Verizon Changing Users Router Passwords 545
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
uhhh (Score:5, Insightful)
Then change your password (Score:5, Insightful)
Putting things in perspective (Score:5, Insightful)
Re:uhhh (Score:5, Insightful)
it up to you (Score:1, Insightful)
if you had changed the password yourself, this wouldn't have happened.
Perhaps a little cheese with that whine? (Score:3, Insightful)
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
I'm upset (Score:3, Insightful)
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Ummm...try changing the password! (Score:4, Insightful)
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
You're joking, right?! (Score:4, Insightful)
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
Wow... retards abundant (Score:5, Insightful)
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
unauthorized access is unauthorized (Score:2, Insightful)
It doesnt matter what his password was, they broke into his router illegally
Re:uhhh (Score:3, Insightful)
About 12 out of the 20 posts so far all say the same thing. It's time to kill this entire story. It never should have appeared in the first place.
-
Re:unauthorized access is unauthorized (Score:2, Insightful)
This is News for Nerds, Stuff That Matters?!? (Score:5, Insightful)
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
Re:uhhh (Score:4, Insightful)
I thought that blocking administrative access from WAN would have been enough.
I'm gonna get modded troll for this, but "Thinking" was not what you were doing.
You missed thinking in three key ways:
News for ... wait, who? (Score:1, Insightful)
Really?
How is this worth a Slashdot article?
Re:uhhh (Score:4, Insightful)
>>>A UK citizen...threatened with exportation & 20 years imprisonment by the current administration.
Also this is a clear indication of a double standard and Inequality under the law. If a government or corporation leaves the password as 'password1' and a citizen enters that computer, then the citizen will be severely punished. BUT in the opposite case of government/corporation entering a citizen's private computer or router?
That's okay.
In his defense... (Score:3, Insightful)
Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
Re:unauthorized access is unauthorized (Score:2, Insightful)
Re:Ummm...try changing the password! (Score:5, Insightful)
On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe(and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.
We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.
WRONG (Score:1, Insightful)
they can do what they want to stuff they own.
THEY are not allowed to update my modem OR router unless i give permission
and thats why they call it UPDATING YOUR FIRMWARE IN THE TOOLS SECTION.
regardless this poster is a complete noob, technically however what verizon did do was agaisnt most laws even if it had hte best interest at heart
ITS like a hacker breaking into YOUR website and leaving you a note he updated all your software that was vulnerable.
ITS STILL AGAINST THE LAW
Re:uhhh (Score:5, Insightful)
What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.
If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.
Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?
Why is there an open forced access port/back door?
Is that ok without telling the owner?
What security is in place that entities besides Verizon can't access it?
Re:uhhh (Score:5, Insightful)
Re:Putting things in perspective (Score:5, Insightful)
That he left it with such a weak password is beside the point. The routers I've worked with will not allow administration level access over the outside port or wireless connection unless explicitly allowed by the admin, so Verizon being able to do just that should raise a few questions.
He owns the router, right, and yet Verizon thought they had the right to log in and change his password.
Makes me wonder if they have a firmware coded backdoor/admin password into the router.
Re:Use a different router (Score:3, Insightful)
Then you're to blame threefold: 1) By your own admission, you let a noob stand in for you: If you'd cared to have it done correctly, you should have scheduled the installation around your availability so as to ensure that it met your requirements. 2) You apparently didn't do anything to correct matters afterwards, despite the fact that it wasn't to your satisfaction, and 3) Now you're whining about it on Slashdot.
Fourfold, if you expected anything other than what happened... and fivefold, if you expect to get any sympathy here for it.
I know it's harsh, but Timothy should never have accepted your submission. IMO, he threw you under the bus, and I am sorry for that.
My advice? First, change the password on your router, ASAP. Secondly, call Verizon, and inquire about changing from coax to Ethernet. Worst case they can't/won't, but you'll at least know.
Regards,
dj
You are NOT fscking serious, right? (Score:0, Insightful)
If? Did you friggin' say "if"? It's not a conditional. He left his password as "password1" for three friggin' years. This is just much ado about nothing in a way Shakespeare couldn't have imagined. OMFG I am a careless clueless luser who never changed my routers password from the default and Verizon pointed it out for me and made me more secure! I am outraged! How dare they!
Re:uhhh (Score:5, Insightful)
A UK citizen who used a similar backdoor (typed the default password) to get into a US computer is now being raked-over-the-coals and threatened with exportation & 20 years imprisonment by the current administration. If it wasn't okay for him to enter a privately-owned computer, why it is okay for Verizon to enter a privately-owned router?
Did Verizon leave threatening messages promising continued disruption? Did Verizon attempt to conceal their activity by deleting log files? Was Verizon attempting to gain access to the user's private data?
The answer to all of these is "no", making this totally different from the McKinnon case. (And these are just the things McKinnon admits to. He's alleged to have been much more destructive).
Also, the router is connected to Verizon's network, and was set up by Verizon for the customer. Even if the customer owns the router, it is is quite likely there is a contract between the customer and Verizon allowing them to access it for administrative purposes. Did McKinnon have a contract with the owners of the 96 or so computers he hacked? Were they on a network he owned and using a service he provided?
Re:This is News for Nerds, Stuff That Matters?!? (Score:5, Insightful)
You're not a nerd, this isn't news that matters... slow day, Timothy?
It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.
Slashdot should start a new Sunday feature, call it, "Is it Real?" or something, where they post stories like this and make us try to guess if the original post is real or not.
This man (original poster) should never change. He should preserve himself as he is, so all of us can look at him and wonder, how is such a thing possible. It is a sterling example of what the human race is truly capable of.
The opening line is the best, let me quote it again just because it makes me laugh out loud every time I read it:
I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago.
Seriously, how on earth could anyone think that was a clever thing to write? He's an Eliza-bot or something.
Yes, but... (Score:5, Insightful)
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
Re:uhhh (Score:2, Insightful)
If you're too stupid to know to ALWAYS CHANGE THE DEFAULT PASSWORD perhaps you're too stupid to save the settings after "disabling" administration from WAN
Re:uhhh (Score:5, Insightful)
He said [slashdot.org] he disabled administrative access from outside.
Given the level of competence he has displayed I frankly suspect that he failed to do that correctly or, if he did, he probably ended up blocking access from outside the ISP subnet.
Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere.
He probably did - there is usually some clause somewhere where you agree to let them take action to prevent security breaches or some such. Failing that there is always a clause which lets them disconnect incorrectly configured hardware which poses a risk to the network which this arguably does. So would you advocate disconnecting the router and sending letter that customers have to reconfigure the default password before it will be allowed to reconnect? It's hard to see how anyone can complain about their actions. There is no private data stored on the router nor did they change any setting beyond the minimum needed to secure it. This is the sort of thing that a sysadmin does for you and that people usually say "thank you" for.
Re:Ummm...try changing the password! (Score:5, Insightful)
As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see(and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.
In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing; it isn't exactly tinfoil-hat territory to postulate that it might be used for market research(number of devices/household, manufacturers, determined by MAC, of those devices, etc.)
I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection(and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers(especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic linux hacking chops who either downloads and disassembles the firmware, or snags a used router on ebay, or signs up and investigates his own router(and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem; but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.
Re:uhhh (Score:4, Insightful)
I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."
Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?
Verizon can probably get away with this, because on page 239 of the user agreement he signed it says "Verizon reserves the right to do anything we want to you and your property, forever, because we know you won't read this far into the agreement, you're just going to sign it after skimming the first page. Sucker." But still, even if the poster did agree to this in a user agreement, Verizon should NOT be hacking into and reconfiguring other people's equipment, even if they think it's a good idea.
Re:uhhh (Score:5, Insightful)
Re:uhhh (Score:3, Insightful)
Hello? McFLY! YOU let the tech in already! (Score:2, Insightful)
YOU allowed the technician access to your router during setup.
YOU allowed him to set the administrative password.
YOU allowed him to set the router options such that someone could remote logon.
YOU are the one who DID NOT change the password once he was done!
YOU are at fault.
Verizon is merely covering YOUR ass (and, let's be honest, theirs too) because you allowed the setting of a shitty, insecure password and did JACK SHIT to change it to something more secure IN A THREE YEAR TIMESPAN!
If you didn't want Verizon, or anyone BUT YOU to get into the router, YOU SHOULD HAVE CHANGED THE FUCKING PASSWORD YOU WHINY ASSHOLE DOUCHEBAG!
TR-069 TR-098 (Score:4, Insightful)
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf [broadband-forum.org]
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf [actiontec.com]
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
Re:uhhh (Score:3, Insightful)
No, they just sent one indicating that they had already perpetrated a DOS attack
A DOS attack? Really? What service was denied? There's no indication the customer's service was interrupted at all.
Re:Hello? McFLY! YOU let the tech in already! (Score:3, Insightful)
Good job using so much caps dude. Calm down. Yelling doesn't make you look good. There's two ways to look at this:
- Verizon is doing people a favor by securing their routers a little more
- Verizon has a backdoor
FYI the option to backdoor isn't set by the tech per-se. The tech runs a program that executes several scripts. Whether the default firmware for these devices has this option on by default OR if the script does it I am not sure of. But it's normal practice for them to have this setup as is. The issue at hand is that they have a way back into your router. My guess is that, for the most part, it's there for maintenance, status checking (i.e. do you have an actual internet connection) or password resetting if the user forgets it. POSSIBLY for data monitoring, but I'm not going to say that's true, nor am I going to rule it out.
But Jesus, next time don't use such harsh words. Try thinking first.
Re:This is News for Nerds, Stuff That Matters?!? (Score:3, Insightful)
It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.
I have thoroughly enjoyed watching dozens of geeks, who believe themselves to be technology gurus in general, get so UTTERLY confused about what password was changed and what it normally does and fly off in uncontrollable rage at the original poster over a situation which they have so comprehensively misunderstood. The password which Verizon changed exists only to stop technologically illiterate people who live in the same house from mucking the router up. Assuming that OP was right when he said that WAN access was off, then Verizon has not made ANY APPRECIABLE IMPROVEMENT TO HIS NETWORK SECURITY, all they've done is annoy their customer.
Port 4567 can't be disabled (Score:3, Insightful)
Related WiFi Router Vulnerability Just Announced (Score:2, Insightful)
Ownership shouldn't matter. Knowledge of your router's administrative password does matter. If you were too lazy or clueless to change that password before the tech who installed it got to his/her truck, you got better than you deserved. You should go immediately to your email program and write a nice thank you note to Verizon for doing a security sweep for a WiFi router administrative password vulnerability recently (2010-7-21) announced (by Seismic [engadget.com]) on behalf of its customers. In particular danger are routers with no administrative password set (or ones set to known values used by technicians installing routers, like "password1"). A complete fix for this vulnerability will require firmware updates to the affected routers. But, making sure you have a strong administrative password activated is a good stop-gap measure. And, given the timing, I would bet this stop-gap protection is what Verizon was trying to provide for its customers.
Router security (Score:3, Insightful)
Re:unauthorized access is unauthorized (Score:2, Insightful)
A lot of people think they own their equipment, when in reality, they do not. As many have stated, companies tend to lease the equipment for use on their networks.
Re:This is News for Nerds, Stuff That Matters?!? (Score:3, Insightful)
Re:uhhh (Score:2, Insightful)