Verizon Changing Users Router Passwords

Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"

Re:uhhh

[Kohenkatz]

I thought that blocking administrative access from WAN would have been enough.

Re:I'm upset

[Kohenkatz]

You can't get in to my router from outside except on Verizon's maintenance port - and I didn't know they can do password changes from there.

Re:Then change your password

[jasen666]

There's no protection for having a stupid password to gain entry to a system.
You may as well have not had one.

Re:unauthorized access is unauthorized

[Nikkos]

So what if they sold it to him? If it's his, and they accessed it without permission (no matter what the password) then they broke the law.

Re:Perhaps a little cheese with that whine?

[thestuckmud]

My provider allows third party modems. Absent a conspiracy between manufacturers and providers, there is no way they can force updates on my equipment.

You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.

An insider says:

[dicobalt]

Comcast and AT&T have access to routers that they supplied as well. This isn't limited to Verizon.

Erm.... TR-069, anyone?

[jimicus]

AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.

This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.

I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.

Re:uhhh

[Ksevio]

No, they were able to because they used their backdoor which has it's own password to login and change it.

Realistically the password of the router doesn't matter if you have remote management turned off, but Verizon thinks that people are going around cracking the WEP keys and changing peoples routers.

They did the same to my router so I blocked port 4567.

How to disable the backdoor

[duppyconqueror]

http://www.broadbandreports.com/forum/r21990593-modemrouter-Remove-the-actiontec-verizon-backdoor-on-port-456 [broadbandreports.com] Haven't tried it, but worth a shot. Took a (very) little bit of googling to find which was still less effort than lambasting the OP.

Re:unauthorized access is unauthorized

[flosofl]

You don't get the right to update your firmware just using your own modem on a cable network

Yes, I do. And have. However, if an update borks my connection, I'm shit out of luck as far as support from them is concerned. (I made a point of looking at my TOS when I did the update to make sure they couldn't kick me off for doing it).

Re:It's not your router.

[mysidia]

In other words it's part of the ISP-Owned CPE. This is typical of customers purchasing leased line services.

And the OP naively assumed that the equipment being in their house automatically transferred legal ownership of it?

The ISP usually owns the router, and everything after the Telco demarcation up to the customer's cable, which is referred to as "CPE" (Customer-Premises Equipment)

This is useful to the ISP for various reasons, it can assist with troubleshooting. It can enable the ISP to implement end-to-end QoS, and implement traffic engineering / access restrictions (such as spoof prevention or anti-malware port 25 blocking), before the packet even goes to the ISP's distribution/aggregation router.

DNS hijacking for fun and profit

[Anti_Climax]

I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?

That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...

Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...

Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.

So rest assured that what they did has actually increased the security of your network and has left no gaping hole in it's place.

Re:unauthorized access is unauthorized

[whoever57]

No, they entered a router which they lease to him with the intention of making their network more secure

What part of "I own the router, not them" do you not understand?

That goes for you too, mods!



I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.

Re:uhhh

[Anonymous Coward]

Except they didn't change it to "something random without telling", they changed it to something very specific and THEN FUCKING TOLD HIM.

Re:uhhh

[Ksevio]

If that were the whole story then it would be end of thread. Verizon changed the LAN side password remotely using their backdoor to the system. The backdoor uses a completely different authentication system. The only time the LAN side access password is useful is if you're already on the network, at which point there are probably more pressing security issues.

RTFA

[pgmrdlm]

From the article:

am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.

He owns the router, they don't. He doesn't lease it.

Re:unauthorized access is unauthorized

[Jane Q. Public]

You don't get the right to update your firmware just using your own modem on a cable network, so this is likely covered by the contract.

Since when? The law allows you to use your own equipment (as the writer did; he said it was his OWN router). I too use my own cable adapter and router, which are both better equipment than the cable company leases. And the cable company has neither the legal or contractual right to access them without my permission. If they did, they would be guilty of illegally accessing my computer equipment over a network, which can be prosecuted as a FELONY in some cases.

Re:uhhh

[mystik]

If you read the ToS (for VZ Fios, Even Cox Cable has a similar provision) by agreeing to service, you authorize them to access your equipment.

See here: http://www.verizon.net/policies/popups/tos_popup.asp [verizon.net]

Search for "Monitoring of Network Performance by Verizon"

I soooo wish there was more competition for broadband in the states :(

A matter of necessity

[GothPanda]

I used to work for a call center that did the tech support for Verizon DSL. We had an internal system that's responsible for line testing, and this system also let us push changes equipment we've provided. Most agents didn't know how to use the functionality of this system, but it's almost required, because some customers aren't able to change the settings with or without our help. "We need you to reset your modem. Hold down the little button on the back. You can't find it? You don't know how a button works? Fine, just let me do it from here." To OP, it's a modem that happens to have a router, not just your router. You may own the equipment, but it's still connecting to the Verizon Network, and since Verizon provided the equipment, they're going to make sure that they can make it work if you fraked it up.

Re:uhhh

[Jah-Wren Ryel]

I have fios and I have gone to my own software router running in a VM. But before I completely dumped the actiontec (which is really nice hardware for a router, but not all the well supported by alternative firmwares due to actiontec being asses about the GPL for a really long time), I noticed traffic on that port. After only cursory investigation, the impression I got was that the router was "phoning home" to verizon. That's how it got firmware updates and, I presume in this case, the password was changed. That "phoning home" behavior was something that creeped me out because I have no idea what it's reporting or what changes might be made, so it's what goosed me to start looking into alternative firmwares and eventually go the VM route instead.

Re:uhhh

[Anonymous Coward]

If his FIOS router is something like the Actiontec MI424WR, the datasheet specifically states it supports TR-069

http://en.wikipedia.org/wiki/TR-069

Its their CPE, not his router, even if he changed the passwords and changed the firewall.

Re:Then change your password

[iburrell]

Didn't you read about the recent DNS rebinding attack on wireless routers? It works on routers with remote access disabled but with the default administration password. The attack basically tricks the user's browser into attacking the local administration interface.

Re:You failed to consider: this person is clueless

[e4g4]

Every ActionTec router from Verizon that i've encountered (a dozen or so) had remote administrative access disabled by default.

Leasing routers happens

[davidwr]

1) Leasing routers happens, especially if it's a modem-router, which is becoming more and more common.

2) Even if you own your modem, as a condition of service the telcos will typically insist on enough control of your equipment to manage "their side" of the connection. The same goes for cable-tv and cable-internet providers who let you use your own modems and cable boxes.

As far as #2 goes though, they typically "enforce" it by simply blackholing any device which doesn't give them the control they need. If you want your device to work you get to choose whether to keep being their customer on their terms or look for service elsewhere.

Re:Ummm...try changing the password!

[memyselfandeye]

Confirmed. Non-default password here, firmware 'magically' updated periodically. Modem web-server recently updated to display "westell" instead of "Verizon" as the logo following the Verizon to Frontier transfer in my area.

Unless all these geniuses can figure out how to put their modem behind a firewall, I don't think you can keep Verizon out. And if you did, I wouldn't be surprised if Verizon helped you on their end by blocking port 80, 8080, 25, 22,exec... until you let them back in.

Still kinda scary, but I'd hope Verizon has things protected by a good hash, and not just a super secret admin account.

Re:uhhh

[Kalriath]

They can. Siemens Gigasets have this functionality as well - it allows the ISP to push Firmware updates and config changes to attached CPE via the ACS server using TR-069.

Re:it up to you

[fishexe]

if you had changed the password yourself, this wouldn't have happened.

I like how the fourth, fifth, tenth, whatever, redundant post saying this same sentiment STILL gets modded insightful. You know, mods, we DO have a '-1 Redundant' mod.

Re:uhhh

[Anti_Climax]

What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.

Administrative access was not used for this. His actiontec, along with most other telco distributed CPEs use the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.

If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.

Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. see Pharming [wikipedia.org]

Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?

Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.

Why is there an open forced access port/back door?

There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.

Is that ok without telling the owner?

Are we that sure it wasn't in that contract he signed?

What security is in place that entities besides Verizon can't access it?

A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.

Re:I'm upset

[dogsbreath]

I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!

I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.

This is a TR 69/TR 98 device and you can't disable ISP access. Well, not through any normal user level screen. You'd have to hack it.

Changing the default login will not make any difference.

Re:Wow... retards abundant

[LynnwoodRooster]

retards abundant? yes, apparently there are. Retards like you... I don't care weather it was a stupid thing to do

Not to mention those retards who cannot write. Like whether to use 'whether' or 'weather'...

Re:uhhh

[luca]

What are you all on about? He said [slashdot.org] he disabled administrative access from outside.

He disabled the user visible administrative interface.

Google for tr69 and you'll be enlightened.

In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.

Re:uhhh

[jcostom]

Interesting.. When we first got FiOS, they were only doing Internet & Phone (TV came 2 years later), and handing out D-Link routers. Since I work for a network manufacturer, the first thing I did was swap it out for a real firewall. 2 years later, they started doing TV in our area, they brought out an Actiontec, wanting to replace my firewall with theirs. Fortunately, I came upon a solution that worked perfectly, and doesn't involve using their router directly (shocked the installers that came out to do our TV install). I've got the Ethernet WAN port of their router plugged into an isolated zone on my firewall (where my Guest WLAN also lives), with the cable wire still connected (so the cable boxes can get guide data). This isolated zone has access to the Internet only, nothing on my "regular" network at all. Works like a champ. Get your FiOS Internet delivered over Cat5 if you can get the installer to do it, then hook up the router that way. The cable boxes don't seem to mind 2 layers of NAT, so I see no reason not to deploy like this.

Re:uhhh

[SuperTechnoNerd]

My friend works for Verizon and warned me about port 4567 so I blocked it as soon as I got the service. This is scary because they can install any software on your router at any time.. Even to monitor your traffic on you LAN side. Even though I blocked the port, after hearing this, now may get rid of the actiontech, although it is a nice router.

Re:In his defense...

[lordlod]

He does have a problem with a bad password, there are some fairly clever javascript attacks that target exactly this situation, remote admin disabled and all.

The web browser is tricked to connect to a default router address (like 10.0.0.1) with a default login (admin/password1) and changes whatever settings it wants, perhaps just opening remote administration. Because the connection to the router comes from the local PC this isn't "remote" administration. There are few enough possible combinations that you can brute force the default login really easily and enough people with default set ups to make it very worth while.

If Verizon has all of their customers with the same router, the same network setup and the same password... it would be negligent not to do everything they could to help protect their customers.

Re:uhhh

[surferx0]

I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."

Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?

Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.

Re:uhhh

[someone1234]

That password was owned by Verizon. He should have changed it to 'own' it, but he didn't.

This situation is like: you go into the shop, pay for some item but leave it on the counter.
The vendor notices it, runs out of the shop and hands it to you, again.
You scream a hissy fit that the vendor dared to touch YOUR ware.

He should have learned from this lesson and not be a dick and post this on Slashdot.

Re:RTFA

[BlackWind]

If the guy has Verizon FiOS, and is using the ActionTec router that was installed as part of the service, he does not own it. Verizon does NOT sell the router to the customer. (Buying the router is never an option.)
Verizon supplies the router to support TV & Internet services over FiOS, and Verizon will repair or replace the router at any time that there is a problem with it without charging the customer. (With the exception of incidents of vandalism, or a pattern of abuse requiring multiple swaps of the router over time.)
[I currently work for Verizon, and install FiOS every day. (Yes, the majority of the STUPID configuration decisions are forced on us by management to save time & effort from dealing with the average tech knowledge of both customers and other technicians with little or no knowledge about networks or security.)]