Verizon Changing Users Router Passwords 545
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
Use a different router (Score:1, Interesting)
Seems like an easy solution to me. If you have to have their router for the FiOS Tv just put the router behind whatever you replace it with. There is a good guide on how to do this on the dd-wrt website.
Or maybe... (Score:2, Interesting)
It's because the router is Verizon property and they probably have access to it no matter what your password is?
Actually, I've never used FiOS but I've always assumed that the routers remained property of Verizon, same as the set-top-boxes for television do. If someone can prove this, one way or another, I'd like to know.
P.S., on another note, has anyone tried to port a free router distro to the Westell 9100EM [verizon.net] routers specially made for Verizon as FiOS routers and MoCA [wikipedia.org] gateways. It seems Westell released the Linux-based firmware source [westell.com] which, although I've not looked at it, is probably the same Linux firmware that Verizon ships these things with, except without Verizon's branding and webapp look-n'-feel. I'm surprised that no-one has tried to port another Linux distro to it, but I guess that if Verizon owns the routers, the customers with the know-how won't bother trying.
Re:uhhh (Score:1, Interesting)
>>>Maybe they were able to access your router because the password was still password1 ?
A UK citizen who used a similar backdoor (typed the default password) to get into a US computer is now being raked-over-the-coals and threatened with exportation & 20 years imprisonment by the current administration. If it wasn't okay for him to enter a privately-owned computer, why it is okay for Verizon to enter a privately-owned router?
Answer: It isn't. Sue them.
Oh and this behavior is typical considering Verizon used to be part of the Bell Monopoly. They used to consider any and all devices attached to their phonelines as their property - apparently they have not changed that way of thinking, even though it's no longer true.
At least you knew your password (Score:4, Interesting)
At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).
The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!
Re:uhhh (Score:1, Interesting)
Oh har har, how about finding out why? If you had FiOS (can't afford fiber Mr. Dweeb?), you would know that the install monkeys actually demand that you leave it as that. Their excuse is they get fucked off trying to get admin on their routers when the have to do support. It shouldn't be an issue LAN side. and clearly it wasn't an issue until this exploit was published.
You failed to consider: this person is clueless (Score:1, Interesting)
You are assuming that admin access was indeed properly disabled. In forming your conclusion you are taking the word of someone who never changed their default router password, and is now complaining that Verizon finally did the responsible thing and informed him of the egregious error. You might want to think about this a bit more ...
Re:uhhh (Score:1, Interesting)
If a router does not have administration interface on the internet side, the password is irrelevant. What the hell is the router doing responding to ANY kind of administration requests via anything but the local LAN?
Re:uhhh (Score:3, Interesting)
Its their CPE, not his router, even if he changed the passwords and changed the firewall.
Not exactly (and this is why I hate how some devices blur the distinction between CPE and personal equipment, like cable modems). The Actiontec they give you with the service IS yours; if I were to cancel my FIOS service today they can't ask for me to return the router. I would be free to take it elsewhere and use it on something that isn't their service.
That said, I always figured there were "gotchas" like this in the supplied router, which is why I stopped using it shortly after I got FIOS. I like the clear distinction where their control point ends (the ONT) and mine begins (my FreeBSD box).
Re:Yes, but... (Score:3, Interesting)
>>>The "regulated monopoly" of the phone lines was actually a huge success story for the United States.
Yes and it was for Cable TV too, in order to get wires running-out to suburbs of cities in the 80s, but its time has passed. The Bell Monopoly hung-on far too long, and stifled innovation. From the 1950s to the mid-80s telephone network speeds only grew from 110 to 1200 (+30 bps/year). Then the monopoly was broken-up and other competing companies were allowed to sell modems too. The speed increased from 1200 to 56,000 in just a little over ten years (+5000 bps/year). The monopoly had stifled not just freedom of choice, but also progress. When you are the only choice, there's no need to waste money on improvement.
.
>>>most other countries that had competition in that market ended up with multiple incompatible system
Which countries?
.
>>>(telephone lines), prices did NOT go down!
Sure it did. I used to pay 25 cents per minute of long distance under the Bell Monopoly, which is equivalent to 49 cents in today's devalued paper. But now that I'm not stuck with a monopoly, I can choose any carrier, and it only costs me 5 cents. A 95% reduction. And of course the quality is much better because competitors laid-down fiber optics. Without that competition we'd probably still be using Bell's noisy copper - talking to distant California would be filled with static.
.
>>>So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad
I have a duopoly. So just like when I vote, I have no real choice. The Republicans/Verizon is a little better than Democrats/Comcast but not by much. I just get screwed less often.
Re:I used to work Verizon tech support... (Score:3, Interesting)
Mmm. I suggest working out in the call center trenches for a few months before you call anything a tier 1 agent does a "power trip."
On the other hand, good for you, with your router.
Re:uhhh (Score:2, Interesting)
I worked for fios tech support (well a 3rd party contractor) and we never got calls about this port being open. The few people that did call knew it was the Verizon management port. The thing is used for calling home and for Verizon to enable things like caller id on stbs, remote dvr, Diagnostics, etc without the customer having to open ports for these features. I think it's a good idea for them to change the passwords, more then half the people that called had the default password set and trying to walk them to even change the router password was a complete nightmare sometimes. Also the OP notes that "especially because I own the router, not them!", as far as I am aware this is not true. Every time someone did a disconnect they had to send back equipment or pay a fee for not returning it. In addition if the router failed Verizon will drop-ship one free of charge so it is Verizon's, else they would charge a replacement fee. The only way I know of to own one is to cancel fios and not return the router, pay the $100+ fee and then sign up for fios somewhere else.Tech support reps have limited command which include reset the router password to default (which is now serial number, cannot be set to anything else), reset wep/ssid to default (can be set to anything, protocol requires verifying it with the cx before setting), factory reset the router, reboot the router. get the status of the ports, see a list of ip leases (shows ip address, mac address, and a name of the device), ping the router, Ping the internet from the router (never works), and see a snapshot of the current speed up and down. I don't think any of those command would violate privacy.
I would equate it to almost being a voluntary recall, the router was technically "faulty" because, it used a default password that was exploitable so, they sent out a fix. I would add that anyone who wants to change the password back to password1 can go right ahead ;-)