29835043)
Bridge mode is just that -- it's a connection between two separate networks. In this case, the TW box is connected to the Internet and is one point of the bridge. On the other end is your home network router, which acts as the other point of the bridge. Your network is physically separate from theirs, and joined by the single patch cable between the boxes.. This is usually how these things work anyways, even when it's all in one box. The difference here is that you're using two physical boxes to ensure the separation, which avoids absurd goofs like the one described in TFA.
Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"
Yeah, my utopian world of consumer power is better than this one of "Please, Mr Corporation, harder and deeper!"
So you are saying I should go back to dial-up...? Because that is my only alternative. Thanks for doing my cost/benefit analysis of this situation for me! It is definitely better to have worthless internet than to just maintain my own router!
How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?
How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?
Lobby as in write letters? Check.
Lobby as in send 'contributions' in the hundreds of millions of dollars a year like time warner does?
Not so much. All though if you let me borrow that amount, I will do exactly that with it. Just paypal it to me!
Sadly I have discovered they do not accept monopoly money:{
The local monopolies aren't granted by your congressman, not even your state legislator. It's on a more local level, and usually done by people who have even less information than a congressman would have.
Even if this were viable, it'd take years to oust TW, open things up, and then get another ISP in town. My house is 1/4 mile from a Verizon building (I presume the main switching station for the town), and I can't get any high-speed offering from them - no DSL, no FiOS, nothing. My options are between TW a
Speaking as someone who has no option of anything other than dial-up, I can tell you that it most certainly is worthless.
Remember back in 1999 how it would take 15 seconds to load a page? Now imagine that every page has flash instead of pictures and most serves will decide to give you a timeout message if you take longer than 45 seconds to respond to a request. Youtube, torrents, the whole digital distribution revolution is totally useless.
I dare you, go back to dial-up for two weeks. Completely worthless Internet. Yeah, I've still got Internet at the library, but that doesn't allow me to get patches for my OS or watch Youtube, now does it?
I use dialup and can access youtube videos, bittorrent the latest Stargate episodes, download pics, and so on. The only thing I can't do is access streaming video sites like NBC.com, since they require minimum 192k connections, but everything else works just fine. Even flash-heavy sites like imdb.com
One advantage I probably have over your connection is I use Netscape ISP. It uses on-the-fly image, text, and flash compression to speed things up. You providerr may not have it, so consider an upgrade: http [getnetscape.com]
That doesn't sound right. At 9.6 kbit/s it would take 8 minutes to load a single slashdot page. Even if you turned-off the java, CSS, and pics it would still requires over a minute to download. ----- Perhaps if you said 96k for your GSM that would be more realistic... about twice as fast as a dialup connection.
Have you tried Opera 10 with your modem? O10 uses compression to speed-up slow connections.
Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"
Only on slashdot would such a ridiculous "solution" be proposed, when putting the CPE in bridged mode and using your own router (which I'd think most everyone here would be doing already) would suffice.
you left out the tinfoil. No seriously you would also want to remove the antennas, or wrap the TW box in a Faraday cage IE tinfoil (OK it is unlikely but...) If anyone can remote into the Wifi/bridge config portion of the router, sounds like you could still remote into the neighbors router with this, change his wifi settings of the TW box for you to connect through, set your wifi connected box as their new dns/dhcp/etc host, change the IP of the TW box (so if they hardcoded) all their traffic would now go t
Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"
Unfortunately, in negligence cases the courts often look to the industry standard to decide what sort of precautions a company ought to take. Given that the industry standard is basically no security at all this might be a tough case. Also, to establish negligence you'd have to show some actual harm done - not just the potential for harm. "Unfit for purpose" might still get you out of the contract though.
A hacker going by the name 'Vendetta', supposedly an American living in Belgium, got fed up with the monthly data cap (at Belgacom, figured out that there's a way to find the username/password for a modem by browsing to it (much as in this article), did that to a claimed several thousand (285,000) modems, and is threatening to release them slowly over time until November 30th as long as Belgacom keeps its monthly data cap.
So far this hacker released 30 usernames/passwords, and they were found to be genuine.
Belgacom contacted authorities, is investigating the claimed method of hacking, blabla.
The modem in question with Belgacom is labeled a "B-Box2-modem".
Why are evil minions so dumb. This guy gets access to all these passwords and his only idea is to blackmail a corporate entity more evil then himself...by doling out uid/pwd combinations a few at a time...please!!
As was already stated the first action by evil corporation is to get the law on their side so they do not have to do any work to change anything. The law pursues the bad guy and he realizes the grand scheme not only fails, but now he's screwed because ultimately he either gets caught, or can't release anything else for fear of being caught and thus becomes harmless. He never gets what he wants.
Were it me (and I most certainly do not live in Belgium) and I choose to do evil I would have blasted all uid/pwds at once across as many nodes as possible thus, for a moment, potentially hurting the pockets of evil corporation. Short lived excitement with no long term reward, but still would be fun to watch the fallout.
My other idea would be to use my new found data to my advantage. Can I load slaves on all those systems so that when I want to watch streaming video of pr0n I piggyback on someone else's quota. Perhaps I can monitor usage and find users with low bandwidth and borrow (steal) from them. I would never ever share this information with others, because certainly at some point a "friend" would abuse the system, or rat me out if/when caught.
No, the guy blackmails a corporate with some stupid ass name and a piss poor methodology for revenge. Do they not teach anything at Evil U any more?
Perhaps I can monitor usage and find users with low bandwidth and borrow (steal) from them. I would never ever share this information with others, because certainly at some point a "friend" would abuse the system, or rat me out if/when caught.
(looks around)
Is there a camera in this basement? It's like I'm being watched. Oh no, I've said too much. +++
If I was him, I would have somehow figured out a way to add 285,000 TOR exit nodes.
THAT would have been fun. Every user in the country hits their quota, while completely screwing the ISP's transit quotas. They would never dare bill all of their customers for that kind of overage, they would HAVE to eat it.
Convenience and incompetence. They want to be able to run scripts to update/reconfigure all the modems and this is the first method that occured to them. Being stupid, they didn't think it through.
I don't know if they're using DOCSIS, but I can't imagine they aren't. If I'm wrong, ignore the rest of this comment; but if they are DOCSIS modems, then they get their config file from the network every time you boot them. Even if they aren't DOCSIS modems, that's still the most reasonable way to configure them, and if they didn't do that they should be shot into orbit without a suit, or perhaps with one but on a rapidly decaying orbit and without heat shields.
Yes incompetence looks like the primary cause here. Whoever hides the access to administrative functions of anything by simple javascript on a web page should be at best fired.
It is quite amazing to see how many programmers are just totally clueless about the technology they're using. It's just appauling.
According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.
Also in TFA...
Time Warner’s Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using.
According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.
Although I agree that it is dumb, I think that it is to make technical support easier for the company. If the company can go straight to your router and configure it then it makes their life easier. Of course, it turns out that it makes a lot of people's lives easier including hackers.
If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing.
And if you are a hacker planning to pwn Time Warner's SMC8014 series cable modem/Wi-Fi router combo, be sure to get your exploit written and distributed soon before the new firmware is released.
Maybe if they actually gave 0.0000000001% of a shit about the service they provide instead of spending millions trying to figure out how to fuck the customers they've oversold to out of YetAnotherPenny... nah, won't happen.
AOL/TWC have gone through so many reorganizations and consolidations, the best and brightest have been gone from the company for quite some time. This is just a result of continuing to run a failing course.
My initial, gut response to this was sheer horror. They list exploit and target side-by-side! The only mention of a fix is that it's to be 'released soon', informing any malicious agents out there that now is the time to strike.
Reading the Wired article, the right thing was done. Big company was sitting on their hands, and now that publicity has been made, they're starting to move.
Wired did the right thing. But this summary, it's fear-mongering and bad journalism.
This isn't just a security vulnerability - those things happen. This is gross negligence. There are 3 simultaneous absolutely bone-headed things here:
- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers. - JAVASCRIPT is their security? That was dumb back in 1998, but who does that now? - CLEAR TEXT username/password? There was this great technique we used back in 1975 called hashing. Look it up. Why does it even write the username/password out anyway?
This is one of those cases of just too many stupid things all at once for it to be a mistake.
- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
I heard a story that a major public University had exactly this kind of vulnerability in its new financial system. It was found and plugged, but it never should have been their in the first place. I'd reveal which University, but the story was passed down to me 3rd hand so it's not completely verified.
This kind of idiocy is more common than you'd think. Too many programmers aren't taught to think about security and develop
- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
Even the cheesy home routers have this as an option, but it's always buried deep in the 'advanced' configuration options, and it's ALWAYS disabled by default.
Some years ago, part of my tech support job was to set up PLANET [planet.com.tw] ADSL modem/wifi routers. I quickly noticed that the admin login / password was embedded in most configuration pages. But not to worry, they had cleverly hidden them with this brilliant security technique :
How stupid could they possible have been? It's easy (with the correct equipment) to extract white text on a white background. They should have used style="display: none"
The Javascript thing isn't important - that's how the device operates because it's been told to and, in 99% of circumstances it's an internal-only device. My printer offers up a lot worse options. However, exposing that interface to the web is stupid, as are using standardised passwords.
The former is nothing but user-education and/or forcing them into a password from the factory (like a lot of wireless routers comes with WPA keys printed on the bottom of them).
For the latter, a lot of cheap ADSL modems/routers do this, it's hardly a shock. Some of them run telnet on ports 254/255 and the only way to get rid of it is to forward that port to a non-existent IP address. Yes, it's crap security. Yes, they should know better. But, additionally, it's their fault from day one and people have known about this for YEARS.
It would also pick up on *any* external security scanner (e.g. nmap, GRC.com's ShieldsUp!) and any competent person would be testing any new system with something like that anyway. I know I've always scanned whenever I've used a new connection, if only to find what proxy servers / port-blocking / port-forwarding are in place. And yet all my Internet connections have hard-coded DNS, the router acts as nothing more than a passthrough to a real firewall (usually Linux iptables, if only for decent, configurable NAT / port-forwarding) and anything vaguely suspicious on an external scan is investigated (my ISP offer port 139 filtering as default, for example).
If you didn't know about it, test it. If you haven't already disabled it, do so. If you're that worried, change the device. This type of problem has been around for YEARS, and only the bog-standard, password is 'password', home users would ever be hurt by it. I think it's disgusting that they are, but they are not the only ISP / modem / router that has these problems.
And to claim this is new/shocking is quite misleading - most router manufacturers have suffered from this since ADSL became mainstream. Even things like BT's HomeHub have had similar security problems over the years.
I was very much worried when I got Verizon FiOS. The Verizon supplied router is actually a linux box that has a web server and it throws a username/password dialog to the WAN side. I was worried so much I had another old router behind the Verizon router and connected my machines to this second router. But the other router was
old and it maxed out at 10Mbps and FiOS was delivering 20Mbps. So I did some googling. Found that Verizon has been shipping that kind of routers for more than 5 years and so far no hack has been found. So I removed my second line of defense. Looks like it is a prudent idea to buy a more capable modern router and protect
the machines from possible future hacks.
The only prudent thing to do with these things... (Score:5, Insightful)
...is to put them in bridge mode and use your own router (no matter who your provider is). Same with DSL modems. Even when they aren't misconfigured (deliberately or due to sheer incompetence) the firmware is usually buggy and limited.
Re:The only prudent thing to do with these things. (Score:5, Insightful)
While I agree with you, the issue usually isn't the small percentage of technically savvy people who use this, but rather the majority of folks looking to "plug and play". These are the security gaps that allow zombie DDoS attacks to happen so easily, as they open up easy access to lot's of similarly configured boxes.
Parent
Re:The only prudent thing to do with these things. (Score:4, Insightful)
I was under the impression that the only user-configurable option is to add URLs to a blocking list. There is no way to put it in bridge mode, and even if it was someone could log on and change it, and simply pass all your data to their servers anyway.
This is the kind of setup you give people who don't know about security, so they can't muck it up. Of course, it needs to be secure in the first place, so this is a huge issue and fixable only with firmware (or different hardware).
Parent
Re:The only prudent thing to do with these things. (Score:5, Informative)
So apparently no worries regarding this vulnerability for me, but this certainly sucks for 65K other people.
Parent
Re: (Score:3, Informative)
You have the same as I then. Into a browser visit http://192.168.1.1/ [192.168.1.1] and play around. While it doesn't havethe stats the full router does you canreally fsck the time warners network and screw the frequencies of everyone on your local cable share. Be warned however you take out your network to do so. And you might not get it back without their help.
Ihave had to manually reset them a couple of times for timewarner. However I haven't found any useful account data their. Just hardware settings.
Re: (Score:3, Informative)
I think that's not the IP address for the Motorola ( try http://192.168.100.1/ [192.168.100.1] ), but for a Linksys wireless router, like say a WRT54G.
Re:The only prudent thing to do with these things. (Score:4, Insightful)
Parent
They need to act on this immediately! (Score:5, Funny)
Why wait? (Score:2, Insightful)
Yeah, my utopian world of consumer power is better than this one of "Please, Mr Corporation, harder and deeper!"
Re:Why wait? (Score:5, Informative)
Parent
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
How about lobbying your congressman to get the monopoly given to Time Warner / AT&T / Comcast / Sprint or whatever split up as anti-competitive and not just taking a big rubbery one up the wrong'un?
Lobby as in write letters?
Check.
Lobby as in send 'contributions' in the hundreds of millions of dollars a year like time warner does? :{
Not so much. All though if you let me borrow that amount, I will do exactly that with it. Just paypal it to me!
Sadly I have discovered they do not accept monopoly money
Re:Why wait? (Score:4, Funny)
Sadly I have discovered they do not accept monopoly money :{
What do you mean? They've been accepting money from various monopolies for decades!
Parent
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
The local monopolies aren't granted by your congressman, not even your state legislator. It's on a more local level, and usually done by people who have even less information than a congressman would have.
Even if this were viable, it'd take years to oust TW, open things up, and then get another ISP in town. My house is 1/4 mile from a Verizon building (I presume the main switching station for the town), and I can't get any high-speed offering from them - no DSL, no FiOS, nothing. My options are between TW a
Re: (Score:3)
This is where you write to your congressman backing a similar scheme as is being mandated in Sweden; Guaranteed 1MB downstream to the home.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Re:Why wait? (Score:4, Interesting)
Speaking as someone who has no option of anything other than dial-up, I can tell you that it most certainly is worthless.
Remember back in 1999 how it would take 15 seconds to load a page? Now imagine that every page has flash instead of pictures and most serves will decide to give you a timeout message if you take longer than 45 seconds to respond to a request. Youtube, torrents, the whole digital distribution revolution is totally useless.
I dare you, go back to dial-up for two weeks. Completely worthless Internet. Yeah, I've still got Internet at the library, but that doesn't allow me to get patches for my OS or watch Youtube, now does it?
Parent
Re: (Score:3, Informative)
I use dialup and can access youtube videos, bittorrent the latest Stargate episodes, download pics, and so on. The only thing I can't do is access streaming video sites like NBC.com, since they require minimum 192k connections, but everything else works just fine. Even flash-heavy sites like imdb.com
One advantage I probably have over your connection is I use Netscape ISP. It uses on-the-fly image, text, and flash compression to speed things up. You providerr may not have it, so consider an upgrade: http [getnetscape.com]
Re: (Score:3, Interesting)
That doesn't sound right. At 9.6 kbit/s it would take 8 minutes to load a single slashdot page. Even if you turned-off the java, CSS, and pics it would still requires over a minute to download. ----- Perhaps if you said 96k for your GSM that would be more realistic... about twice as fast as a dialup connection.
Have you tried Opera 10 with your modem? O10 uses compression to speed-up slow connections.
Re: (Score:3, Informative)
Install your own patch right now by cancelling your Time Warner contract, throwing the router in the trash, and getting a new ISP with better hardware. Hell, fork out $50 for a tried and tested model from Newegg. Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"
Only on slashdot would such a ridiculous "solution" be proposed, when putting the CPE in bridged mode and using your own router (which I'd think most everyone here would be doing already) would suffice.
Re: (Score:3, Insightful)
you left out the tinfoil. No seriously you would also want to remove the antennas, or wrap the TW box in a Faraday cage IE tinfoil (OK it is unlikely but...)
If anyone can remote into the Wifi/bridge config portion of the router, sounds like you could still remote into the neighbors router with this, change his wifi settings of the TW box for you to connect through, set your wifi connected box as their new dns/dhcp/etc host, change the IP of the TW box (so if they hardcoded) all their traffic would now go t
Re: (Score:3, Interesting)
Be sure to tell Time Warner to "Abragofuckyourself" when they say you're tied into a contract by using the words "unfit for purpose" "gross criminal negligence" and "class action"
Unfortunately, in negligence cases the courts often look to the industry standard to decide what sort of precautions a company ought to take. Given that the industry standard is basically no security at all this might be a tough case. Also, to establish negligence you'd have to show some actual harm done - not just the potential for harm. "Unfit for purpose" might still get you out of the contract though.
Related to Belgacom hack and 'ransom'? (Score:5, Informative)
I wonder if this is the same 'hack' used to attack Belgacom.
http://tweakers.net/nieuws/63200/belgacom-hacker-publiceerde-authentieke-inloggegevens-van-klanten.html [tweakers.net]
For the curious, a quick recap in English...
A hacker going by the name 'Vendetta', supposedly an American living in Belgium, got fed up with the monthly data cap (at Belgacom, figured out that there's a way to find the username/password for a modem by browsing to it (much as in this article), did that to a claimed several thousand (285,000) modems, and is threatening to release them slowly over time until November 30th as long as Belgacom keeps its monthly data cap.
So far this hacker released 30 usernames/passwords, and they were found to be genuine.
Belgacom contacted authorities, is investigating the claimed method of hacking, blabla.
The modem in question with Belgacom is labeled a "B-Box2-modem".
Re:Related to Belgacom hack and 'ransom'? (Score:4, Funny)
Why are evil minions so dumb. This guy gets access to all these passwords and his only idea is to blackmail a corporate entity more evil then himself...by doling out uid/pwd combinations a few at a time...please!!
As was already stated the first action by evil corporation is to get the law on their side so they do not have to do any work to change anything. The law pursues the bad guy and he realizes the grand scheme not only fails, but now he's screwed because ultimately he either gets caught, or can't release anything else for fear of being caught and thus becomes harmless. He never gets what he wants.
Were it me (and I most certainly do not live in Belgium) and I choose to do evil I would have blasted all uid/pwds at once across as many nodes as possible thus, for a moment, potentially hurting the pockets of evil corporation. Short lived excitement with no long term reward, but still would be fun to watch the fallout.
My other idea would be to use my new found data to my advantage. Can I load slaves on all those systems so that when I want to watch streaming video of pr0n I piggyback on someone else's quota. Perhaps I can monitor usage and find users with low bandwidth and borrow (steal) from them. I would never ever share this information with others, because certainly at some point a "friend" would abuse the system, or rat me out if/when caught.
No, the guy blackmails a corporate with some stupid ass name and a piss poor methodology for revenge. Do they not teach anything at Evil U any more?
Parent
Re: (Score:3, Funny)
Perhaps I can monitor usage and find users with low bandwidth and borrow (steal) from them. I would never ever share this information with others, because certainly at some point a "friend" would abuse the system, or rat me out if/when caught.
(looks around)
Is there a camera in this basement? It's like I'm being watched. Oh no, I've said too much. +++
ATH
^&@^&%*!!%*!@
NO CARRIER
Re: (Score:3, Funny)
If I was him, I would have somehow figured out a way to add 285,000 TOR exit nodes.
THAT would have been fun. Every user in the country hits their quota, while completely screwing the ISP's transit quotas. They would never dare bill all of their customers for that kind of overage, they would HAVE to eat it.
the routers also expose their web interfaces to (Score:5, Funny)
the public-facing internet
wait. what? why?
Re: the routers also expose their web interfaces t (Score:5, Insightful)
Convenience and incompetence. They want to be able to run scripts to update/reconfigure all the modems and this is the first method that occured to them. Being stupid, they didn't think it through.
Parent
Re: (Score:3, Interesting)
I don't know if they're using DOCSIS, but I can't imagine they aren't. If I'm wrong, ignore the rest of this comment; but if they are DOCSIS modems, then they get their config file from the network every time you boot them. Even if they aren't DOCSIS modems, that's still the most reasonable way to configure them, and if they didn't do that they should be shot into orbit without a suit, or perhaps with one but on a rapidly decaying orbit and without heat shields.
Re: the routers also expose their web interfaces t (Score:4, Insightful)
Yes incompetence looks like the primary cause here. Whoever hides the access to administrative functions of anything by simple javascript on a web page should be at best fired.
It is quite amazing to see how many programmers are just totally clueless about the technology they're using. It's just appauling.
Parent
FAIL (Score:2, Interesting)
According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.
Also in TFA...
What's more? Gnome With the Ping of Death? ;)
Re: (Score:3, Informative)
According to TFA (my karma be damned), Web-based admin UI is enabled on these routers, not only for the LAN but for the whole fucking Internet. This must be the dumbest default setting ever.
Although I agree that it is dumb, I think that it is to make technical support easier for the company. If the company can go straight to your router and configure it then it makes their life easier. Of course, it turns out that it makes a lot of people's lives easier including hackers.
A hack? Hardly (Score:2)
This is not a hack, this is incompetence from the guys who sold that in the first place.
Are all Time Warner employees marketers or something?
Clock is ticking (Score:2, Funny)
If you use Time Warner's SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing.
And if you are a hacker planning to pwn Time Warner's SMC8014 series cable modem/Wi-Fi router combo, be sure to get your exploit written and distributed soon before the new firmware is released.
Re: (Score:2)
Or just wait for the new firmware and hack that: it will be just as bad.
Maybe (Score:2, Insightful)
That's what they get... (Score:2, Insightful)
AOL/TWC have gone through so many reorganizations and consolidations, the best and brightest have been gone from the company for quite some time. This is just a result of continuing to run a failing course.
re: the summary (Score:4, Informative)
Reading the Wired article, the right thing was done. Big company was sitting on their hands, and now that publicity has been made, they're starting to move.
Wired did the right thing. But this summary, it's fear-mongering and bad journalism.
Re: (Score:3, Funny)
You must be new here.
Multiple-levels of incompetence (Score:5, Insightful)
This isn't just a security vulnerability - those things happen. This is gross negligence. There are 3 simultaneous absolutely bone-headed things here:
- PUBLIC facing web configuration? I have never, ever, ever, seen a router that did that. Not even cheesy home routers.
- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
- CLEAR TEXT username/password? There was this great technique we used back in 1975 called hashing. Look it up. Why does it even write the username/password out anyway?
This is one of those cases of just too many stupid things all at once for it to be a mistake.
Re: (Score:3, Informative)
- JAVASCRIPT is their security? That was dumb back in 1998, but who does that now?
I heard a story that a major public University had exactly this kind of vulnerability in its new financial system. It was found and plugged, but it never should have been their in the first place. I'd reveal which University, but the story was passed down to me 3rd hand so it's not completely verified.
This kind of idiocy is more common than you'd think. Too many programmers aren't taught to think about security and develop
Re:Multiple-levels of incompetence (Score:4, Interesting)
Even the cheesy home routers have this as an option, but it's always buried deep in the 'advanced' configuration options, and it's ALWAYS disabled by default.
Parent
Still better than PLANET... (Score:5, Funny)
...
Re:Still better than PLANET... (Score:5, Funny)
Parent
Not surprising (Score:4, Interesting)
The Javascript thing isn't important - that's how the device operates because it's been told to and, in 99% of circumstances it's an internal-only device. My printer offers up a lot worse options. However, exposing that interface to the web is stupid, as are using standardised passwords.
The former is nothing but user-education and/or forcing them into a password from the factory (like a lot of wireless routers comes with WPA keys printed on the bottom of them).
For the latter, a lot of cheap ADSL modems/routers do this, it's hardly a shock. Some of them run telnet on ports 254/255 and the only way to get rid of it is to forward that port to a non-existent IP address. Yes, it's crap security. Yes, they should know better. But, additionally, it's their fault from day one and people have known about this for YEARS.
It would also pick up on *any* external security scanner (e.g. nmap, GRC.com's ShieldsUp!) and any competent person would be testing any new system with something like that anyway. I know I've always scanned whenever I've used a new connection, if only to find what proxy servers / port-blocking / port-forwarding are in place. And yet all my Internet connections have hard-coded DNS, the router acts as nothing more than a passthrough to a real firewall (usually Linux iptables, if only for decent, configurable NAT / port-forwarding) and anything vaguely suspicious on an external scan is investigated (my ISP offer port 139 filtering as default, for example).
If you didn't know about it, test it. If you haven't already disabled it, do so. If you're that worried, change the device. This type of problem has been around for YEARS, and only the bog-standard, password is 'password', home users would ever be hurt by it. I think it's disgusting that they are, but they are not the only ISP / modem / router that has these problems.
And to claim this is new/shocking is quite misleading - most router manufacturers have suffered from this since ADSL became mainstream. Even things like BT's HomeHub have had similar security problems over the years.
Not a hack (Score:3, Insightful)
VErizon FiOS routers do something similar (Score:5, Interesting)
Re: (Score:3, Insightful)
You should always have a key to show to the cops