Forgot your password?
typodupeerror
Networking Security

Verizon Changing Users Router Passwords 545

Posted by timothy
from the has-this-happened-to-you? dept.
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
This discussion has been archived. No new comments can be posted.

Verizon Changing Users Router Passwords

Comments Filter:
  • uhhh (Score:5, Insightful)

    by buddyglass (925859) on Sunday August 01, 2010 @03:36PM (#33102802)
    Maybe they were able to access your router because the password was still password1 ?
    • Re:uhhh (Score:5, Insightful)

      by cosm (1072588) <thecosm3@EEEgmail.com minus threevowels> on Sunday August 01, 2010 @03:38PM (#33102832)
      End of thread. No further comments are necessary.
      • Re:uhhh (Score:5, Insightful)

        by complacence (214847) on Sunday August 01, 2010 @04:20PM (#33103274)

        What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

        If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

        Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

        Why is there an open forced access port/back door?
        Is that ok without telling the owner?
        What security is in place that entities besides Verizon can't access it?

        • Re:uhhh (Score:5, Informative)

          by Jah-Wren Ryel (80510) on Sunday August 01, 2010 @05:03PM (#33103624)

          I have fios and I have gone to my own software router running in a VM. But before I completely dumped the actiontec (which is really nice hardware for a router, but not all the well supported by alternative firmwares due to actiontec being asses about the GPL for a really long time), I noticed traffic on that port. After only cursory investigation, the impression I got was that the router was "phoning home" to verizon. That's how it got firmware updates and, I presume in this case, the password was changed. That "phoning home" behavior was something that creeped me out because I have no idea what it's reporting or what changes might be made, so it's what goosed me to start looking into alternative firmwares and eventually go the VM route instead.

          • Re:uhhh (Score:5, Informative)

            by jcostom (14735) on Sunday August 01, 2010 @09:19PM (#33105896) Homepage
            Interesting.. When we first got FiOS, they were only doing Internet & Phone (TV came 2 years later), and handing out D-Link routers. Since I work for a network manufacturer, the first thing I did was swap it out for a real firewall. 2 years later, they started doing TV in our area, they brought out an Actiontec, wanting to replace my firewall with theirs. Fortunately, I came upon a solution that worked perfectly, and doesn't involve using their router directly (shocked the installers that came out to do our TV install). I've got the Ethernet WAN port of their router plugged into an isolated zone on my firewall (where my Guest WLAN also lives), with the cable wire still connected (so the cable boxes can get guide data). This isolated zone has access to the Internet only, nothing on my "regular" network at all. Works like a champ. Get your FiOS Internet delivered over Cat5 if you can get the installer to do it, then hook up the router that way. The cable boxes don't seem to mind 2 layers of NAT, so I see no reason not to deploy like this.
        • Re: (Score:3, Informative)

          by Anonymous Coward

          If his FIOS router is something like the Actiontec MI424WR, the datasheet specifically states it supports TR-069

          http://en.wikipedia.org/wiki/TR-069

          Its their CPE, not his router, even if he changed the passwords and changed the firewall.

          • Re: (Score:3, Interesting)

            by David_W (35680)

            Its their CPE, not his router, even if he changed the passwords and changed the firewall.

            Not exactly (and this is why I hate how some devices blur the distinction between CPE and personal equipment, like cable modems). The Actiontec they give you with the service IS yours; if I were to cancel my FIOS service today they can't ask for me to return the router. I would be free to take it elsewhere and use it on something that isn't their service.

            That said, I always figured there were "gotchas" like this in the supplied router, which is why I stopped using it shortly after I got FIOS. I like the

        • Re:uhhh (Score:5, Insightful)

          by Roger W Moore (538166) on Sunday August 01, 2010 @05:35PM (#33103872) Journal

          He said [slashdot.org] he disabled administrative access from outside.

          Given the level of competence he has displayed I frankly suspect that he failed to do that correctly or, if he did, he probably ended up blocking access from outside the ISP subnet.

          Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere.

          He probably did - there is usually some clause somewhere where you agree to let them take action to prevent security breaches or some such. Failing that there is always a clause which lets them disconnect incorrectly configured hardware which poses a risk to the network which this arguably does. So would you advocate disconnecting the router and sending letter that customers have to reconfigure the default password before it will be allowed to reconnect? It's hard to see how anyone can complain about their actions. There is no private data stored on the router nor did they change any setting beyond the minimum needed to secure it. This is the sort of thing that a sysadmin does for you and that people usually say "thank you" for.

        • Re:uhhh (Score:5, Insightful)

          by INT_QRK (1043164) on Sunday August 01, 2010 @05:59PM (#33104114)
          I got the same message from Verizon FIOS. All I can think to say is, "thank you Verizon" for being proactive in addressing an identified security issue about which I was previously unaware. Please keep up the due diligence.
        • Re:uhhh (Score:5, Informative)

          by Anti_Climax (447121) on Sunday August 01, 2010 @06:14PM (#33104270)

          What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

          Administrative access was not used for this. His actiontec, along with most other telco distributed CPEs use the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.

          If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

          Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. see Pharming [wikipedia.org]

          Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

          Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.

          Why is there an open forced access port/back door?

          There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.

          Is that ok without telling the owner?

          Are we that sure it wasn't in that contract he signed?

          What security is in place that entities besides Verizon can't access it?

          A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.

        • Re:uhhh (Score:5, Informative)

          by luca (6883) on Sunday August 01, 2010 @06:53PM (#33104668) Homepage

          What are you all on about? He said [slashdot.org] he disabled administrative access from outside.

          He disabled the user visible administrative interface.

          Google for tr69 and you'll be enlightened.

          In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.

        • Re: (Score:3, Informative)

          My friend works for Verizon and warned me about port 4567 so I blocked it as soon as I got the service. This is scary because they can install any software on your router at any time.. Even to monitor your traffic on you LAN side. Even though I blocked the port, after hearing this, now may get rid of the actiontech, although it is a nice router.
      • Re:uhhh (Score:5, Informative)

        by Ksevio (865461) on Sunday August 01, 2010 @04:39PM (#33103428) Homepage
        If that were the whole story then it would be end of thread. Verizon changed the LAN side password remotely using their backdoor to the system. The backdoor uses a completely different authentication system. The only time the LAN side access password is useful is if you're already on the network, at which point there are probably more pressing security issues.
        • by Zen Hash (1619759)

          If that were the whole story then it would be end of thread. Verizon changed the LAN side password remotely using their backdoor to the system. The backdoor uses a completely different authentication system. The only time the LAN side access password is useful is if you're already on the network, at which point there are probably more pressing security issues.

          It's also useful if an attacker can, by any means, get any one of the people already on the network to visit a URL. If an attacker knows that many people are using the same password on their routers, he simply has to setup the exploit once then use any technique he prefers to bring in visitors. (ad networks, gain access to a popular site and modify a page or two, spam the URL all over the place, etc.)

      • Re:uhhh (Score:4, Insightful)

        by darthwader (130012) on Sunday August 01, 2010 @05:59PM (#33104104) Homepage

        I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."

        Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?

        Verizon can probably get away with this, because on page 239 of the user agreement he signed it says "Verizon reserves the right to do anything we want to you and your property, forever, because we know you won't read this far into the agreement, you're just going to sign it after skimming the first page. Sucker." But still, even if the poster did agree to this in a user agreement, Verizon should NOT be hacking into and reconfiguring other people's equipment, even if they think it's a good idea.

        • Re:uhhh (Score:5, Informative)

          by surferx0 (1206364) on Monday August 02, 2010 @01:30AM (#33107240)

          I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."

          Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?

          Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.

    • Re: (Score:2, Informative)

      by Kohenkatz (1166461)
      I thought that blocking administrative access from WAN would have been enough.
      • Re:uhhh (Score:4, Insightful)

        by phoenixwade (997892) on Sunday August 01, 2010 @03:54PM (#33103010)

        I thought that blocking administrative access from WAN would have been enough.

        I'm gonna get modded troll for this, but "Thinking" was not what you were doing.

        You missed thinking in three key ways:

        • you didn't change the default password to something other than a common default password
        • You apparently were upset by them doing you a favor and changing the password
        • And the least amount of thinking in this entire thing: You told the Slashdot community about this? you deserve every thing you are about to read.
    • by Anonymous Coward

      It doesnt matter what his password was, they broke into his router illegally

      • Re: (Score:2, Insightful)

        No, they entered a router which they lease to him with the intention of making their network more secure. You don't get the right to update your firmware just using your own modem on a cable network, so this is likely covered by the contract.
        • by flosofl (626809) on Sunday August 01, 2010 @04:15PM (#33103228) Homepage

          You don't get the right to update your firmware just using your own modem on a cable network

          Yes, I do. And have. However, if an update borks my connection, I'm shit out of luck as far as support from them is concerned. (I made a point of looking at my TOS when I did the update to make sure they couldn't kick me off for doing it).

        • by whoever57 (658626) on Sunday August 01, 2010 @04:34PM (#33103370) Journal

          No, they entered a router which they lease to him with the intention of making their network more secure

          What part of "I own the router, not them" do you not understand?

          That goes for you too, mods!



          I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.

        • RTFA (Score:4, Informative)

          by pgmrdlm (1642279) on Sunday August 01, 2010 @04:43PM (#33103466) Journal
          From the article:

          am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.

          He owns the router, they don't. He doesn't lease it.

          • Re: (Score:3, Informative)

            by BlackWind (11057)

            If the guy has Verizon FiOS, and is using the ActionTec router that was installed as part of the service, he does not own it. Verizon does NOT sell the router to the customer. (Buying the router is never an option.)
            Verizon supplies the router to support TV & Internet services over FiOS, and Verizon will repair or replace the router at any time that there is a problem with it without charging the customer. (With the exception of incidents of vandalism, or a pattern of abuse requiring multiple swaps of th

        • Re: (Score:3, Informative)

          You don't get the right to update your firmware just using your own modem on a cable network, so this is likely covered by the contract.

          Since when? The law allows you to use your own equipment (as the writer did; he said it was his OWN router). I too use my own cable adapter and router, which are both better equipment than the cable company leases. And the cable company has neither the legal or contractual right to access them without my permission. If they did, they would be guilty of illegally accessing my computer equipment over a network, which can be prosecuted as a FELONY in some cases.

      • by cosm (1072588)

        Verizon-supplied Actiontec router had the password 'password1.'

        Saying that it is purely 'his' could be questioned. It is hardware that they supplied him, and he is operating it on their network. I am not disagreeing completely with the moral stickiness of what they did, but a blanket 'it is illegal' statement would have a tough time in court, considering the weight these telcos have in terms of money and lawyers. Despite good idealistic intentions in defending the posters disdain, unfortunately the real world will have much less pity and sympathy.

        • Re: (Score:3, Informative)

          by Nikkos (544004)
          So what if they sold it to him? If it's his, and they accessed it without permission (no matter what the password) then they broke the law.
          • Re: (Score:2, Insightful)

            Not if the router is leased rather than owned. Since that's the way most internet companies work, I'm going to bet it's leased, and there's a clause in the contract that lets them access it for security purposes.
    • Re: (Score:3, Insightful)

      by Alsee (515537)

      About 12 out of the 20 posts so far all say the same thing. It's time to kill this entire story. It never should have appeared in the first place.

      -

    • by syousef (465911)

      Maybe they were able to access your router because the password was still password1 ?

      I think he would have preferred that they left his password alone and that instead some malicious hacker got in there and really did some damage. I wonder what feat of administrative magic he could do? Perhaps reset the router to default settings (removing any back doors he's worried about) and setting his own damn password. Nah, that would require taking some personal responsibility. Much better to yell "I've fallen and I can't get up" on a public board. What was your IP address again? You've broadcast tha

    • by rolfwind (528248)

      I have to check, but I have the same actiontec router and I believe the default setting is not to allow anyone not in the internal network to change settings or even remotely access it or log in, even if you have the correct password. This would seem to circumvent that.

    • Re:uhhh (Score:4, Informative)

      by Ksevio (865461) on Sunday August 01, 2010 @04:08PM (#33103154) Homepage

      No, they were able to because they used their backdoor which has it's own password to login and change it.

      Realistically the password of the router doesn't matter if you have remote management turned off, but Verizon thinks that people are going around cracking the WEP keys and changing peoples routers.

      They did the same to my router so I blocked port 4567.

  • by Anonymous Coward on Sunday August 01, 2010 @03:36PM (#33102806)
    Maybe they were able to change it because you were too lazy to do it in 3 years. For the first time, I think Verizon did the right thing in this case instead of letting stupid users be online and get potentially hacked and become a nuisance to the internet.
    • by Idbar (1034346)
      Also, as far as my contracts says: It's not my router unless I've been with them for more than 2 years.
  • by BondGamer (724662) on Sunday August 01, 2010 @03:37PM (#33102818) Journal
    You had kept your password as password1, yet are complaining about Verizon being able to change your password?
    • by PinkyGigglebrain (730753) on Sunday August 01, 2010 @04:23PM (#33103304)
      I think his concern is that Verizon was able to change it from the outside.

      That he left it with such a weak password is beside the point. The routers I've worked with will not allow administration level access over the outside port or wireless connection unless explicitly allowed by the admin, so Verizon being able to do just that should raise a few questions.

      He owns the router, right, and yet Verizon thought they had the right to log in and change his password.

      Makes me wonder if they have a firmware coded backdoor/admin password into the router.
  • by wiredlogic (135348) on Sunday August 01, 2010 @03:38PM (#33102836)

    Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.

    • by thestuckmud (955767) on Sunday August 01, 2010 @04:04PM (#33103108)
      My provider allows third party modems. Absent a conspiracy between manufacturers and providers, there is no way they can force updates on my equipment.

      You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.

      • I would be very suspicious that you're not correct, at least if you're dealing with cable. I own a modem on my cable line, yet Comcast updates the modem with firmware (via a push) periodically. I have no control over that.
  • I'm upset (Score:3, Insightful)

    by OverlordQ (264228) on Sunday August 01, 2010 @03:38PM (#33102840) Journal

    I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!

    I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.

    • Re: (Score:2, Informative)

      by Kohenkatz (1166461)
      You can't get in to my router from outside except on Verizon's maintenance port - and I didn't know they can do password changes from there.
  • I'm assuming that by "and it had actually been changed" you mean that they changed, not that you did before them. If you had the password left as it's initial value, they set this for you, and the change they made did the same, just to a more secure value. If they changed your password even though you had already done it, my apologies, as that ain't right. I would hope that if you changed your password to a custom value, they have no way to change anything on your router.
  • by mhkohne (3854) on Sunday August 01, 2010 @03:39PM (#33102850) Homepage

    If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!

    • by fuzzyfuzzyfungus (1223518) on Sunday August 01, 2010 @04:07PM (#33103138) Journal
      There is no particular reason to suspect that changing the password would alter their level of access.

      On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe(and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.

      We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.
  • by dave562 (969951) on Sunday August 01, 2010 @03:42PM (#33102870) Journal

    Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.

  • by Raxxon (6291) on Sunday August 01, 2010 @03:42PM (#33102878)

    I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.

    Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).

    Please contact Verizon, ask them to cancel your service and GTFO the internets plz.

    • Apparently, Verizon isn't trying to access routers that aren't their own property. Shocker.
      • by Raxxon (6291)

        Technically they have tried to access because they most likely can't 100% determine if it is their router or not on the other end. They attempt to connect, are unable to connect and move on.

        Basically not much more harmful than the random portscans I get on a daily basis...

  • by mandark1967 (630856) on Sunday August 01, 2010 @03:46PM (#33102918) Homepage Journal

    Lazy Fuck receives router with password set to password1
    Lazy Fuck doesn't change it for THREE fucking years
    ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
    ISP Emails Lazy Fuck with new password
    ISP changes password so Lazy Fuck doesn't get wtfpwn3d
    Lazy Fuck whines like a petulant little schoolgirl

    How did this retard even find slashdot, let alone create an account and post?

    lazy fuck could be lit on fire next to a pool and he'd burn to death.

    • In honor of the movie Dinner for Schmucks [imdb.com] Is Slashdot holding a contest for stupid submissions? Come on, I have a device on the internet with the default password and someone changed it. Please thank the nice ISP and go back to watching reruns of Gilligan's Island on Hulu. Nothing to see here, move along.
    • Re: (Score:3, Funny)

      by ntdesign (1229504)

      lazy fuck could be lit on fire next to a pool and he'd burn to death.

      And complain if someone pushed him in to it.

  • Pro tip: If the router is "yours", you might want to set a password for it that only you know.

    Has there ever been a dumber article on /.? I think this is a strong candidate for winning the contest.

  • Or maybe... (Score:2, Interesting)

    by segin (883667)

    It's because the router is Verizon property and they probably have access to it no matter what your password is?

    Actually, I've never used FiOS but I've always assumed that the routers remained property of Verizon, same as the set-top-boxes for television do. If someone can prove this, one way or another, I'd like to know.

    P.S., on another note, has anyone tried to port a free router distro to the Westell 9100EM [verizon.net] routers specially made for Verizon as FiOS routers and MoCA [wikipedia.org] gateways. It seems Westell released th [westell.com]

  • by spartacus_prime (861925) on Sunday August 01, 2010 @03:50PM (#33102964) Homepage
    <Cthon98> hey, if you type in your pw, it will show as stars
    <Cthon98> ********* see!
    <AzureDiamond> hunter2
    <AzureDiamond> doesnt look like stars to me
    <Cthon98> <AzureDiamond> *******
    <Cthon98> thats what I see
    <AzureDiamond> oh, really?
    <Cthon98> Absolutely
    <AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    <AzureDiamond> haha, does that look funny to you?
    <Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    <AzureDiamond> thats neat, I didnt know IRC did that
    <Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    <AzureDiamond> awesome!
    <AzureDiamond> wait, how do you know my pw?
    <Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    <AzureDiamond> oh, ok.
  • Huh!? (Score:2, Redundant)

    by topham (32406)

    Your worried about their level of access when you left it with the default password?

    Change the thing yourself. DUH.

  • by djlowe (41723) * on Sunday August 01, 2010 @03:52PM (#33102990)
    Hi,

    I checked and it actually had been changed.

    OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?

    I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!

    No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.

    I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

    I imagine they at least understand the importance of password security, where you apparently did not.

    You're not a nerd, this isn't news that matters... slow day, Timothy?

    Regards,

    dj

    • by phantomfive (622387) on Sunday August 01, 2010 @04:58PM (#33103584) Journal

      You're not a nerd, this isn't news that matters... slow day, Timothy?

      It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.

      Slashdot should start a new Sunday feature, call it, "Is it Real?" or something, where they post stories like this and make us try to guess if the original post is real or not.

      This man (original poster) should never change. He should preserve himself as he is, so all of us can look at him and wonder, how is such a thing possible. It is a sterling example of what the human race is truly capable of.

      The opening line is the best, let me quote it again just because it makes me laugh out loud every time I read it:

      I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago.

      Seriously, how on earth could anyone think that was a clever thing to write? He's an Eliza-bot or something.

      • Re: (Score:3, Insightful)

        It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.

        I have thoroughly enjoyed watching dozens of geeks, who believe themselves to be technology gurus in general, get so UTTERLY confused about what password was changed and what it normally does and fly off in uncontrollable rage at the original poster over a situation which they have so comprehensively misunderstood. The password which Verizon changed exists only to stop technologically illiterate people who live in the same house from mucking the router up. Assuming that OP was right when he said that WAN ac

        • Re: (Score:3, Insightful)

          by phantomfive (622387)
          I hate to break it to you, but you are the utterly confused one, and on top of that, you can't read. The link to the vulnerability is in the summary. The guy had a link to the vulnerability in the summary he wrote. It is too sweet.
  • by IBBoard (1128019) on Sunday August 01, 2010 @04:05PM (#33103114) Homepage

    At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).

    The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!

  • In his defense... (Score:3, Insightful)

    by sanosuke001 (640243) on Sunday August 01, 2010 @04:05PM (#33103116)
    Most routers do not allow remote administration unless you specifically enable it. If it was disabled; he shouldn't have a problem with a bad password. The router "shouldn't" allow anyone to log in remotely.

    Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
    • Re:In his defense... (Score:4, Informative)

      by lordlod (458156) on Sunday August 01, 2010 @09:28PM (#33105942)

      He does have a problem with a bad password, there are some fairly clever javascript attacks that target exactly this situation, remote admin disabled and all.

      The web browser is tricked to connect to a default router address (like 10.0.0.1) with a default login (admin/password1) and changes whatever settings it wants, perhaps just opening remote administration. Because the connection to the router comes from the local PC this isn't "remote" administration. There are few enough possible combinations that you can brute force the default login really easily and enough people with default set ups to make it very worth while.

      If Verizon has all of their customers with the same router, the same network setup and the same password... it would be negligent not to do everything they could to help protect their customers.

  • An insider says: (Score:2, Informative)

    by dicobalt (1536225)
    Comcast and AT&T have access to routers that they supplied as well. This isn't limited to Verizon.
  • by jimicus (737525) on Sunday August 01, 2010 @04:07PM (#33103132)

    AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.

    This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.

    I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.

  • When I read the article, my brain interpreted it as

    Thank you for looking out for me and my security. I realise you didn't have to go to all that trouble - both to help save me from myself and to actually send me email to keep me aware. I can see that you are definitely on top of your customer support processes, and I promise not to call you with stoopid questions that I could easily answer for myself if I just opened the manual,

  • The router that you have is Verizon supplied. Does that mean it comes with your service or that you are renting it? In that case technically it's not "your" router. It's theirs and they can change it if they wish. In most rental/lease agreements there are clauses that allow the owner to modify, inspect, replace, remove, etc the equipment. If you bought the router, that's another story. They shouldn't have done it but it's not the end of the world.
  • by duppyconqueror (1161341) on Sunday August 01, 2010 @04:14PM (#33103218)
    http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 [broadbandreports.com] Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.
  • So... pretty much any router sold by a telco is set up for remote management via the TR-069 spec. Even if you had already changed the password, they can still get in; it's something far different that accessing the admin interface through the WAN and almost certainly buried in their TOS.

    I worked on a Qwest DSL connection for a friend and replaced their POS Actiontec with something more functional. When it came time to switch packages to a higher speed, the connection simply stopped working. Apparently Qwest

  • by SuperKendall (25149) on Sunday August 01, 2010 @04:20PM (#33103276)

    After three years, they changed the password to something you could easily find just by looking at the device.

    I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.

    Verizon deserves a medal for restraint on this one.

  • by Anti_Climax (447121) on Sunday August 01, 2010 @04:28PM (#33103322)

    I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?

    That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...

    Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...

    Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.

    So rest assured that what they did has actually increased the security of your network and has left no gaping hole in it's place.

  • by GothPanda (1159707) on Sunday August 01, 2010 @04:53PM (#33103542) Homepage
    I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.
  • TR-069 TR-098 (Score:4, Insightful)

    by dogsbreath (730413) on Sunday August 01, 2010 @06:27PM (#33104400)

    Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.

    TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.

    You might want to google TR-098 which is the Internet Gateway device specification within TR-069

    http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf [broadband-forum.org]

    http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf [actiontec.com]

    Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!

    HDM systems also gather metrics from the subscriber routers.

    As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.

    From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.

    Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.

    Again, I am not saying this is hunky-dory but it is what I have seen.

  • by robot5five (1608793) on Sunday August 01, 2010 @07:05PM (#33104814)
    For reference port 4567 is listening on the OUTSIDE interface...the side that faces the internet. This came to my attention some time ago when I decided to switch from Comcast to Verizon. I did a tad bit of research when I was in between jobs and kept a blog on my adventures with port 4567....that CAN'T BE DISABLED. There are ways to keep verizon from spying on you and illegally entering your computer network. My blog posts are here: http://robot5five.blogspot.com/2009_07_01_archive.html [blogspot.com] Cracking the password hash was trivial, although it took me a little time until I found several other folks had already done it.
  • Router security (Score:3, Insightful)

    by SlashDev (627697) on Sunday August 01, 2010 @08:24PM (#33105496) Homepage
    1) Since it's 'your' router, maybe you should have secured it better, I bet you didn't even know its password. They actually did you a favor, this is the same logic as hackers hacking into systems to discover their security holes. 2) I'd really like to see most of the Verizon FIOS customers configure 'their' Verizon FIOS router. Please quit whining, and be thankful they changed the default password instead of some cracker changing the router's DNS settings and ruined your life.

Life. Don't talk to me about life. - Marvin the Paranoid Anroid

Working...