Australia's Biggest Telco Sold Routers With Hardcoded Passwords
mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."
Comcast routers (Score:5, Informative)
Re: (Score:3, Informative)
All of them using the exact same SSID and WPA (hardcoded) or each device has its unique SSID and WPA hardcoded, big diff there.
Re:Comcast routers (Score:4, Interesting)
Re: (Score:3)
More likely, they do what Bell Canada does, which is to have the firmware read the serial number and apply an algorithm to that in order to create the default SSID/key on each modem. On the 2Wire modems, the default SSID was always BELL{last 3 digits of s/n}. I never did figure out what the algorithm was for the default key, but it is different on every modem, and on the Sagemcom modems, it's a different algorithm to figure out the default SSID as well.
Re: (Score:2)
Not mentioning that Bell forces people to rent a VDSL modem even when they are not their customer! :(
This is what I've gathered from forums and verified from the latest modem they seem to be shipping for VDSL service:
http://wiki.reseaulibre.ca/hardware/modem/vdsl/sagemcom/F__64__ST2864/ [reseaulibre.ca]
If anyone manages to rip Bell's parallel connection from there it'd be nice, though I'm wondering why they are the only one managing the firmware upgrades (and the many backdoors!)
Re: (Score:3)
Most residential broadband routers are factory configured with their own unique SSID/WPA key, this information is typed on the sticker on the bottom of the router, and is more or less unique to that specific router. Some companies have a habit of resetting everything to factory defaults when they do firmware upgrades, hence wiping out any custom SSID/WPA key and resetting to the one printed on the bottom of the device.
Personally I recommend to most customers that if they aren't comfortable messing with the
Re: (Score:2)
But can this login page be accessed from the WAN side of the device? If so, it's a serious security flaw. If not, it's not that big a deal as you likely already have physical access to the device anyway.
Re: (Score:2)
Possibly, but not necessarily. I have yet to find any way of doing that for the devices we use (I'm not saying it isn't possible, but the searches I've done so far have come up blank)
And if there is in fact no way to link the 2 (say that the SSID and WPA key truly are randomly generated separately) then how is this still a bad practice?
Re: (Score:2)
That's what Sky did in the UK. Their routers generated the WPA key from the wifi MAC address and the SSID was hard coded, along with the customer's ADSL login details. Totally insecure.
Re: (Score:2)
Who says you have to explicitly code it in? It could be derived from the device's S/N or MACs.
Re: (Score:2)
The hard coded default.. is not actually hard coded. The Actiontecs just use the MAC address as the default password, and I believe the serial number as the SSID (I forgot, I have not used it in years, I completely bypassed it with the use of a dlink MOCA adapter to my FBSD firewall).
Re:Comcast routers (Score:5, Insightful)
Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.
That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?
Re: (Score:2)
Average security-illiterate consumer that just wants stuff to work: "I want to connect to my WiFi. Let's check the manual... oh that's network 'mycomcastrouter' and key 'mycomcastkey' as written on a sticker on the bottom of the device. That's easy." Selects network, enters key, connects to his WiFi router, and is happy.
Note the absence of the "sets up a WiFi password" in the above sequence.
Re: (Score:2)
Yes; for the very fact that the user thinks the password protects them, while in reality it's not so much. More and more users these days are aware of the idea of password protecting wifi networks. Routers should simply require the user to set a password (or intentionally open up the network) on first installation - using some kind of setup tool and network cable.
Re: (Score:2)
What if the router gets upgraded, but since you aren't using WiFi much (perhaps because you only enabled it for your someone else's laptop), you don't notice the SSID and WPA key got reset?
Re: (Score:2)
Most people don't ever change the password. As long as it is securely generated in the first place that isn't too much of a problem, except that Comcast engineers can probably access your internal network whenever they like.
Re:Comcast routers (Score:5, Insightful)
Sounds like a reasonable way to proceed (Score:3)
Re: (Score:2)
Basically, I don't trust you (the company) to not be lazy^Wcost-effective in your key generation procedure. There are numerous sites listing tables of default keys for brands of router, ripe for abuse. Those could only have been leaked by an insider (which means you've kept a copy of all of the keys, for some reason) or they weren't truly random, and therefore i
Re: (Score:2)
Usually the default SSID is based on the WiFi MAC address, while the default password is based on the serial number of the device (which isn't broadcasted over the air, but which the ISP knows since they have to activate it). The serial number is typically the unique ID assigned to the WAN side port...
Re: (Score:2)
Hardcoded initial passwords should never be used for anything other than the first access to a device (after a reset) to configure it with the customers own password and settings. It should also not be usable from any public facing interfaces, but that's a side issue. This is no different from being given a temporary password and told to change it when you first login to a computer or web site.
Leaving default passwords, even if they are unique per device, exposes the security risk that someone will discover
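The first-access-only policy from the comment above, together with the thread's complaint about firmware upgrades resetting credentials, as a sketch. This is an added example, not part of the original post or any vendor's firmware; `AdminAuth`, the interface names, the sample factory password and the 12-character minimum are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample value standing in for the password printed on the label.
FACTORY_PASSWORD = "sticker-7Q4M-constructed"
MIN_LENGTH = 12  # assumed policy value


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminAuth:
    """Hypothetical admin-console credential store for a home router."""

    def __init__(self, factory_password: str, firmware: str = "1.0"):
        self._factory = factory_password
        self._salt = b""
        self._stored = None  # None means the device is unprovisioned
        self.firmware = firmware

    def login(self, password: str, interface: str) -> str:
        """Return 'denied', 'setup-required' or 'ok'."""
        # Assumption: remote administration is off, so nothing is accepted
        # on the public-facing side, least of all the factory credential.
        if interface != "lan":
            return "denied"
        if self._stored is None:
            # Unprovisioned: the factory password only opens the setup step.
            ok = hmac.compare_digest(password.encode(), self._factory.encode())
            return "setup-required" if ok else "denied"
        # Provisioned: only the customer's password works; the factory
        # value is no longer checked at all.
        ok = hmac.compare_digest(_derive(password, self._salt), self._stored)
        return "ok" if ok else "denied"

    def change_password(self, current: str, new: str, interface: str) -> bool:
        """Set the customer password; refuses weak or factory values."""
        if self.login(current, interface) == "denied":
            return False
        same_as_factory = hmac.compare_digest(new.encode(), self._factory.encode())
        if len(new) < MIN_LENGTH or same_as_factory:
            return False
        self._salt = secrets.token_bytes(16)
        self._stored = _derive(new, self._salt)
        return True

    def apply_firmware(self, version: str) -> None:
        """An upgrade replaces code, not configuration: credentials stay."""
        self.firmware = version

    def factory_reset(self) -> None:
        """Only an explicit reset brings the factory password back."""
        self._salt, self._stored = b"", None
```
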
Re: (Score:2)
ATM Machine
Re: (Score:2)
Wonder why Comcast is not in trouble for hacking if they change the password you set yourself...
Re: (Score:2)
Funny, last week I updated the firmware of my Fritz!Box and it magically kept all the custom settings I made, including my wireless password...
Re: (Score:2)
That's how *Comcast's shitty* hardware works.
FTFY. There are better ways of doing things...
Re: (Score:2)
Full disclosure: I am not an engineer at Comcast, but a lowly technician. When a firmware update goes through, it resets defaults on everything. That's how hardware works.
Reason 0xF21C to never use Comcast as a provider.
Re:Comcast routers (Score:5, Interesting)
No one serious about security would use Comcast anyway.
Like your choice of ISP magically changes the reality of Internet being a fully untrusted and untrustworthy network.
Always assume your pipe is compromised and use end-to-end security if you care about the confidentiality and integrity of any data you transmit over the Internet.
I don't know anyone in the tech field that uses them
LOL I know of many network engineers who work for first and second tier operators who use comcast at home.
CenturyLink is so reliable that they own the market for professionals. I used Comcast for a while, but the 200+ msec ping made SSH unusable
YMMV... my pings are about 30ms to google and 20ms when using comcast as a WAN link to our corporate office.
like everyone else that needs a reliable connection, gave up on them years ago. They don't try and don't care.
These comments are pointless. If you look for it there will always be someone saying megaco x is horrible because y happened or megaco a is great because b happened. Our personal experiences mean squat. You would be on better footing by citing the results of a customer satisfaction survey.
Re: (Score:2)
Yes Century Link cares, only as far as receiving your payment, however. I had Qwest when I first moved into Denver area. A month later, Century Link took over and disregarded the install payment plan we had arranged with Qwest, and received a disconnection notice as our first contact from Century Link.
I made a payment with the credit card over the phone for $100, and said I can pay the other $30 with my next bill. OK says the CSR, and 10 days later my net and phone are disconnected. Finally finding a paypho
Easy fix (Score:2, Interesting)
Re: (Score:2)
What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)
Re:Easy fix (Score:5, Insightful)
What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)
Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started
Re: (Score:2)
That's assuming that there is in fact also a way of passing dangerous information to the device by requesting a specific URL, And that you can even enter the username and password through the URL request as well. Sure, that would turn an almost non-issue in to a moderately bad exploit, but it also seems like a large stretch from what was listed.
Re: (Score:2)
That's not how I read the article at all, the way I read it was that if you were already connected to the wireless (or wired) network, you could log in to the router with a default password to be able to change the wireless settings. Which is a much less severe problem.
Of course, as you point out, the article is awful, so there's no real way of telling which one of us is right, or even if we're both wrong and it's something completely different.
More the reason ... (Score:2)
Re:More the reason ... (Score:4, Insightful)
Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.
Also, people should be avoiding Telstra as a matter of principle anyway :)
Re:More the reason ... (Score:4, Insightful)
Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.
This. Most ISP's including good ISP's like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).
Also, people should be avoiding Telstra as a matter of principle anyway :)
To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principle. However I'd happily avoid Telstra's other services.
Re: (Score:2)
... for Open Source. Compile it yourself if you want to, or download it from a reputable place and trust it.
For the non-tech that's akin to doing brain surgery, so that changes nothing. For the average tech, downloading a precompiled firmware is still preferable in many cases. Having the source available will allow more eyes on it and the chance to improve it, but still an easy option to 'make firmware' and be done is appealing.
If you have a MAC... (Score:2)
Step 1 of 3: Install the BigPond Elite Network Gateway on a Windows computer by using the installation USB stick that came with your kit.
WTF are these people thinking?
Re:If you have a MAC... (Score:5, Funny)
HP printer firmware upgrade via print ? (Score:4, Interesting)
are you serious ?
so you're telling me that I can screw your entire print service and DOS it by sending it a print job ?
is this only over USB or Networked as well ?
(this is not a bad solution to upgrade the firmware but I bet they don't sign their firmware only use a magic hexcode to initiate the upgrade )
regards
John
Re:HP printer firmware upgrade via print ? (Score:4, Interesting)
That sounds like HP all right. A simple nmap portscan kills their Jetdirect cat5 to parallel boxes dead. Not factory reset dead, but desolder a chip and replace it with a new one dead.
Re: (Score:2)
I'm hearing similar rumblings for a high end LG fridge. Think we're going to be seeing more of this as time goes by...
Re: (Score:2)
It's a network printer and yes, I was amazed at how ridiculously insecure it was as well. Even if they DID sign it, and I'm certain they don't, all it takes is for HP to release 1 buggy version, which would be signed, for someone to screw up a printer. BTW, you can also print (and update the firmware) over an unprotected FTP port which is enabled by default.
In other words, thou shalt firewall thine printers!
Re: (Score:2)
so you're telling me that I can screw your entire print service and DOS it by sending it a print job ?
..and halt and catch fire, possibly. http://redtape.nbcnews.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say [nbcnews.com]
HP do now support code signing, whereas previously they had code singeing. And of course, everyone with a networked HP printer has applied the patches, right?
Re:If you have a MAC... (Score:5, Interesting)
I install ADSL service for a Largish telco. I am always THRILLED when someone brings out a computer that isn't running windows. The reason? Windows machines support our company's software install, which is mandatory, can't be skipped, and takes 15 mins+ to install the first time you open a browser. However, if you are using a Mac, or Linux, or various other devices, the software install fails right away, gives you a warning telling you that your system doesn't meet our minimum requirements, and then without further ado activates the connection so everything works. Net benefit is that it saves me 15+ minutes, and the customers are happier because they don't have 4 more programs installed on their desktop!
Re: (Score:2)
and you don't get a black mark for a no install?
Re: (Score:2)
I think you misunderstood. It's not mandatory that I run some install CD or something like that, it's that the first time you try to access the internet your browser redirects you to a webpage that forces you to install software before it will let you access the internet. For non-Windows machines it simply bypasses the software install because it's Windows-only software. But on Windows machines it won't let you access the net unless the software fully installs.
My ratings for installs are based on several fa
Re: (Score:2)
On our system, it's not just downloading it, you can't get online until it installs successfully and reports back that it did so. Or you can simply not run Windows (which is my preferred option anyway)
On a side note, Android phones are a good way around this too (iphones and ipads can't even get far enough to "fail" though so you can't get online that way)
Re: (Score:3)
The last few times I had Internet installed at either office or home, the tech always took their own laptop to set it up. So at least he has all the tools he needs at hand. I really don't understand that Bigpond Cable tech didn't carry his own laptop...
Re: (Score:3)
Forget the platform restrictions. Since when does one need to "install" a piece of hardware that's supposed to function independently of a computer.
Anytime I see instructions saying I need to install software for a router to work I mentally add "so we can install our spyware on your computer" to the step.
Re: (Score:2)
Don't ascribe to malice ...
One of our [self employed] brokers called me over to have a look at his laptop - BT (UK ISP) help centre wanted to update. Out of morbid curiosity I ran it. All it was was a program that launched a URL in Internet Explorer (not the default browser) and took you to their help website (no activex etc). What the fuck did it need to be updated for? All they needed to do is create a http shortcut on the desktop or start menu, but no, some dimwit decided they needed an executable to d
Re: (Score:2)
Those are *completely* absurd statements that indicate an *utter* lack of comprehension as to how computer and peripherals actually are and how they work.
Besides being stupidly paranoid.
Then explain why a router would need any software on a PC to make the router run?
DHCP should be all that's needed, and it ought to be part of a base install of all systems out there.
Re: (Score:2)
You need to re-read the OP.
The Windows-only software is needed to install updated router firmware. The firmware that comes factory-installed on the router doesn't need Windows.
(That's still an incompetent updating method; other routers have had browser-based updating for 10 years.)
Re: (Score:2)
They could.
I know from personal experience that they generally are not good, and are more work than just telling the user how to access the web-based admin interface.
Is there any reason this easy setup wizard couldn't be just part of the web admin? Nope.
Not surprised at all. (Score:5, Interesting)
Re:Not surprised at all. (Score:4, Funny)
Telstra are a notoriously dodgy company with a history of being idiots when it comes to customer's privacy and account security. Have a read of this [whirlpool.net.au] for one of their latest privacy blunders...
Never blame malice for what can easily be blamed for stupidity.
Telstra's consumer level staff are notoriously incompetent. Their linesmen are generally OK (thanks to the union pushing for training) but their helpdesk/home support is an insult to trained monkeys everywhere.
Re: (Score:2)
I agree re helpdesk, and I'd like to agree with you re linesmen, however at my former employer, it took 13 visits by linesmen to get 6 lines installed at new premises, over the course of 3 months. It was an absolute disaster.
Were they Telstra linesmen or contractor linesmen?
The old Telstra employed ones were good, the contractors are shite. A lot like Aus Post, the old posties used to be decent, the contractors throw parcels out the window of their van, you're lucky if it hits near your front door.
Unfortunately, shite contractors are what happens when you farm work out to the cheapest contractors.
I feel like this post should end with a stern warning for young people to vacate my greenery.
Re: (Score:3)
Actually, in this case, it's probably the manufacturer of the router. Basically the ISP says "I want a modem+router for CPE (customer premises equipment), and I'll pay you $20 per unit". Yes, CPE is built down to a price because the ISP do
Re: (Score:2)
Funny story about Telstra. Wife called them up concerned that she couldn't find the latest Twilight movie on TBox. Sufficed to say the "accented man" Filipino / Indian guy gave her a bittorrent address and told her she can download the movie from there :)
Re: (Score:2)
I would object to the label of dodgy when clearly we have a transatlantic network that is sufficient for you to post on slashdot with.
Assuming you actually do work for Telstra, I can judge the company as quite dodgy, and completely incompetent based on this statement alone: Australia is in the Pacific, not the Atlantic, and if your network is transatlantic, you clearly have no idea what the hell you're doing.
So what are they? (Score:3)
Don't be coy. What are these passwords? :)
Re:So what are they? (Score:4, Funny)
I thought they picked something secure like Hunter2?
Re: (Score:2)
I thought they picked something secure like *******?
I don't get it, why would you want ******* as a password?
What's the IP block for D'OH! (Score:2)
You'd think these people would learn.
But NOOOOOOOOO!
Why not just pre-infect the fucking things and sell them to a damn botnet...
Idiots...
Merely a time saving measure (Score:4)
No problem (Score:5, Funny)
Re: (Score:2)
Damn it! Now I have to change my password! Thanks!
A flaw, really? (Score:2)
Re: (Score:2)
Just a simple flaw? That's what they want you to believe. Hard-coded passwords are NOT a flaw, they are an intentional back door for... company engineers... company spies... the government... Just sayin'!
It isn't an either/or.
Hard-coded credentials are a backdoor, whether covert or just buried in fine print; but they are a flawed backdoor because they are far too trivial for malicious 3rd parties to exploit on top of the intended malicious users.
Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.
Neither is des
Re: (Score:2)
>Something like, say, an SSH client with a hardcoded public key, to which The Man holds the matching private key, is a non-flawed intentional backdoor; because it keeps unintended 3rd party malice to a minimum, while still letting the backdoor users in.
Until the private key gets leaked.
Key escrow is always bad.
--
BMO
Re: (Score:2)
>If The Man's copy of private key gets leaked then security is lost, but that's true however many people had it to begin with.
"Three can keep a secret, if two of them are dead." - Benjamin Franklin.
I reiterate: key escrow is always bad.
--
BMO
Sasktel is the same (Score:2)
I found out last year when me and my girlfriend moved into this apartment together that Sasktel (DSL internet provider for Saskatchewan Canada) apparently also uses 2wire Routers/gateways and this one was literally screwed into the wall with a mounting bracket. Also disturbing was just doing a quick google search and sure enough in under 30 seconds I found default passwords for 2wire routers/gateways... what a surprise.
As I have been an Access Communications customer for years with a cable modem and my own r
Cisco (Score:2)
Cisco has backdoors too
https://www.networkworld.com/community/node/57070 [networkworld.com]
Isn't that common practice? (Score:3)
In Portugal, the passwords of the routers of the biggest telecom (TMN) are available and easy to find on the Net, and each router doesn't have just one but usually several admin and root accounts. I guess they think that as long as you can access it only from LAN and via "official channels" that's secure enough.
Re: (Score:2)
There's an app on Google Play that tries default passwords on wireless access points. I forget its name, as I only tried it a few times, and routers I was trying to connect to probably didn't have this exploit.
ezNetScan rings a bell.
Why worry about Huawei? (Score:2)
Re: (Score:2)
Well sure, but now all Australian hardware has to be banned because this is clearly intentional government spying. Telstra was even part of the Australian government :O
This saves a lot of time and money (Score:2)
* Do not have to wait for customer to come back from lunch to get passwords when in field.
* No danger of leaving password written down on sticky note
* Saves money in costly bandwidth due to encrypted data
* Lowers customer's TCO; no encryption royalties