
Australia's Biggest Telco Sold Routers With Hardcoded Passwords

Posted by Unknown Lamer
from the who-released-the-debug-build dept.
mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

  • Re:Comcast routers (Score:5, Insightful)

    by Shavano (2541114) on Monday November 12, 2012 @11:16PM (#41964013)

    Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

    That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

  • by Cimexus (1355033) on Monday November 12, 2012 @11:24PM (#41964071)

    Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

    Also, people should be avoiding Telstra as a matter of principle anyway :)

  • by mjwx (966435) on Tuesday November 13, 2012 @12:25AM (#41964369)

    Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

    This. Most ISPs, including good ISPs like iinet and Internode (now part of the iiborg), sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (You can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did.)

    Also, people should be avoiding Telstra as a matter of principle anyway :)

    To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principle. However I'd happily avoid Telstra's other services.

  • Re:Easy fix (Score:5, Insightful)

    by WaffleMonster (969671) on Tuesday November 13, 2012 @12:56AM (#41964539)

    What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

    Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

    <A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>
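
The comment above points out that a LAN-only admin console can still be reached through a link opened in a browser on the LAN. As an added example (not part of the comment or of any router's firmware), this is a request filter an admin console could apply so that such browser-borne requests are refused regardless of which password is valid; `ALLOWED_HOSTS`, the path set and `admin_request_allowed` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed for illustration: names/addresses the console is legitimately served on.
ALLOWED_HOSTS = {"192.168.1.100", "router.lan"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed for illustration: endpoints that change device state.
STATE_CHANGING = {"/apply", "/does+something+really+bad"}


def _hostname(value, is_host_header=False):
    """Hostname from a Host header or an Origin/Referer URL, or None."""
    try:
        parts = urlsplit("//" + value if is_host_header else value)
        return (parts.hostname or "").lower() or None
    except ValueError:
        return None


def admin_request_allowed(method, target, headers):
    """Return (allowed, reason) for one request to the admin console."""
    h = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(target).path

    # 1. An unexpected Host means the browser was pointed here under another
    #    name (for example via DNS rebinding); refuse it outright.
    if _hostname(h.get("host", ""), is_host_header=True) not in ALLOWED_HOSTS:
        return False, "unexpected Host header"

    # 2. Links and image tags issue GET, so GET must never change state.
    if method.upper() in SAFE_METHODS:
        if path in STATE_CHANGING:
            return False, "state change requested with a safe method"
        return True, "read-only request"

    # 3. Anything that changes state must come from the console's own pages.
    #    Browsers send Origin on cross-site POSTs; fall back to Referer.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "no Origin or Referer on state-changing request"
    if _hostname(source) not in ALLOWED_HOSTS:
        return False, "cross-site request"
    return True, "same-origin request"


if __name__ == "__main__":
    # Constructed sample: the link from the comment, clicked on another site.
    print(admin_request_allowed(
        "GET", "/does+something+really+bad",
        {"Host": "192.168.1.100", "Referer": "http://gglan.example/"}))
```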

  • Re:Comcast routers (Score:5, Insightful)

    by Drakonblayde (871676) on Tuesday November 13, 2012 @12:59AM (#41964563)
    Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).
