Verizon Changing Users Router Passwords
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Re:uhhh (Score:2, Informative)
Re:I'm upset (Score:2, Informative)
Re:Then change your password (Score:3, Informative)
There's no protection for having a stupid password to gain entry to a system.
You may as well have not had one.
Re:unauthorized access is unauthorized (Score:3, Informative)
Re:Perhaps a little cheese with that whine? (Score:5, Informative)
You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.
An insider says: (Score:2, Informative)
Erm.... TR-069, anyone? (Score:5, Informative)
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
Re:uhhh (Score:4, Informative)
No, they were able to because they used their backdoor which has its own password to log in and change it.
Realistically the password of the router doesn't matter if you have remote management turned off, but Verizon thinks that people are going around cracking the WEP keys and changing people's routers.
They did the same to my router so I blocked port 4567.
How to disable the backdoor (Score:5, Informative)
Re:unauthorized access is unauthorized (Score:4, Informative)
Yes, I do. And have. However, if an update borks my connection, I'm shit out of luck as far as support from them is concerned. (I made a point of looking at my TOS when I did the update to make sure they couldn't kick me off for doing it).
Re:It's not your router. (Score:2, Informative)
In other words it's part of the ISP-Owned CPE. This is typical of customers purchasing leased line services.
And the OP naively assumed that the equipment being in their house automatically transferred legal ownership of it?
The ISP usually owns the router, and everything after the Telco demarcation up to the customer's cable, which is referred to as "CPE" (Customer-Premises Equipment)
This is useful to the ISP for various reasons, it can assist with troubleshooting. It can enable the ISP to implement end-to-end QoS, and implement traffic engineering / access restrictions (such as spoof prevention or anti-malware port 25 blocking), before the packet even goes to the ISP's distribution/aggregation router.
DNS hijacking for fun and profit (Score:3, Informative)
That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...
Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...
Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.
So rest assured that what they did has actually increased the security of your network and has left no gaping hole in its place.
Re:unauthorized access is unauthorized (Score:5, Informative)
What part of "I own the router, not them" do you not understand?
That goes for you too, mods!
I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.
Re:uhhh (Score:2, Informative)
Except they didn't change it to "something random without telling", they changed it to something very specific and THEN FUCKING TOLD HIM.
Re:uhhh (Score:5, Informative)
RTFA (Score:4, Informative)
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.
He owns the router, they don't. He doesn't lease it.
Re:unauthorized access is unauthorized (Score:3, Informative)
You don't get the right to update your firmware just using your own modem on a cable network, so this is likely covered by the contract.
Since when? The law allows you to use your own equipment (as the writer did; he said it was his OWN router). I too use my own cable adapter and router, which are both better equipment than the cable company leases. And the cable company has neither the legal nor contractual right to access them without my permission. If they did, they would be guilty of illegally accessing my computer equipment over a network, which can be prosecuted as a FELONY in some cases.
Re:uhhh (Score:5, Informative)
If you read the ToS (for VZ Fios, Even Cox Cable has a similar provision) by agreeing to service, you authorize them to access your equipment.
See here: http://www.verizon.net/policies/popups/tos_popup.asp [verizon.net]
Search for "Monitoring of Network Performance by Verizon"
I soooo wish there was more competition for broadband in the states :(
A matter of necessity (Score:4, Informative)
Re:uhhh (Score:5, Informative)
I have fios and I have gone to my own software router running in a VM. But before I completely dumped the actiontec (which is really nice hardware for a router, but not all that well supported by alternative firmwares due to actiontec being asses about the GPL for a really long time), I noticed traffic on that port. After only cursory investigation, the impression I got was that the router was "phoning home" to verizon. That's how it got firmware updates and, I presume in this case, the password was changed. That "phoning home" behavior was something that creeped me out because I have no idea what it's reporting or what changes might be made, so it's what goosed me to start looking into alternative firmwares and eventually go the VM route instead.
Re:uhhh (Score:3, Informative)
If his FIOS router is something like the Actiontec MI424WR, the datasheet specifically states it supports TR-069
http://en.wikipedia.org/wiki/TR-069
It's their CPE, not his router, even if he changed the passwords and changed the firewall.
Re:Then change your password (Score:2, Informative)
Didn't you read about the recent DNS rebinding attack on wireless routers? It works on routers with remote access disabled but with the default administration password. The attack basically tricks the user's browser into attacking the local administration interface.
Re:You failed to consider: this person is clueless (Score:4, Informative)
Leasing routers happens (Score:2, Informative)
1) Leasing routers happens, especially if it's a modem-router, which is becoming more and more common.
2) Even if you own your modem, as a condition of service the telcos will typically insist on enough control of your equipment to manage "their side" of the connection. The same goes for cable-tv and cable-internet providers who let you use your own modems and cable boxes.
As far as #2 goes though, they typically "enforce" it by simply blackholing any device which doesn't give them the control they need. If you want your device to work you get to choose whether to keep being their customer on their terms or look for service elsewhere.
Re:Ummm...try changing the password! (Score:2, Informative)
Confirmed. Non-default password here, firmware 'magically' updated periodically. Modem web-server recently updated to display "westell" instead of "Verizon" as the logo following the Verizon to Frontier transfer in my area.
Unless all these geniuses can figure out how to put their modem behind a firewall, I don't think you can keep Verizon out. And if you did, I wouldn't be surprised if Verizon helped you on their end by blocking port 80, 8080, 25, 22,exec... until you let them back in.
Still kinda scary, but I'd hope Verizon has things protected by a good hash, and not just a super secret admin account.
Re:uhhh (Score:3, Informative)
They can. Siemens Gigasets have this functionality as well - it allows the ISP to push Firmware updates and config changes to attached CPE via the ACS server using TR-069.
Re:it up to you (Score:3, Informative)
if you had changed the password yourself, this wouldn't have happened.
I like how the fourth, fifth, tenth, whatever, redundant post saying this same sentiment STILL gets modded insightful. You know, mods, we DO have a '-1 Redundant' mod.
Re:uhhh (Score:5, Informative)
Administrative access was not used for this. His actiontec, along with most other telco distributed CPEs use the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.
Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. See Pharming [wikipedia.org]
Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.
There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.
Are we that sure it wasn't in that contract he signed?
A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.
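What a CPE-initiated TR-069 session reports, as an added example that is not part of the thread or of any vendor's code: it parses a constructed CWMP Inform (the SOAP message the CPE posts to its ACS) and flags a non-HTTPS ACS URL and the advertised connection-request listener. The device values, the ACS URL and the addresses are made up; port 4567 in the sample only echoes the submitter's observation, and the thread does not establish what that port does.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a minimal CWMP Inform as a CPE would POST it to its ACS.
# Serial number, OUI and addresses are made up (192.0.2.0/24 is documentation space).
SAMPLE_INFORM = """<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body><cwmp:Inform>
    <DeviceId><Manufacturer>ExampleCo</Manufacturer><OUI>00AA11</OUI>
      <ProductClass>HomeGateway</ProductClass><SerialNumber>SN0000EXAMPLE</SerialNumber></DeviceId>
    <Event><EventStruct><EventCode>2 PERIODIC</EventCode><CommandKey/></EventStruct></Event>
    <ParameterList>
      <ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
        <Value>1.0.0-example</Value></ParameterValueStruct>
      <ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
        <Value>http://192.0.2.10:4567/example</Value></ParameterValueStruct>
    </ParameterList>
  </cwmp:Inform></soap:Body></soap:Envelope>"""

CWMP = "{urn:dslforum-org:cwmp-1-0}"

def summarize_inform(xml_text):
    """Return what the CPE reports about itself in one Inform message."""
    inform = ET.fromstring(xml_text).find(f".//{CWMP}Inform")
    if inform is None:
        raise ValueError("not a CWMP Inform")
    params = {p.findtext("Name"): p.findtext("Value") or ""
              for p in inform.iter("ParameterValueStruct")}
    return {
        "serial": inform.findtext("DeviceId/SerialNumber"),
        "events": [e.text for e in inform.iter("EventCode")],
        "params": params,
    }

def audit(acs_url, summary):
    """Flag transport and exposure issues a defender would want to know about."""
    findings = []
    if urlsplit(acs_url).scheme != "https":
        findings.append("ACS session is not over HTTPS")
    for name, value in summary["params"].items():
        if name.endswith("ManagementServer.ConnectionRequestURL"):
            u = urlsplit(value)
            findings.append(f"connection-request listener on {u.hostname}:{u.port}")
    return findings

if __name__ == "__main__":
    info = summarize_inform(SAMPLE_INFORM)
    print(info, audit("http://acs.example.invalid/cwmp", info))
```
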
Re:I'm upset (Score:2, Informative)
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
This is a TR 69/TR 98 device and you can't disable ISP access. Well, not through any normal user level screen. You'd have to hack it.
Changing the default login will not make any difference.
Re:Wow... retards abundant (Score:3, Informative)
retards abundant? yes, apparently there are. Retards like you... I don't care weather it was a stupid thing to do
Not to mention those retards who cannot write. Like whether to use 'whether' or 'weather'...
Re:uhhh (Score:5, Informative)
What are you all on about? He said [slashdot.org] he disabled administrative access from outside.
He disabled the user visible administrative interface.
Google for tr69 and you'll be enlightened.
In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.
Re:uhhh (Score:5, Informative)
Re:uhhh (Score:3, Informative)
Re:In his defense... (Score:4, Informative)
He does have a problem with a bad password, there are some fairly clever javascript attacks that target exactly this situation, remote admin disabled and all.
The web browser is tricked to connect to a default router address (like 10.0.0.1) with a default login (admin/password1) and changes whatever settings it wants, perhaps just opening remote administration. Because the connection to the router comes from the local PC this isn't "remote" administration. There are few enough possible combinations that you can brute force the default login really easily and enough people with default set ups to make it very worthwhile.
If Verizon has all of their customers with the same router, the same network setup and the same password... it would be negligent not to do everything they could to help protect their customers.
Re:uhhh (Score:5, Informative)
I purchased a combination lock for my front door three years ago. Today, I saw a note on my kitchen table from the locksmith. It said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."
Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?
Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.
Re:uhhh (Score:5, Informative)
That password was owned by Verizon. He should have changed it to 'own' it, but he didn't.
This situation is like: you go into the shop, pay for some item but leave it on the counter.
The vendor notices it, runs out of the shop and hands it to you, again.
You scream a hissy fit that the vendor dared to touch YOUR ware.
He should have learned from this lesson and not be a dick and post this on Slashdot.
Re:RTFA (Score:3, Informative)
If the guy has Verizon FiOS, and is using the ActionTec router that was installed as part of the service, he does not own it. Verizon does NOT sell the router to the customer. (Buying the router is never an option.)
Verizon supplies the router to support TV & Internet services over FiOS, and Verizon will repair or replace the router at any time that there is a problem with it without charging the customer. (With the exception of incidents of vandalism, or a pattern of abuse requiring multiple swaps of the router over time.)
[I currently work for Verizon, and install FiOS every day. (Yes, the majority of the STUPID configuration decisions are forced on us by management to save time & effort from dealing with the average tech knowledge of both customers and other technicians with little or no knowledge about networks or security.)]