Verizon Changing Users Router Passwords 545
Kohenkatz writes "I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago. I received an email from Verizon that said 'we have identified that your router still had a password of either password1 or admin1 and we have changed it to your serial number.' I checked and it actually had been changed. I believe this to be in response to the Black Hat presentation about the hackability of home routers. I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them! I looked in the router's settings and I see port 4567 goes to the router and is labeled 'Verizon FIOS Service.' Is this port for anything useful other than Verizon changing settings on my router? What security measures does Verizon have to protect that port from unauthorized access?"
uhhh (Score:5, Insightful)
Re:uhhh (Score:5, Insightful)
Re:uhhh (Score:5, Insightful)
What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.
If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.
Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputerexperts, but maybe we could talk about what he's asking?
Why is there an open forced access port/back door?
Is that ok without telling the owner?
What security is in place that entities besides Verizon can't access it?
Re:uhhh (Score:5, Informative)
I have fios and I have gone to my own software router running in a VM. But before I completely dumped the actiontec (which is really nice hardware for a router, but not all the well supported by alternative firmwares due to actiontec being asses about the GPL for a really long time), I noticed traffic on that port. After only cursory investigation, the impression I got was that the router was "phoning home" to verizon. That's how it got firmware updates and, I presume in this case, the password was changed. That "phoning home" behavior was something that creeped me out because I have no idea what it's reporting or what changes might be made, so it's what goosed me to start looking into alternative firmwares and eventually go the VM route instead.
Re:uhhh (Score:5, Informative)
Re: (Score:3, Informative)
If his FIOS router is something like the Actiontec MI424WR, the datasheet specifically states it supports TR-069
http://en.wikipedia.org/wiki/TR-069
Its their CPE, not his router, even if he changed the passwords and changed the firewall.
Re: (Score:3, Interesting)
Its their CPE, not his router, even if he changed the passwords and changed the firewall.
Not exactly (and this is why I hate how some devices blur the distinction between CPE and personal equipment, like cable modems). The Actiontec they give you with the service IS yours; if I were to cancel my FIOS service today they can't ask for me to return the router. I would be free to take it elsewhere and use it on something that isn't their service.
That said, I always figured there were "gotchas" like this in the supplied router, which is why I stopped using it shortly after I got FIOS. I like the
Re:uhhh (Score:5, Insightful)
He said [slashdot.org] he disabled administrative access from outside.
Given the level of competence he has displayed I frankly suspect that he failed to do that correctly or, if he did, he probably ended up blocking access from outside the ISP subnet.
Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere.
He probably did - there is usually some clause somewhere where you agree to let them take action to prevent security breaches or some such. Failing that there is always a clause which lets them disconnect incorrectly configured hardware which poses a risk to the network which this arguably does. So would you advocate disconnecting the router and sending letter that customers have to reconfigure the default password before it will be allowed to reconnect? It's hard to see how anyone can complain about their actions. There is no private data stored on the router nor did they change any setting beyond the minimum needed to secure it. This is the sort of thing that a sysadmin does for you and that people usually say "thank you" for.
Re:uhhh (Score:5, Insightful)
Re:uhhh (Score:5, Funny)
and thank you Verizon for stopping by and diddling my wife, I was previously unaware of how unsatisfied she was.
Re:uhhh (Score:5, Informative)
Administrative access was not used for this. His actiontec, along with most other telco distributed CPEs use the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.
Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. see Pharming [wikipedia.org]
Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.
There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.
Are we that sure it wasn't in that contract he signed?
A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.
Re:uhhh (Score:5, Informative)
What are you all on about? He said [slashdot.org] he disabled administrative access from outside.
He disabled the user visible administrative interface.
Google for tr69 and you'll be enlightened.
In my router it's impossible to disable, however in some normally hidden menu I could modify the "call home" url, rendering it ineffective.
Re: (Score:3, Informative)
Re:uhhh (Score:5, Informative)
That password was owned by Verizon. He should have changed it to 'own' it, but he didn't.
This situation is like: you go into the shop, pay for some item but leave it on the counter.
The vendor notices it, runs out of the shop and hands it to you, again.
You scream a hissy fit that the vendor dared to touch YOUR ware.
He should have learned from this lesson and not be a dick and post this on Slashdot.
Re:uhhh (Score:5, Informative)
Re: (Score:3)
If that were the whole story then it would be end of thread. Verizon changed the LAN side password remotely using their backdoor to the system. The backdoor uses a completely different authentication system. The only time the LAN side access password is useful is if you're already on the network, at which point there are probably more pressing security issues.
It's also useful if an attacker can, by any means, get any one of the people already on the network to visit a URL. If an attacker knows that many people are using the same password on their routers, he simply has to setup the exploit once then use any technique he prefers to bring in visitors. (ad networks, gain access to a popular site and modify a page or two, spam the URL all over the place, etc.)
Re:uhhh (Score:4, Insightful)
I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."
Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?
Verizon can probably get away with this, because on page 239 of the user agreement he signed it says "Verizon reserves the right to do anything we want to you and your property, forever, because we know you won't read this far into the agreement, you're just going to sign it after skimming the first page. Sucker." But still, even if the poster did agree to this in a user agreement, Verizon should NOT be hacking into and reconfiguring other people's equipment, even if they think it's a good idea.
Re:uhhh (Score:5, Informative)
I purchased a combination lock for my front door three years ago. Today, saw a note on my kitchen table from the locksmith. I said "I noticed that the lock I sold you three years ago still has the default combination on it. That's really insecure, so I changed it to your phone number. No need to thank me."
Did the locksmith do anything wrong by breaking into my house to change the combination on the lock?
Bad analogy, since this is leased equipment from Verizon, it's more like you rent an apartment and the landlord changes the busted up locks on your door or performs other various maintenance on their property for you. If you haven't rented before, I can tell you that is quite normal.
Re: (Score:2, Informative)
Re:uhhh (Score:4, Insightful)
I thought that blocking administrative access from WAN would have been enough.
I'm gonna get modded troll for this, but "Thinking" was not what you were doing.
You missed thinking in three key ways:
Re:uhhh (Score:5, Insightful)
Re: (Score:3, Informative)
They can. Siemens Gigasets have this functionality as well - it allows the ISP to push Firmware updates and config changes to attached CPE via the ACS server using TR-069.
Re:You failed to consider: this person is clueless (Score:4, Informative)
unauthorized access is unauthorized (Score:2, Insightful)
It doesnt matter what his password was, they broke into his router illegally
Re: (Score:2, Insightful)
Re:unauthorized access is unauthorized (Score:4, Informative)
Yes, I do. And have. However, if an update borks my connection, I'm shit out of luck as far as support from them is concerned. (I made a point of looking at my TOS when I did the update to make sure they couldn't kick me off for doing it).
Re:unauthorized access is unauthorized (Score:5, Informative)
What part of "I own the router, not them" do you not understand?
That goes for you too, mods!
I expect that I'll be modded down as a troll for pointing out facts that contradict the parent post.
RTFA (Score:4, Informative)
am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them.
He owns the router, they don't. He doesn't lease it.
Re: (Score:3, Informative)
If the guy has Verizon FiOS, and is using the ActionTec router that was installed as part of the service, he does not own it. Verizon does NOT sell the router to the customer. (Buying the router is never an option.)
Verizon supplies the router to support TV & Internet services over FiOS, and Verizon will repair or replace the router at any time that there is a problem with it without charging the customer. (With the exception of incidents of vandalism, or a pattern of abuse requiring multiple swaps of th
Re: (Score:3, Informative)
You don't get the right to update your firmware just using your own modem on a cable network, so this is likely covered by the contract.
Since when? The law allows you to use your own equipment (as the writer did; he said it was his OWN router). I too use my own cable adapter and router, which are both better equipment than the cable company leases. And the cable company has neither the legal or contractual right to access them without my permission. If they did, they would be guilty of illegally accessing my computer equipment over a network, which can be prosecuted as a FELONY in some cases.
Re: (Score:2)
Verizon-supplied Actiontec router had the password 'password1.'
Saying that it is purely 'his' could be questioned. It is hardware that they supplied him, and he is operating it on their network. I am not disagreeing completely with the moral stickiness of what they did, but a blanket 'it is illegal' statement would have a tough time in court, considering the weight these telcos have in terms of money and lawyers. Despite good idealistic intentions in defending the posters disdain, unfortunately the real world will have much less pity and sympathy.
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
About 12 out of the 20 posts so far all say the same thing. It's time to kill this entire story. It never should have appeared in the first place.
-
Re: (Score:2)
Maybe they were able to access your router because the password was still password1 ?
I think he would have preferred that they left his password alone and that instead some malicious hacker got in there and really did some damage. I wonder what feat of administrative magic he could do? Perhaps reset the router to default settings (removing any back doors he's worried about) and setting his own damn password. Nah, that would require taking some personal responsibility. Much better to yell "I've fallen and I can't get up" on a public board. What was your IP address again? You've broadcast tha
Re: (Score:2)
I have to check, but I have the same actiontec router and I believe the default setting is not to allow anyone not in the internal network to change settings or even remotely access it or log in, even if you have the correct password. This would seem to circumvent that.
Re:uhhh (Score:4, Informative)
No, they were able to because they used their backdoor which has it's own password to login and change it.
Realistically the password of the router doesn't matter if you have remote management turned off, but Verizon thinks that people are going around cracking the WEP keys and changing peoples routers.
They did the same to my router so I blocked port 4567.
Re: (Score:3, Insightful)
Re:uhhh (Score:4, Insightful)
>>>A UK citizen...threatened with exportation & 20 years imprisonment by the current administration.
Also this is a clear indication of a double standard and Inequality under the law. If a government or corporation leaves the password as 'password1' and a citizen enters that computer, then the citizen will be severely punished. BUT in the opposite case of government/corporation entering a citizen's private computer or router?
That's okay.
Re: (Score:2)
Yes, but... (Score:5, Insightful)
Of course, since then the situation has been straightened out in most countries. Nevertheless, for decades the regulated monopoly gave us tremendous advantages that "free market" competition could not and did not achieve in those other countries. I am generally not one to support laws and regulation but that is the factual, undeniable history.
If it were not for the fact that Bell blatantly violated court orders, and greedily used its given monopoly of the lines to also create a monopoly of hardware, we might very well still be on a universal Bell system. Which would not be good: the breakup occurred at a fortunate time, when the technology actually allowed competition in the hardware. But it should be noted that after the breakup, when competition was allowed in the area of infrastructure (telephone lines), prices did NOT go down! Phones got better and cheaper, but access did not.
For something like phone line infrastructure, and now network infrastructure, the regulated-monopoly model is actually a very good and workable one. Of course we already had competition in network infrastructure, so establishing a regulated monopoly is probably out of the question. But what we have is a few big players, not many small ones. So it may not be a monopoly, but it's definitely an oligopoly, which is nearly as bad. Surveys of other countries that have better network access (i.e., cheaper and faster), show very clearly that laws mandating leased access to infrastructure, so that the "little guys" can participate, is essential to opening up the market and gaining the benefits of actual "free market" competition. Allowing the oligopoly to remain has already caused the US to fall behind much of the developed world in network infrastructure. If we continue to allow that, without mandatory leased access to the infrastructure, we will only continue to fall farther behind.
Re: (Score:3, Interesting)
>>>The "regulated monopoly" of the phone lines was actually a huge success story for the United States.
Yes and it was for Cable TV too, in order to get wires running-out to suburbs of cities in the 80s, but its time has passed. The Bell Monopoly hung-on far too long, and stifled innovation. From the 1950s to the mid-80s telephone network speeds only grew from 110 to 1200 (+30 bps/year). Then the monopoly was broken-up and other competing companies were allowed to sell modems too. The speed incr
Re:uhhh (Score:5, Insightful)
A UK citizen who used a similar backdoor (typed the default password) to get into a US computer is now being raked-over-the-coals and threatened with exportation & 20 years imprisonment by the current administration. If it wasn't okay for him to enter a privately-owned computer, why it is okay for Verizon to enter a privately-owned router?
Did Verizon leave threatening messages promising continued disruption? Did Verizon attempt to conceal their activity by deleting log files? Was Verizon attempting to gain access to the user's private data?
The answer to all of these is "no", making this totally different from the McKinnon case. (And these are just the things McKinnon admits to. He's alleged to have been much more destructive).
Also, the router is connected to Verizon's network, and was set up by Verizon for the customer. Even if the customer owns the router, it is is quite likely there is a contract between the customer and Verizon allowing them to access it for administrative purposes. Did McKinnon have a contract with the owners of the 96 or so computers he hacked? Were they on a network he owned and using a service he provided?
Re: (Score:3, Insightful)
No, they just sent one indicating that they had already perpetrated a DOS attack
A DOS attack? Really? What service was denied? There's no indication the customer's service was interrupted at all.
Re:uhhh (Score:5, Informative)
If you read the ToS (for VZ Fios, Even Cox Cable has a similar provision) by agreeing to service, you authorize them to access your equipment.
See here: http://www.verizon.net/policies/popups/tos_popup.asp [verizon.net]
Search for "Monitoring of Network Performance by Verizon"
I soooo wish there was more competition for broadband in the states :(
Then change your password (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
There's no protection for having a stupid password to gain entry to a system.
You may as well have not had one.
Putting things in perspective (Score:5, Insightful)
Re:Putting things in perspective (Score:5, Insightful)
That he left it with such a weak password is beside the point. The routers I've worked with will not allow administration level access over the outside port or wireless connection unless explicitly allowed by the admin, so Verizon being able to do just that should raise a few questions.
He owns the router, right, and yet Verizon thought they had the right to log in and change his password.
Makes me wonder if they have a firmware coded backdoor/admin password into the router.
Perhaps a little cheese with that whine? (Score:3, Insightful)
Every broadband provider has access to the modems connected to their network to perform maintenance and updates as necessary. It's part of the fine print you agreed to. If you didn't want them getting into your router configuration you should have changed the default password.
Re:Perhaps a little cheese with that whine? (Score:5, Informative)
You are correct about the fine print, though. They reserve the right to update their software on my equipment (including computers). The simple solution there is not installing their software in the first place.
Re: (Score:2)
I'm upset (Score:3, Insightful)
I am upset about this because Verizon should not have any way to get into my router and change the settings, especially because I own the router, not them!
I'm upset they let people like you on the internet. Change your passwords from the default and use something secure. Instead of waiting for somebody to do something fun like log in remotely to your router using the default login and hosing your settings so your internet goes down.
Re: (Score:2, Informative)
Not a huge deal (Score:2)
Ummm...try changing the password! (Score:4, Insightful)
If you don't want them to access the router, change the bloody password. Like you should have done 3 years ago!
Re:Ummm...try changing the password! (Score:5, Insightful)
On most consumer routers, "the password" is what controls access to the dinky webserver serving the configuration interface, on port 80, LAN side only. According to TFS, Verizon's pet routers have something listening to port 4567, WAN side. There is no particular reason to believe(and, indeed, reason to disbelieve) that the password controlling access to the port 80 web interface and the access control mechanism on the port 4567 WAN management interface are at all connected. Assuming they aren't total morons, I'd imagine that they would use some flavor of keypair auth for that one.
We would need somebody to grab the firmware for the router in question and have a look to actually settle the issue.
Re:Ummm...try changing the password! (Score:5, Insightful)
As for what it is capable of, reports suggest that it can be used for firmware updates, and TFS suggests that it can see(and change) password hashes on the system. If it can do that, it seems reasonable to assume that it can probably access the entire local filesystem on the device. Further, if it can update the firmware, Verizon could always push a firmware update giving their remote management interface any powers that it currently lacks.
In addition to unnervingly paternalistic, but more or less benign, firmware updating and password securing; it isn't exactly tinfoil-hat territory to postulate that it might be used for market research(number of devices/household, manufacturers, determined by MAC, of those devices, etc.)
I would assume, though, that any heavy network monitoring/secret sinister CALEA/NSL stuff probably isn't handled on the router. Verizon, being your ISP, controls the other end of the connection(and, unless you take specific steps to the contrary, is your DNS provider), so they hardly need to build any serious spying power into their routers(especially since that would raise BOM cost for a device that they order millions of, and expose their sinister program to anybody with some basic linux hacking chops who either downloads and disassembles the firmware, or snags a used router on ebay, or signs up and investigates his own router(and, given that techies are more than usually interested in high-speed internet, the odds are very good of this happening). Therefore, I would expect that this management interface offers an upsettingly comprehensive set of functions for controlling the router and accessing its filesystem; but contains no overtly sinister embedded logic. Any of that that exists would be closer to the center of the network.
You're joking, right?! (Score:4, Insightful)
Your router was set to the default password after 3 YEARS and you're claiming to be upset that Verizon secured it for you? Are you kidding me? I'm all for letting people wallow in their own stupidity and ignorance, but come on buddy. They did you a favor. In all seriousness, they shouldn't have left it default in the first place. It should have been set to your serial number from the factory.
Wow... retards abundant (Score:5, Insightful)
I have Verizon FIOS. Tech came out to make sure everything worked and told me that despite the fact that I am a network engineer and it is a Business Class account that he was required as part of his job to install their crappy router and verify connectivity with it. I allowed him to do it and 20 minutes after he was out the door I had my router in place and everything secured to my specifications.
Funny enough, I haven't been contacted by Verizon about the fact that my router is insecure or has default passwords. They haven't changed the password(s) on my router or reconfigured anything other than when I called them 2 weeks ago to make them give me more speed for less money (Packages changed, double the bandwidth I had for $15/mo LESS).
Please contact Verizon, ask them to cancel your service and GTFO the internets plz.
Re: (Score:2)
Re: (Score:2)
Technically they have tried to access because they most likely can't 100% determine if it is their router or not on the other end. They attempt to connect, are unable to connect and move on.
Basically not much more harmful than the random portscans I get on a daily basis...
Re: (Score:2)
Re: (Score:2)
How many cars of coal do you have to have for your engine to haul 19 boxcars loaded to 85% weight capacity from Pittsburg to Detroit?
The "engineer argument" was old when I finished my CNE testing back in 1993, and it's even more played out now.
Last I checked, the router is not OWNED by the individual user on the end, it's rented as part of the contract agreement. This might have changed as I haven't looked at the newest revision of the contract they're having people agree to for new service, but if they ret
Re: (Score:3, Informative)
retards abundant? yes, apparently there are. Retards like you... I don't care weather it was a stupid thing to do
Not to mention those retards who cannot write. Like whether to use 'whether' or 'weather'...
So let's see... (Score:4, Funny)
Lazy Fuck receives router with password set to password1
Lazy Fuck doesn't change it for THREE fucking years
ISP decides to secure router for Lazy Fuck since Lazy Fuck evidently cannot
ISP Emails Lazy Fuck with new password
ISP changes password so Lazy Fuck doesn't get wtfpwn3d
Lazy Fuck whines like a petulant little schoolgirl
How did this retard even find slashdot, let alone create an account and post?
lazy fuck could be lit on fire next to a pool and he'd burn to death.
Slashdot for Schmucks (Score:2)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
lazy fuck could be lit on fire next to a pool and he'd burn to death.
And complain if someone pushed him in to it.
srsly u r dmb (Score:2)
Pro tip: If the router is "yours", you might want to set a password for it that only you know.
Has there ever been a dumber article on /.? I think this is a strong candidate for winning the contest.
Or maybe... (Score:2, Interesting)
It's because the router is Verizon property and they probably have access to it no matter what your password is?
Actually, I've never used FiOS but I've always assumed that the routers remained property of Verizon, same as the set-top-boxes for television do. If someone can prove this, one way or another, I'd like to know.
P.S., on another note, has anyone tried to port a free router distro to the Westell 9100EM [verizon.net] routers specially made for Verizon as FiOS routers and MoCA [wikipedia.org] gateways. It seems Westell released th [westell.com]
Easier way to find out new password (Score:5, Funny)
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Huh!? (Score:2, Redundant)
Your worried about their level of access when you left it with the default password?
Change the thing yourself. DUH.
This is News for Nerds, Stuff That Matters?!? (Score:5, Insightful)
OMG! So, you tried the new password, and it worked? Why didn't you change it then? More importantly: Why didn't you change it the first time?
No, you're upset because you are clueless, though you think you are not, just discovered it and are pissed off because your router had the same password for 3 years as a result, and Verizon was forced to change it because you were too ignorant to do so yourself earlier.
I imagine they at least understand the importance of password security, where you apparently did not.
You're not a nerd, this isn't news that matters... slow day, Timothy?
Regards,
dj
Re:This is News for Nerds, Stuff That Matters?!? (Score:5, Insightful)
You're not a nerd, this isn't news that matters... slow day, Timothy?
It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.
Slashdot should start a new Sunday feature, call it, "Is it Real?" or something, where they post stories like this and make us try to guess if the original post is real or not.
This man (original poster) should never change. He should preserve himself as he is, so all of us can look at him and wonder, how is such a thing possible. It is a sterling example of what the human race is truly capable of.
The opening line is the best, let me quote it again just because it makes me laugh out loud every time I read it:
I have Verizon FIOS at home and my Verizon-supplied Actiontec router had the password 'password1' that the tech assigned to it when he set it up three years ago.
Seriously, how on earth could anyone think that was a clever thing to write? He's an Eliza-bot or something.
Re: (Score:3, Insightful)
It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.
I have thoroughly enjoyed watching dozens of geeks, who believe themselves to be technology gurus in general, get so UTTERLY confused about what password was changed and what it normally does and fly off in uncontrollable rage at the original poster over a situation which they have so comprehensively misunderstood. The password which Verizon changed exists only to stop technologically illiterate people who live in the same house from mucking the router up. Assuming that OP was right when he said that WAN ac
Re: (Score:3, Insightful)
At least you knew your password (Score:4, Interesting)
At least you knew your password! Sky in the UK ship out Netgear routers and don't tell you the password. I "brute-forced" it in about three attempts, but that's not the point (in fact, perhaps it is, since it was something like "admin" and "sky"!).
The worst part was that we later complained about speed issues on the line and they got back to us saying "sorry, we seem to be having problems accessing your router". Erm, yeah, that'd kinda be the point - I don't want my router open and available with any backdoors on the Internet!
In his defense... (Score:3, Insightful)
Unfortunately, we all know that not enabling something doesn't always mean it can't be accessed and he should be kicked off the internet for being ignorant.
Re:In his defense... (Score:4, Informative)
He does have a problem with a bad password, there are some fairly clever javascript attacks that target exactly this situation, remote admin disabled and all.
The web browser is tricked to connect to a default router address (like 10.0.0.1) with a default login (admin/password1) and changes whatever settings it wants, perhaps just opening remote administration. Because the connection to the router comes from the local PC this isn't "remote" administration. There are few enough possible combinations that you can brute force the default login really easily and enough people with default set ups to make it very worth while.
If Verizon has all of their customers with the same router, the same network setup and the same password... it would be negligent not to do everything they could to help protect their customers.
An insider says: (Score:2, Informative)
Erm.... TR-069, anyone? (Score:5, Informative)
AFAICT, many ISPs that supply their own routers are actively looking at (if they're not already) supplying routers which support TR-069 and setting up infrastructure to configure them.
This is a protocol intended for the management of home routers - unlike SNMP, it's got some semblance of security (it's actually based on SOAP over HTTP, optionally HTTPS) - IIRC the CPE initiates the connection and can get things like configuration and firmware upgrades automatically.
I don't see how this is drastically different in concept from cable modems, which are more-or-less invariably heavily managed using DOCSIS.
a strange way to show your appreciation (Score:2)
Thank you for looking out for me and my security. I realise you didn't have to go to all that trouble - both to help save me from myself and to actually send me email to keep me aware. I can see that you are definitely on top of your customer support processes, and I promise not to call you with stoopid questions that I could easily answer for myself if I just opened the manual,
Define "supplied" (Score:2)
How to disable the backdoor (Score:5, Informative)
TR-069... and done (Score:2)
So... pretty much any router sold by a telco is set up for remote management via the TR-069 spec. Even if you had already changed the password, they can still get in; it's something far different that accessing the admin interface through the WAN and almost certainly buried in their TOS.
I worked on a Qwest DSL connection for a friend and replaced their POS Actiontec with something more functional. When it came time to switch packages to a higher speed, the connection simply stopped working. Apparently Qwest
They were kinder than you deserved (Score:5, Funny)
After three years, they changed the password to something you could easily find just by looking at the device.
I would have changed the password to something totally random, and made you sit through four hours of voice menus on the phone to figure out what the new one was, for fear you would change it back.
Verizon deserves a medal for restraint on this one.
DNS hijacking for fun and profit (Score:3, Informative)
That would be the security used by the TR-069 spec for CPE remote management. If implemented correctly by hardware manufacturer and service provider, it's almost certainly more secure than any of the computers you have connected to the internet, even if you're not the kind of person that leaves a default password set on their router...
Seriously, having the default admin password set has been a bad idea with routers for a very long time. Think along the lines of a webpage doing a redirect attempt to the local gateway address with different providers default router passwords and then changing a setting like your DNS server...
Sound unrealistic? Already happened on a large scale years ago. Didn't work if you had changed your password or at least had a unique one in place like the device serial number.
So rest assured that what they did has actually increased the security of your network and has left no gaping hole in it's place.
A matter of necessity (Score:4, Informative)
TR-069 TR-098 (Score:4, Insightful)
Not taking sides here but for an explanation of what is going on, you might want to look at Motive's HDM (home device management) application which works with TR69 enabled devices. I am not a Verizon customer so I don't know what the service EULA looks like but if this was a Verizon supplied device then it is likely enabled for some home device management system and such management is OKd in the service agreement. Again, I am just making some assumptions here and not saying this is kosher.
TR69 devices register with a pre-determined server when they are powered on and go through an ISP determined process to do things like password setting. If you could sniff the line side, you should see an initial HTTPS session briefly set up, pass some traffic, and then shut down.
You might want to google TR-098 which is the Internet Gateway device specification within TR-069
http://www.broadband-forum.org/technical/download/TR-098_Amendment-2.pdf [broadband-forum.org]
http://www.actiontec.com/products/datasheets/MI424WR%20Verizon%20FiOS%20Router%20Datasheet.pdf [actiontec.com]
Companies like Verizon and (I believe) British Telecom have gone this route to drive down help desk costs by enabling managed firmware upgrades and remote parameter setting of a subscribers device. ie Subscriber calls and complains "my internet is broken"; Tier I help desk remotely resets the subscriber's router to the original configuration and voila: the internet is unbroken!
HDM systems also gather metrics from the subscriber routers.
As far as the ISP is concerned, your FIOS/Cable/DSL router is the same as a TV set top box or satellite receiver. Cable and IP STBs are capable of sending back extremely detailed stats of anything that happens on the box, including your viewing habits.
From the ISP point of view, this gives them a powerful tool to deal with systemic failures due to firmware bugs, network attacks, and user finger problems. It also provides a method of getting network stats back from the field devices so that an overall picture of network health can be evaluated. Most subscribers will have no clue what is going on and mostly don't give a fig.
Safest approach is to assume that the access layer router is owned (in the control sense) by your provider and put your own security layer below it. Be warned that you likely can't put your IP TV STB behind your own security layer unless you make sure it can pass multicast.
Again, I am not saying this is hunky-dory but it is what I have seen.
Port 4567 can't be disabled (Score:3, Insightful)
Router security (Score:3, Insightful)
Re:first post! (Score:5, Funny)
All I see is:
if you were first instead of *********, you would not have had any trouble. I had lots of trouble deciphering the summary, though...
Re: (Score:2, Informative)
In other words it's part of the ISP-Owned CPE. This is typical of customers purchasing leased line services.
And the OP naively assumed that the equipment being in their house automatically transferred legal ownership of it?
The ISP usually owns the router, and everything after the Telco demarcation up to the customer's cable, which is referred to as "CPE" (Customer-Premises Equipment)
This is useful to the ISP for various reasons, it can assist with troubleshooting. It can enable the ISP to implement
Re: (Score:2)
Try this with telnet. There's a pretty good chance that 4567 isn't an http port.
Re: (Score:3, Insightful)
Then you're to blame threefold: 1) By your own admission, you let a noob stand in for you: If you'd cared to have it done correctly, you should have scheduled the installation around your availability so as to ensure that it met your requirements. 2) You apparently didn't do anything to correct matters afterwards, despite the fact that it wasn't to your satisfaction, and 3) Now you're whining about it on S
Re: (Score:3, Informative)
if you had changed the password yourself, this wouldn't have happened.
I like how the fourth, fifth, tenth, whatever, redundant post saying this same sentiment STILL gets modded insightful. You know, mods, we DO have a '-1 Redundant' mod.
Re: (Score:3, Insightful)
Good job using so much caps dude. Calm down. Yelling doesn't make you look good. There's two ways to look at this:
- Verizon is doing people a favor by securing their routers a little more
- Verizon has a backdoor
FYI the option to backdoor isn't set by the tech per-se. The tech runs a program that executes several scripts. Whether the default firmware for these devices has this option on by default OR if the script does it I am not sure of. But it's normal practice for them to have this setup as is. The issue
Re: (Score:3, Interesting)
Mmm. I suggest working out in the call center trenches for a few months before you call anything a tier 1 agent does a "power trip."
On the other hand, good for you, with your router.