Australia's Biggest Telco Sold Routers With Hardcoded Passwords

mask.of.sanity writes "Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."

Re:Comcast routers

[__aaltlg1547]

Some Comcast Xfinity routers have WiFi SSID and WPA encryption key hardcoded. It can be changed via software interface only to be reset when Comcast sends a firmware upgrade.

That's a little different. If Comcast changes my SSID and password, the first thing I'm going to notice is my wireless devices are no longer connected to the network. Where's the security problem in that?

Re:More the reason ...

[Cimexus]

Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

Also, people should be avoiding Telstra as a matter of principle anyway :)

Re:More the reason ...

[mjwx]

Or, indeed, try to avoid using the modems/routers sold by telcos/ISPs. The ones they try to sell you usually suck anyway ... I've always preferred to use my own. Bought a good high-end ADSL2+ modem/router quite a few years ago and it's served me well through 3 or 4 ISPs.

This. Most ISP's including good ISP's like iinet and Internode (now part of the iiborg) sell the finest, cheapest Belkin for about twice what you'd pay outright for them. I think an ISP sold Fritzboxes for a while (but they may have become part of the iiborg by now). If you want a quality ADSL modem/router for use with an Oz ISP you need to buy it yourself. Chances are it'll be cheaper than going through an ISP anyway. (you can take my Linksys WRT54G from my cold dead hands, I'd probably die of old age long before it did).

Also, people should be avoiding Telstra as a matter of principle anyway :)

To be fair, Telstra Mobile pre-paid is not bad these days for price, speed and coverage. VHA and Optus both have terrible networks, plus I refuse to do business with Optus on principal. However I'd happily avoid Telstra's other services.

Re:Easy fix

[WaffleMonster]

What's the likelihood this is even a remote exploit? I bet it's a LAN admin password, (the article doesn't say) which means that 99% of the routers are no less secure because of it. (in most cases if you are connected to the LAN, you already have physical access to the router, and there's nothing much that secures it against that)

Welcome to the global good luck alchemy network (GGLAN) where we turn your bad luck into good luck. Glum? Tired? Board? We can help! To get started

<A HREF="http://192.168.1.100/does+something+really+bad">Click here</A>

Re:Comcast routers

[Drakonblayde]

Full Disclosure: I am a network engineer for Comcast. They are indeed hardcoded, but they are unique to each device. When you're deploying customer CPE, it's a damned if you do, damned if you don't situation. Either we provide the same defaults, and no one ever changes them, which leads to an increase in the amount of security incidents, or we don't set them and the customer chooses their own and then forgets them and complains to our support about it because we don't know their passwords. Or they can be hardcoded, with the option to let the customer change them. Most folks don't and just go with the defaults. Since they're unique defaults, this cuts down on the amount of security incidents, and since it's hardcoded, if the customer ever forgets their password, it's as simple as resetting the device to factory default and telling them to look for the sticker (if they did change them) or telling them to just look at the sticker (if they didn't).