Networking Australia Security Technology

Australia's Biggest Telco Sold Routers With Hardcoded Passwords

Posted by Unknown Lamer
from the who-released-the-debug-build dept.
mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

  • Comcast routers (Score:5, Informative)

    by onix (990980) on Monday November 12, 2012 @11:03PM (#41963945)
    Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      All of them using the exact same SSID and WPA (hardcoded) or each device has its unique SSID and WPA hardcoded, big diff there.

      • Re:Comcast routers (Score:4, Interesting)

        by ppanon (16583) on Monday November 12, 2012 @11:21PM (#41964047) Homepage Journal
        You think that a company that is going to hardcode the SSID/WPA password into firmware updates (instead of keeping your current settings) would go to the trouble of customizing a different firmware file for each user so that they can get a high security hardcoded default? Really?
        • Shaw does.
          • More likely, they do what Bell Canada does, which is to have the firmware read the serial number and apply an algorithm to that in order to create the default SSID/key on each modem. On the 2Wire modems, the default SSID was always BELL{last 3 digits of s/n}. I never did figure out what the algorithm was for the default key, but it is different on every modem, and on the Sagemcom modems, it's a different algorithm to figure out the default SSID as well.

            • by alexandre (53) *

              Not mentioning that Bell forces people to rent a VDSL modem even when they are not their customer! :(

              This is what I've gathered from forums and verified from the latest modem they seem to be shipping for VDSL service:
              http://wiki.reseaulibre.ca/hardware/modem/vdsl/sagemcom/F__64__ST2864/ [reseaulibre.ca]

              If anyone manages to rip Bell's parallel connection from there it'd be nice, though I'm wondering why they are the only one managing the firmware upgrades (and the many backdoors!)

        • by green1 (322787)

          Most residential broadband routers are factory configured with their own unique SSID/WPA key, this information is typed on the sticker on the bottom of the router, and is more or less unique to that specific router. Some companies have a habit of resetting everything to factory defaults when they do firmware upgrades, hence wiping out any custom SSID/WPA key and resetting to the one printed on the bottom of the device.

          Personally I recommend to most customers that if they aren't comfortable messing with the

        • by AmiMoJo (196126) *

          That's what Sky did in the UK. Their routers generated the WPA key from the wifi MAC address and the SSID was hard coded, along with the customer's ADSL login details. Totally insecure.

        • by X0563511 (793323)

          Who says you have to explicitly code it in? It could be derived from the device's S/N or MACs.

    • Re:Comcast routers (Score:5, Insightful)

      by Shavano (2541114) on Monday November 12, 2012 @11:16PM (#41964013)

      Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

      That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

      • by wvmarle (1070040)

        Average security-illiterate consumer that just wants stuff to work: "I want to connect to my WiFi. Let's check the manual... oh that's network 'mycomcastrouter' and key 'mycomcastkey' as written on a sticker on the bottom of the device. That's easy." Selects network, enters key, connects to his WiFi router, and is happy.

        Note the absence of the "sets up a WiFi password" in the above sequence.

      • by ardor (673957)

        What if the router gets upgraded, but since you aren't using WiFi much (perhaps because you only enabled it for someone else's laptop), you don't notice the SSID and WPA key got reset?

        • If the wifi use is that occasional, why not just turn it off? Seems like just another security hole. Maybe you're using some combo device instead of a separate WAP. Still seems easier to just unplug the WAP when not in use.
      • by AmiMoJo (196126) *

        Most people don't ever change the password. As long as it is securely generated in the first place that isn't too much of a problem, except that Comcast engineers can probably access your internal network whenever they like.

    • Re:Comcast routers (Score:5, Insightful)

      by Drakonblayde (871676) on Tuesday November 13, 2012 @12:59AM (#41964563)
      Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).
      • Explained this way (the hard-coded password device-specific and printed on a sticker underneath it), what you sketch here sounds practical and thoroughly reasonable (something you couldn't possibly guess from the usual Slashdot headlines though).
      • Unique != Secure. If the two are in any way related (Key = base 16 encoded SHA1 of SSID + salt, for example) then the key can be broken trivially.

        Basically, I don't trust you (the company) to not be lazy^Wcost-effective in your key generation procedure. There are numerous sites listing tables of default keys for brands of router, ripe for abuse. Those could only have been leaked by an insider (which means you've kept a copy of all of the keys, for some reason) or they weren't truly random, and therefore i
        • by tlhIngan (30335)

          Unique != Secure. If the two are in any way related (Key = base 16 encoded SHA1 of SSID + salt, for example) then the key can be broken trivially.

          Usually the default SSID is based on the WiFi MAC address, while the default password is based on the serial number of the device (which isn't broadcasted over the air, but which the ISP knows since they have to activate it). The serial number is typically the unique ID assigned to the WAN side port...
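An added example, not part of any comment in this thread: a factory-QA style audit that makes the "Unique != Secure" point concrete by checking whether the default keys in a provisioning manifest can be recomputed from values the device broadcasts. The salt, the two derivations (modelled on the SHA1-of-SSID-plus-salt example in the comment above) and the manifest records are all constructed for illustration and describe no real vendor's scheme.

```python
import hashlib
import secrets

# Hypothetical firmware-wide constant (constructed). It is the same in every
# unit, so it stops being secret once a single firmware image is unpacked.
FIRMWARE_SALT = b"constructed-example-salt"
KEY_HEX_LEN = 10  # length of the default key printed on the sticker


def _sha1_trunc(public_value: str) -> str:
    digest = hashlib.sha1(public_value.encode() + FIRMWARE_SALT).hexdigest()
    return digest[:KEY_HEX_LEN]


# Derivations the audit tests for. Each uses only values that are visible
# over the air (SSID, Wi-Fi MAC) plus the shared firmware constant.
DERIVATIONS = {
    "sha1(ssid+salt)": lambda dev: _sha1_trunc(dev["ssid"]),
    "sha1(mac+salt)": lambda dev: _sha1_trunc(dev["mac"].replace(":", "").lower()),
}


def random_key() -> str:
    """Default key drawn from the OS CSPRNG at provisioning time."""
    return secrets.token_hex(KEY_HEX_LEN // 2)


def all_unique(manifest) -> bool:
    """The property the vendor usually advertises: no two units share a key."""
    keys = [dev["key"] for dev in manifest]
    return len(set(keys)) == len(keys)


def audit_manifest(manifest) -> dict:
    """Map SSID -> derivation name for every key reproducible from public data."""
    findings = {}
    for dev in manifest:
        for name, derive in DERIVATIONS.items():
            if derive(dev) == dev["key"]:
                findings[dev["ssid"]] = name
                break
    return findings


def build_sample_manifest():
    """Three constructed units: two with derived keys, one with a random key."""
    devs = [
        {"ssid": "EXAMPLE-4F2A", "mac": "02:00:00:33:4F:2A"},
        {"ssid": "EXAMPLE-9C01", "mac": "02:00:00:33:9C:01"},
        {"ssid": "EXAMPLE-17BE", "mac": "02:00:00:33:17:BE"},
    ]
    devs[0]["key"] = DERIVATIONS["sha1(ssid+salt)"](devs[0])
    devs[1]["key"] = DERIVATIONS["sha1(mac+salt)"](devs[1])
    devs[2]["key"] = random_key()
    return devs


if __name__ == "__main__":
    manifest = build_sample_manifest()
    print("all keys unique:", all_unique(manifest))
    print("reproducible from broadcast data:", audit_manifest(manifest))
```

Every key in the sample passes the uniqueness check, yet two of the three carry no secrecy once the algorithm is known; only the randomly generated key depends on something that is not broadcast or shared across units.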

      • by bhmit1 (2270)

        Hardcoded initial passwords should never be used for anything other than the first access to a device (after a reset) to configure it with the customer's own password and settings. It should also not be usable from any public facing interfaces, but that's a side issue. This is no different from being given a temporary password and told to change it when you first login to a computer or web site.

        Leaving default passwords, even if they are unique per device, exposes the security risk that someone will discover
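An added example, not part of the comment above and not any vendor's firmware: a minimal model of the policy it describes, where the sticker password works only on an unprovisioned device, only from the LAN, and only to force a password change. The class and method names, the LAN subnet and the 12-character minimum are assumptions made for this sketch.

```python
import hashlib
import hmac
import ipaddress
import os

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
MIN_LEN = 12                                  # assumed minimum password length


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash(password, salt), digest)


class AdminAuth:
    def __init__(self, factory_password: str):
        # Only a salted hash of the sticker password is kept on the device.
        self._factory_salt = os.urandom(16)
        self._factory_hash = _hash(factory_password, self._factory_salt)
        self._user = None  # (salt, hash) once the customer has set a password

    def _factory_ok(self, password: str) -> bool:
        return _matches(password, self._factory_salt, self._factory_hash)

    def login(self, password: str, source_ip: str) -> str:
        # The admin console is never served to non-LAN sources in this model.
        if ipaddress.ip_address(source_ip) not in LAN:
            return "denied"
        if self._user is None:
            # Unprovisioned: the sticker password grants nothing except the
            # right to set a new password.
            return "must_change_password" if self._factory_ok(password) else "denied"
        salt, digest = self._user
        return "ok" if _matches(password, salt, digest) else "denied"

    def set_password(self, factory_password: str, new_password: str,
                     source_ip: str) -> bool:
        if self.login(factory_password, source_ip) != "must_change_password":
            return False
        # Reject short passwords and any attempt to keep the sticker value.
        if len(new_password) < MIN_LEN or self._factory_ok(new_password):
            return False
        salt = os.urandom(16)
        self._user = (salt, _hash(new_password, salt))
        return True

    def factory_reset(self) -> None:
        """Physical reset button: the sticker password becomes valid again."""
        self._user = None


if __name__ == "__main__":
    auth = AdminAuth("sticker-7Q2m-x9Lp")  # constructed sticker value
    print(auth.login("sticker-7Q2m-x9Lp", "192.168.1.20"))
    print(auth.set_password("sticker-7Q2m-x9Lp", "a customer chosen phrase",
                            "192.168.1.20"))
    print(auth.login("sticker-7Q2m-x9Lp", "192.168.1.20"))
```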

        • by cusco (717999)
          You would be amazed at the number of SECURITY devices which don't even allow you to change the default password, cameras especially. As a policy we recommend to customers that they not purchase Camera X because of this reason, but if that's their company standard that's what we have to install. Even on those which allow password changes none of our competitors change them unless the customer specifically requests it (and not even then if they think the customer won't check). In 90 percent of cases when w
    • by mattr (78516)

      Wonder why Comcast is not in trouble for hacking if they change the password you set yourself...

  • Easy fix (Score:2, Interesting)

    by Artea (2527062)
    Chances are this is the remote admin password for easy customer service. The devices are probably just rebranded Netgears or Belkins. Flash the firmware from the Vendor's support site, and clear off the Telstra "customer friendly" version of the firmware and this becomes a non-issue. I recall even manually adding a variable into the url enabled "advanced mode" to change this stuff without flashing the firmware.
    • by green1 (322787)

      What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

      • Re:Easy fix (Score:5, Insightful)

        by WaffleMonster (969671) on Tuesday November 13, 2012 @12:56AM (#41964539)

        What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

        Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

        <A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>

        • Reminds me of when a spam email went around in the late 90s or early 00s which informed people of a virus infection and if you had an AOL icon on your desktop, you were infected. Hahah. AOL was flooded that day with tech support calls from many who were not able to dial in. Post a similar threat warning on Facebook (fAOLbook?) and we'll have come nearly full circle again.
        • by green1 (322787)

          That's assuming that there is in fact also a way of passing dangerous information to the device by requesting a specific URL, and that you can even enter the username and password through the URL request as well. Sure, that would turn an almost non-issue into a moderately bad exploit, but it also seems like a large stretch from what was listed.

      • it *looks* like (shitty article) that you can bypass unique wireless passwords with a default admin password.
        • by green1 (322787)

          That's not how I read the article at all, the way I read it was that if you were already connected to the wireless (or wired) network, you could log in to the router with a default password to be able to change the wireless settings. Which is a much less severe problem.

          Of course, as you point out, the article is awful, so there's no real way of telling which one of us is right, or even if we're both wrong and it's something completely different.

  • ... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.
    • by Cimexus (1355033) on Monday November 12, 2012 @11:24PM (#41964071)

      Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

      Also, people should be avoiding Telstra as a matter of principle anyway :)

      • by mjwx (966435) on Tuesday November 13, 2012 @12:25AM (#41964369)

        Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

        This. Most ISPs including good ISPs like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).

        Also, people should be avoiding Telstra as a matter of principle anyway :)

        To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principle. However I'd happily avoid Telstra's other services.

    • ... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.

      For the non-tech that's akin to doing brain surgery, so that changes nothing. For the average tech, downloading a precompiled firmware is still preferable in many cases. Having the source available will allow more eyes on it and the chance to improve it, but still an easy option to 'make firmware' and be done is appealing.

  • Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.

    WTF are these people thinking?

    • by crafty.munchkin (1220528) on Monday November 12, 2012 @11:25PM (#41964083)
      You should've seen the installation tech who came to install Bigpond Cable at our office. He needed a PC to activate it, I brought out my linux laptop - I've never seen anyone so confused. He asked for Internet Explorer, I told him he could have Firefox or Chrome. I think he nearly cried.
      • We have a friend that works for HP, so we got him as our rep for maintaining our business line computer. We were having an issue and he decided the best thing would be to update the firmware (it was fairly out of date). That was when we both realized he had no idea how to do it from a non-windows computer. Turns out all you have to do to "reimage" an hp printer is *literally* print the firmware file from any computer!
      • by green1 (322787) on Monday November 12, 2012 @11:47PM (#41964211)

        I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!

        • and you don't get a black mark for a no install?

          • by green1 (322787)

            I think you misunderstood. It's not mandatory that I run some install CD or something like that, it's that the first time you try to access the internet your browser redirects you to a webpage that forces you to install software before it will let you access the internet. For non-windows machines it simply bypasses the software install because it's windows only software, but on windows machines it won't let you access the net unless the software fully installs.
            My ratings for installs are based on several fa

            • by cusco (717999)
              Wow, I haven't seen anything like that since the late '90s. Don't know how many times I killed the 2mb USWest "mandatory" download (after which it would connect fine) on our 28.8 modem, before my wife logged in and let it complete.
              • by green1 (322787)

                On our system, it's not just downloading it, you can't get online until it installs successfully and reports back that it did so. Or you can simply not run Windows (which is my preferred option anyway)
                On a side note, Android phones are a good way around this too (iphones and ipads can't even get far enough to "fail" though so you can't get online that way)

      • by wvmarle (1070040)

        The last few times I had Internet installed at either office or home, the tech always took their own laptop to set it up. So at least he has all the tools he needs at hand. I really don't understand that Bigpond Cable tech didn't carry his own laptop...

    • by SeaFox (739806)

      Forget the platform restrictions. Since when does one need to "install" a piece of hardware that's supposed to function independently of a computer.

      Anytime I see instructions saying I need to install software for a router to work I mentally add "so we can install our spyware on your computer" to the step.

      • by oobayly (1056050)

        Don't ascribe to malice ...

        One of our [self employed] brokers called me over to have a look at his laptop - BT (UK ISP) help centre wanted to update. Out of morbid curiosity I ran it. All it was was a program that launched a URL in Internet Explorer (not the default browser) and took you to their help website (no activex etc). What the fuck did it need to be updated for? All they needed to do is create a http shortcut on the desktop or start menu, but no, some dimwit decided they needed an executable to d

  • by crafty.munchkin (1220528) on Monday November 12, 2012 @11:23PM (#41964063)
    Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this [whirlpool.net.au] for one of their latest privacy blunders...
    • by mjwx (966435) on Tuesday November 13, 2012 @12:27AM (#41964389)

      Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this [whirlpool.net.au] for one of their latest privacy blunders...

      Never blame malice for what can easily be blamed for stupidity.

      Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

      • I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.
        • by mjwx (966435)

          I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.

          Were they Telstra linesmen or contractor linesmen?

          The old Telstra employed ones were good, the contractors are shite. A lot like Aus Post, the old posties used to be decent, the contractors throw parcels out the window of their van, you're lucky if it hits near your front door.

          Unfortunately, shite contractors are what happens when you farm work out to the cheapest contractors.

          I feel like this post should end with a stern warning for young people to vacate my greenery.

          • They were Telstra linesmen for almost all of the visits. The contractors actually bothered to contact me when they were coming - the Telstra techs just turned up, did the work incorrectly, and then left. The last one who came was a contractor, and he fixed up the patching to the MDF from the building sub-exchange on all six lines. Even he couldn't believe how badly it had been botched. Crossed pairs, pairs tagged incorrectly, and since Telstra only issued one job for one line at a time, this had meant so m
      • by tlhIngan (30335)

        Never blame malice for what can easily be blamed for stupidity.

        Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.

        Actually, in this case, it's probably the manufacturer of the router. Basically the ISP says "I want a modem+router for CPE (customer premises equipment), and I'll pay you $20 per unit". Yes, CPE is built down to a price because the ISP do

      • heh, their help desk is hilarious, had to get a dsl password reset, after 30 mins on the line to one of their staff from Papua New Guinea (i believe they actually give them english lessons to get them into the role) and them attempting to sms me the new randomised password 5 times and receiving nothing we were at an impasse. i gave up for the night, called back the next day to get one of their remaining australian staff, he reset the password and told me it over the phone and i was rolling. about a week l
      • I can vouch for the low quality of Telstra (big pond) internet help desk staff. The one I got couldn't really speak English, and she could barely cope even if everything stuck to the script. Unfortunately she seems to have been assigned to my case so it was she who rang me on my mobile number every time. She always wanted to speak to my wife, in whose name the phone was connected, and I was unable to communicate to her that she should ring my wife's number to speak to my wife.

        We had the phone in my wife'

    • by oztiks (921504)

      Funny story about Telstra. Wife called them up concerned that she couldn't find the latest Twilight movie on TBox. Suffice to say the "accented man" Filipino / Indian guy gave her a bittorrent address and told her she can download the movie from there :)

  • by Xtifr (1323) on Monday November 12, 2012 @11:35PM (#41964139) Homepage

    Don't be coy. What are these passwords? :)

  • You'd think these people would learn.

    But NOOOOOOOOO!

    Why not just pre-infect the fucking things and sell them to a damn botnet...

    Idiots...

  • by Grayhand (2610049) on Monday November 12, 2012 @11:47PM (#41964213)
    Just imagine all the man hours of hackers' time this saved! If only other companies were as forward thinking.
  • No problem (Score:5, Funny)

    by slazzy (864185) on Monday November 12, 2012 @11:50PM (#41964223) Homepage
    This is why I always change my password to "secret" right away.
  • Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intentional back door for... company engineers... company spies... the government... Just sayin'!
    • Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intentional back door for... company engineers... company spies... the government... Just sayin'!

      It isn't an either/or.

      Hard-coded credentials are a backdoor, whether covert or just buried in fine print; but they are a flawed backdoor because they are far too trivial for malicious 3rd parties to exploit on top of the intended malicious users.

      Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

      Neither is des

      • by bmo (77928)

        >Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.

        Until the private key gets leaked.

        Key escrow is always bad.

        --
        BMO

  • I found out last year when me and my girlfriend moved into this apartment together that Sasktel (DSL internet provider for Saskatchewan Canada) apparently also uses 2wire Routers/gateways and this one was literally screwed into the wall with a mounting bracket. Also disturbing was just doing a quick google search and sure enough in under 30 seconds I found default passwords for 2wire routers/gateways... what a surprise.

    As I have been an Access Communications customer for years with a cable modem and my own r

  • Cisco has backdoors too
    https://www.networkworld.com/community/node/57070 [networkworld.com]

  • by aaaaaaargh! (1150173) on Tuesday November 13, 2012 @04:04AM (#41965237)

    In Portugal, the passwords of the routers of the biggest telecom (TMN) are available and easy to find on the Net, and each router doesn't have just one but usually several admin and root accounts. I guess they think that as long as you can access it only from LAN and via "official channels" that's secure enough.

    • by Inda (580031)
      I thought it was common too.

      There's an app on Google Play that tries default passwords on wireless access points. I forget its name, as I only tried it a few times, and routers I was trying to connect to probably didn't have this exploit.

      ezNetScan rings a bell.
  • I think Telstra is doing a fine job on screwing .au
    • by fa2k (881632)

      Well sure, but now all Australian hardware has to be banned because this is clearly intentional government spying. Telstra was even part of the Australian government :O

  • * Do not have to wait for customer to come back from lunch to get passwords when in field.
    * No danger of leaving password written down on sticky note
    * Saves money in costly bandwidth due to encrypted data
    * Lowers customer's TCO; no encryption royalties
