Sprint DSL's Security Hole Easy As 1,2,3,4 373

Posted by timothy
from the oh-didn't-you-catch-that dept.
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
  • Shit (Score:5, Funny)

    by Anonymous Coward on Thursday January 23, 2003 @04:01PM (#5145845)
    Time to change the combo on the luggage again.
    • Re:Shit (Score:3, Funny)

      by deadsaijinx* (637410)
      can anyone say Spaceballs.
      "tell us the combinations to the air lock."
      "fine, i'll tell. it's ... 1 . 2 . 3 . 4 . 5..."
      "1,2,3,4,5?! that's the kind of code an idiot would put on their baggage!" (President Skroob arrives)
      "so what's the combo"
      "the combo is 1,2,3,4,5."
      "whoa, what a coincidence. that's the exact same code i have on my luggage!"

      ----i love that movie ----
  • by Amsterdam Vallon (639622) <amsterdamvallon2003@yahoo.com> on Thursday January 23, 2003 @04:02PM (#5145862) Homepage
    The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.

    The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.

    You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.
    • by Artifex (18308)
      The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.


      Some people [google.com] are pretty opinionated [powells.com] about that, in fact.
      • Some people [google.com] are pretty opinionated [powells.com] about that, in fact.
        Hmmm, Mitnick says... Yes? This coming from a guy that got SOCIALLY RE-ENGINEERED, hehe.
    • by pjrc (134994) <paul@pjrc.com> on Thursday January 23, 2003 @06:43PM (#5147032) Homepage Journal
      people will always be stupid. You can't change that.

      Default setup and settings don't need to (be stupid). That can be changed.

    • by CliffH (64518)
      I think the scariest part about all of this is, most telcos, telecoms, ISPs, anyone who offers these services, will have one password for all. This is not an isolated case by a long shot and at the very least, customers who have their broadband installed should be made aware that their equipment:
      1) Does have a password
      2) This is your password and you should change it
      3) Here are the instructions to change the password or alternatively I/we can do this for you
      4) Once I/we leave here, it is your responsibility to look after your equipment unless you have a specific contract with us stating otherwise (managed IP networks, Frame Relay, yada yada)

      Now, we all know that the contracts will absolve the ISP/Telco of any harm caused by this and we all know how well people read those contracts. A simple, "Here's the deal" would suffice and make sure it is one sheet of paper in easy to understand language that all involved can reference.

      Ok, enough ranting.

      • by arkanes (521690) <arkanes@NOsPAM.gmail.com> on Thursday January 23, 2003 @07:16PM (#5147206) Homepage
        They might not get away 100% on this one - I don't have Sprint, but my experience with broadband ISPs and Telco's in general leads me to think that they, like most of the others, think of the modem as belonging to them (which, in some cases it probably does, since they lease them), and they insist on retaining control over it - many of them even get very grumpy if you reset the password on it, to the point of cancelling your service.

        Ah ha. From the Sprint DSL website: "Modem remains the property of Sprint and must be returned to Sprint if FastConnect DSL service is discontinued."

        I can't find a copy of their user agreement on the website (I really hate companies that don't let you see that until AFTER you're mostly committed to buying. How am I supposed to make a decision if they won't tell me their policies?) but I suspect (unless they changed it right before this became public) that it's standard boilerplate, which wouldn't include anything about the customer having to maintain those modems.

  • by kenthorvath (225950) on Thursday January 23, 2003 @04:03PM (#5145865)
    President Skroob: "What's the combination?"

    Colonel Sandurz: "1-2-3-4-5."

    Skroob: "1-2-3-4-5?"

    Sandurz: "Yes."

    Skroob: "That's amazing! I've got the same combination on my luggage!"

  • by Uninvited Guest (237316) on Thursday January 23, 2003 @04:03PM (#5145868)
    Who needs a social engineer to get the password, when we have the fine folks at Sprint around.
  • Home users (Score:5, Interesting)

    by Ogrez (546269) on Thursday January 23, 2003 @04:03PM (#5145882)
    Yeah.. but 90% of home users can't remember their email password, do you really want them changing the password on the hardware... It comes with the default password, it's impractical for the ISP to change them all, and should the user change it, then forget it, it's an hour-long tech support call to fix it. Replace user, press any key to continue.
    • Re:Home users (Score:5, Informative)

      by taliver (174409) on Thursday January 23, 2003 @04:34PM (#5146197)
      Not really a problem.

      Lots of switches and other equipment comes with hardware passwords. When these are lost, you can call the company and get a password by reading off a serial number identifier off of the equipment. When you enter that password, the machine is reset and all information previously on it is gone.

      That would be good enough for most users in any event.
      • Smoking? (Score:3, Insightful)

        by Bios_Hakr (68586)
        What are you smoking....and can I have some?

        Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.

        First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific piece of equipment would create a logistical nightmare.

        Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.
    • oh that is so bullshit

      Earthlink used Zyxel 645 too, all their passwords are changed (tried to get in, can't).

      besides, who in their right mind (general populace, now) would go into their modem? to do what? if they had to, do you think they would sell at all? (in this "plug and play is good" world)

      of course - ZyXEL's 645 are actually pretty nice if you do get inside and flash a "proper" bios - you can set it up as a router directly, saving you some bux on that D-Link; but no web-configure, though.
  • by Dolemite_the_Wiz (618862) on Thursday January 23, 2003 @04:05PM (#5145899) Journal
    This is Sprint, the ISP who doesn't do a thing about hackers originating from their domain.

    I don't know how many times in the past I've tracked hackers at work to Sprint's networks.

    Getting a reply or action from Sprint Security is non-existent. I guess it takes an article published in 'Wired' to get action from them.

    Sprint and Prodigy are renowned for not working with customers in addressing security issues.

    Dolemite
    _________________________________
    • by Zaknafein500 (303608) on Thursday January 23, 2003 @05:12PM (#5146461) Homepage
      Sprint just laid off several thousand employees from its HQ here locally. My guess is the staff that runs the abuse@ account were the first to go.

      My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse, is that these modems are quite clearly running Netgear firmware, which by default doesn't allow connections externally. So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.
      • Which is why I send my spam/hacker reports to abuse@, support@, and sales@. And be persistent. abuse@ might not net you anything, but support@ is usually staffed by someone. And if all else fails, someone in sales@ will get confused because they know nothing about computers and forward it to someone who can but doesn't usually mess with such things. And even if nothing happens, you're causing them to waste time and money by processing your emails.
  • by Lord_Slepnir (585350) on Thursday January 23, 2003 @04:08PM (#5145932) Journal
    Can j00 0wnz0r me now? g0000d!
  • 1234 (Score:5, Insightful)

    by qoncept (599709) on Thursday January 23, 2003 @04:08PM (#5145933) Homepage
    How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.
    • Re:1234 (Score:5, Insightful)

      by kiwimate (458274) on Thursday January 23, 2003 @04:25PM (#5146111) Journal
      The flaw is in not requiring the user to change it.

      Sorry, but I disagree. It goes higher than that. This is a piece of equipment provided by Sprint to paying customers in order to facilitate the network service. Therefore, it's incumbent upon Sprint to modify the default password, not the user. The user is paying for a complete service, and as such should have a reasonable expectation of at least moderate safeguards in place, particularly given the well-known dangers of a permanent Internet connection.

      By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.

      However, that's a different situation -- a company buys a database server with the expectation of having to perform post-purchase configuration. Did you sign up for DSL or cable service, get a modem as part of the package, and expect to have to perform some final configuration?
      • > [...] and Oracle has a default logon name of system with a default password of manager.

        "SYSTEM/MANAGER"? Why, that's the stupidest password ever! It's the kind of password some VMS administrator might put on his DECserver's luggage!

        • Re:1234 (Score:3, Informative)

          by arkanes (521690)
          I thought the Oracle one was scott/tiger. At least, thats what the Net8 tools try when you attempt to verify a connection...
      • Re:1234 (Score:3, Interesting)

        by CaptainZapp (182233)
        By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.

        Oh boy, how much do I agree. The difference however seems to be that Sybase makes it excessively clear that you must change the sa password after installation (even better: create an account with appropriate privileges and lock down sa) in their installation/configuration manual for the respective platform.

        Even though I think Microsoft is a deeply unethical and dishonest company, which screws its customers from front, back and the side and has an abysmal track record regarding security, they didn't deserve the bad press regarding this "hole".

        The Sprint issue seems very different though, from what I read they provide the DSL modem as an applicance, which they own and maintain and should be held responsible for their incompetence or lazyness.

        If I as a database consultant set up SQL Server (or any other database engine for that matter) it is my professional responsibility to apply basic industry standard security practices to the product which I installed. If I ship you a CD with postgresql on it, it's your responsibility to read the installation manual and apply such fundamental changes yourself. It's that simple.

    • Re:1234 (Score:5, Insightful)

      by SlashdotLemming (640272) on Thursday January 23, 2003 @04:26PM (#5146130)
      The flaw is in not requiring the user to change it.

      The flaw IS requiring the user to change it. Why is remote administration even enabled by default?

      Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.
  • by guido1 (108876) on Thursday January 23, 2003 @04:09PM (#5145943)
    "We recommend that customers change the (administrative) password to increase security..." said Sprint FastConnect spokeswoman Laura Tigges.

    Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.


    They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)

    Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.

    • On the other hand...

    This has been around for a while. I wonder how many users have actually been affected.
  • Randomize (Score:3, Funny)

    by Jason1729 (561790) on Thursday January 23, 2003 @04:09PM (#5145944)
    ZyXel should set it so the password is randomized by default. That way, it might not be possible for the user to get in, but at least it will be more secure. For boosted security, they could make it re-randomize the password every hour.

    Jason
    ProfQuotes [profquotes.com]
    • by grub (11606)

      For boosted security, they could make it re-randomize the password every hour.

      Yes, that makes a lot of sense, randomly change the password and lock out the user after an hour. Or were you suggesting something even more brilliant: change the password and display it on the user's screen?

      Sheeeesh.
  • by jandrese (485) <kensama@vt.edu> on Thursday January 23, 2003 @04:10PM (#5145947) Homepage Journal
    How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.

    So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
    • Well, you make it so they HAVE to change the password to gain internet connectivity. This comes from a security paranoid linux user who also likes OpenBSD.
      • I happen to agree with you on your choice of OSes and I don't think of myself as paranoid but rather what I like to call "right" and I suspect you are also. :)

        In any case the problem here is that they don't want people to change the passwords and they want them to be the default or at least a well known password and any well known password *will* become public. This is of course because the vast majority of their lusers will fsck up changing the passwords and it will be a support nightmare. Also if they can get into the router, please for the love of gawd quit calling them modems, it is much easier for them to provide support. Of course the password leaked and now they need to put a good spin on it and in Amerika what better way to put a good spin on it than to blame the customer.

        Yes we do in fact live in a sad fscked up world.

    • How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch?

      So let me get this straight. You're supposed to administer your own DSL modem ... but if you administer your own cable modem, you run the risk of the police busting down your door. Do I have it right?

      What a confusing world we live in.


    • I got a ZyXEL DSL router from my ISP and the first thing I did was change the password. As I bet anyone concerned with security at all does. But let's face it, most users are running Windows, so what does it matter that your modem can be 0wned when your friggin' computer can be as well?

      Not that the story isn't important, if Sprint is so unconcerned as to let these modems out the door unprogrammed what's to say their whole operation isn't infiltrated?
  • by wulfhere (94308) <[gro.snamffuh] [ta] [mit]> on Thursday January 23, 2003 @04:10PM (#5145951) Homepage
    I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our responsibility to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISPs will NEVER have customer service that compares favorably to a local ISP.
  • 10 Print "1234"
    20 Print "Brought to you by the 133t Animal Kracker"
    30 Print "Go 0wnz some modems!"
    40 END

    f34r my sk1LLZ!

    BTW: The Animal Kracker was the name I used when I was 13 and using Locksmith 3.0 to copy Apple II games. Ahh.. the innocence of youth...;)

  • by ortholattice (175065) on Thursday January 23, 2003 @04:12PM (#5145966)
    They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?
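    Added example (not from the thread, and not Sprint's or ZyXEL's code) of the sweep the comment above describes: try the factory default against each device, and only where it still works, set a random per-device password and record it keyed by IP so the provider can still log in for maintenance. Customers who already changed their password are skipped. The `SimulatedModem` class is a constructed stand-in for the admin login; a real run would drive the modem's telnet interface instead, and the returned vault would need to be stored encrypted.

```python
import secrets
import string
from dataclasses import dataclass

# The factory default named in the Wired story.
DEFAULT_PASSWORD = "1234"


@dataclass
class SimulatedModem:
    """Stand-in for a deployed modem's admin login. Constructed for this
    example; a real sweep would talk to the device over telnet instead."""
    ip: str
    password: str
    logins: int = 0

    def login(self, password: str) -> bool:
        self.logins += 1
        return secrets.compare_digest(password.encode(), self.password.encode())

    def set_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        self.password = new
        return True


def generate_password(length: int = 16) -> str:
    """Random per-device password from the OS CSPRNG; letters and digits only
    so it survives being typed over a telnet session or read to a customer."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_default_passwords(modems, default=DEFAULT_PASSWORD, vault=None):
    """Try the factory default on every device. Where it still works, set a
    fresh random password and record it keyed by IP. Devices that reject the
    default were already changed by the customer and are left alone.
    Returns the vault (ip -> new password)."""
    vault = {} if vault is None else vault
    for modem in modems:
        if not modem.login(default):
            continue
        new = generate_password()
        if modem.set_password(default, new):
            vault[modem.ip] = new
    return vault


def still_default(modems, default=DEFAULT_PASSWORD):
    """Post-sweep audit: IPs that still accept the factory default."""
    return [m.ip for m in modems if m.login(default)]


if __name__ == "__main__":
    # Constructed fleet: two devices on the default, one already changed.
    fleet = [SimulatedModem("10.0.0.1", "1234"),
             SimulatedModem("10.0.0.2", "hunter2"),
             SimulatedModem("10.0.0.3", "1234")]
    vault = rotate_default_passwords(fleet)
    print(f"rotated {len(vault)} devices; still on default: {still_default(fleet)}")
```

    Note that rotating the credential only stops password guessing; if the admin port is still reachable from the WAN side, a leaked vault or a firmware bug puts every device back at risk, so the sweep should be paired with filtering telnet/http/tftp to the LAN interface.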
  • security (Score:2, Insightful)

    by phantomwolph (552305)
    Why is it that people will spend a fortune securing their homes and cars and leave their computers wide open? Unfortunately all these stories wind up on the tech sites but Joe six-pack only reads the sports section of the newspaper.
  • About a month ago, I had to help my on-site person hack into one of those Zyxel modems since they had a fixed IP, and the modem came NAT pre-enabled. Why does the world want NAT enabled?!?!

    ttyl
    Farrell
  • I've used ZyXEL DSL modems before, and IIRC their admin interfaces were only inwardly pointing (only accessible via the ethernet i/f). Is this the case and Wired is overstating the problem, or is the outward admin IF turned on and Sprint are dumbasses? Or is there no way to set it and my memory is shot?
    • You're correct. By default, they (at least the ZyXEL 64x series) only accept telnet connections from the ethernet interface. It CAN be set up to accept telnet connections from anywhere. If Sprint did this, and did not change the default password, I smell a lawsuit brewing...
  • by t0qer (230538) on Thursday January 23, 2003 @04:18PM (#5146029) Homepage Journal
    Jobless, and too smart for my own good, I'm tempted to try and find some routers. Just tempted, I never do bad stuff like compromise others' networks.

    Why didn't sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and been done with it.

    Now that it's been published on wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored"
  • Zyxel's fault? (Score:5, Insightful)

    by dcavens (178673) on Thursday January 23, 2003 @04:18PM (#5146036)
    As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).

    Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?
  • by Malc (1751)
    When I signed up for US Worst's (now Qwest/MSN) DSL about four years ago, the Cisco 675 modem they were shipping came with a default password. You could telnet in to the modem from over the internet, reconfigure it so that the user couldn't connect to the web and then change the admin password so they couldn't fix it! >:) To make it even easier, all the DSL IPs had hostnames containing "dsl", so a simple DNS zone transfer saved having to scan for the modems/routers.
  • To only allow remote access once the password had been changed by the user.
  • xDSL passwords (Score:2, Interesting)

    by Lord Prox (521892)
    I have been doing xDSL installs for a few years and I have noticed a strange thing...

    All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.

    In contrast some of the smaller xDSL providers seem to be more on the ball with these things.

    I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.

    One more thing... one more luggage joke and I'm going to have to kill someone...


    Vidomi [vidomi.com] Killer media player and network distributed video encoder.
  • Pacific Bell (Score:3, Informative)

    by Leme (303299) <jboyce.ci@redding@ca@us> on Thursday January 23, 2003 @04:25PM (#5146103)
    Has the same exact issue. All of the Cayman & Efficient routers are usually set up with the default password. Which, by a quick google search, is easily obtainable.

    This only applies to business customers who ordered the router option instead of a bridge.

    • Bellsouth supplies Cayman routers to their business DSL users and they don't even have a password set by default. You have to log in and set it, and no one ever does. They REQUIRE businesses to pay for the install ($200 IIRC). I asked one of their installers to set the password... she was hesitant to do so because that would make it harder for them to get in. Well duh. What's really funny is that you don't even need to scan for those routers; they have a default interface served by a webserver. So, a simple Google search for text on the admin page will turn up LOTS of those routers... no scanning required. And yes, the kiddies know about the problem, I found out about it on a wannabe hacker site (neworder.box.sk, I think). And no, I'm not a script kiddie, I've just found that it pays to keep an eye on them.
  • as the saying goes (Score:2, Insightful)

    by natefanaro (304646)
    Your security is only as good as your dumbest user.

    A buddy of mine and I have been uttering those words for years.
  • by nochops (522181) on Thursday January 23, 2003 @04:29PM (#5146155)
    Wired found that more than 90% of the modems they polled were using that default password

    Isn't this wrong?
    Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IPs on our ISP's network. These were all trying to infect the machine with Back Orifice, but since it was already patched, they just DOS'd the box.

    When the DOS was done, I promptly and naively swept the ISP's class-B for open port 31337 (Back Orifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.

    They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.

    I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.

    Anyone care to comment?
    • Maybe Wired only scanned 10 modems.

      Or, maybe they called their ISP, identified who they were and what they were doing, and got permission to perform the scan.

      Or maybe they signed up for a specific plan that allows scanning like that.

      Travis
    • I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.

      Simple:
      1) they have more money than you.
      2) they didn't get caught.
    • Isn't DMCA beautiful? :P

      Yo Grark
    • how exactly do you come to the conclusion that your ISP was "keeping an eye on you"? I mean, what evidence did you see...

      % wget http://some.site.out.there/foo
      --15:23:09-- http://some.site.out.there/
      => `foo'
      Connecting to 1.2.3.4:80... connected!
      HTTP request sent, awaiting response... 200 OK
      Length: 666 [text/html]

      0K -> .....we... ...are.... .watching. ..you..... [100%]
    • Many routers serve an admin interface webpage with NO password set by default (see my earlier comment about Cayman routers supplied by Bellsouth and others). You can do a Google search for these: if Google found the default page and not "enter username and password" the router is vulnerable. You never have to touch it or connect to it to know, you just have to look at the Google cache. Is that wrong? I don't think so. Sort of like if you're walking around in public with a "kick me" sign on your back, and find it funny but never bother you, can you have me prosecuted for knowing that it was there? What if I tell you about it so that you can remove it? Or would you rather wait for someone to kick you?
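    Added example (not from the thread, and not any vendor's code) of the check the comment above describes, applied to a raw HTTP response you already have, whether from your own router's WAN address or a cached copy of its page: it separates a device that answers with an auth challenge or a login form from one that hands over its configuration page to anyone. The marker strings and the four sample responses are constructed for the example; real firmware uses its own page titles, so the marker lists are a starting point, not a signature database.

```python
from typing import Dict, Tuple

# Page fragments that, in this example, mark a router admin UI. Constructed for
# the example; extend them with the titles of the devices you actually run.
ADMIN_MARKERS = ("router configuration", "wan settings", "ppp username",
                 "system administration")
# Fragments that show the page is only asking for credentials, not serving config.
LOGIN_MARKERS = ("enter username and password", '<input type="password"',
                 'name="password"')


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def classify_admin_exposure(raw: bytes) -> str:
    """'exposed'       -> 200 with configuration content and no credential check
       'auth-required' -> HTTP auth challenge (401/407 or WWW-Authenticate)
       'login-form'    -> 200 but the page only asks for a password
       'redirect'      -> 3xx, usually to a login page; follow before judging
       'not-admin'     -> anything else"""
    status, headers, body = parse_http_response(raw)
    text = body.lower()
    if status in (401, 407) or "www-authenticate" in headers:
        return "auth-required"
    if 300 <= status < 400:
        return "redirect"
    if status != 200:
        return "not-admin"
    if any(marker in text for marker in LOGIN_MARKERS):
        return "login-form"
    if any(marker in text for marker in ADMIN_MARKERS):
        return "exposed"
    return "not-admin"


# Constructed sample responses, one per outcome.
EXPOSED = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><title>Router Configuration</title>"
           b"<form action=/wan.cgi>PPP username: <input name=ppp_user></form></html>")
CHALLENGE = (b"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Router\"\r\n\r\n"
             b"<html>Enter username and password</html>")
LOGIN = (b"HTTP/1.0 200 OK\r\n\r\n<html><title>Router Configuration</title>"
         b"<form><input type=\"password\" name=\"password\"></form></html>")
REDIRECT = b"HTTP/1.0 302 Found\r\nLocation: /login.htm\r\n\r\n"
STATIC = b"HTTP/1.0 200 OK\r\n\r\n<html><title>Welcome to my homepage</title></html>"

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("challenge", CHALLENGE),
                         ("login", LOGIN), ("redirect", REDIRECT), ("static", STATIC)):
        print(f"{name:10s} -> {classify_admin_exposure(sample)}")
```

    A 'login-form' result is only as good as the credentials behind it: a device whose form accepts the factory default is no better off than an 'exposed' one, so the credential check belongs in the same audit.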
  • Spammers Love 'Em! (Score:5, Interesting)

    by The Turd Report (527733) <the_turd_report@hotmail.com> on Thursday January 23, 2003 @04:33PM (#5146188) Homepage Journal
    Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port25 blocked dial-up. Just telnet to the rooted router on port 33 and you are auto-majicly sent to AOL's mail server. Spam away!
  • ...what are we fightin' 4?
    Don't ask me I don't give a damn.
    Next stop is big Bagdad.
  • What Sprint Told Me (Score:5, Informative)

    by harlows_monkeys (106428) on Thursday January 23, 2003 @04:50PM (#5146301) Homepage
    I quickly found this problem on my Sprint DSL, and checked a few other addresses "near" mine to see if I had just overlooked something during setup where I was supposed to change the password, and found that most modems were wide open. I informed Sprint, and here was their response:

    Thank you for your recent e-mail. I appreciate the opportunity to address your inquiry.

    You have reached local password reset only. Please contact your local telephone company for further assistance.

    We appreciate your business. If we can be of further assistance concerning
    your Sprint service, please visit us at http://www.sprint.com, or you may email us at customer.servicenet@mail.sprint.com.


    Aside from the total lack of security by default, and their insistence on routing everything from the Seattle area through Fort Worth, which is 100ms away on Sprintlink, they have been pretty good. :-/
  • by teslatug (543527) on Thursday January 23, 2003 @04:51PM (#5146309)
    Just set the password to the last 4 digits of the serial number of the modem. No need to remember, easy to find for the users, not so easy for the hackers.
  • by harlows_monkeys (106428) on Thursday January 23, 2003 @04:58PM (#5146363) Homepage
    Note that if you put the modem into bridging mode, you don't have this problem. Unfortunately, most people probably leave it in routing mode, because the modem then handles PPPoE and provides access to your computer via DHCP and NAT.

    If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administratable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).

    Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).

  • as I gaze at my brand new ZyXEL Prestige 645 DSL bridge that arrived a mere two weeks ago with my DirectTV -> Speakeasy DSL transition.

    and I wonder...
    • Stop wondering. First off, Speakeasy ships their modems with telnet and FTP disabled, so there's no way to access it whether from the outside or the inside of your network. Second off, if someone does manage to get into your modem, it's going to be useless to them as Speakeasy does not use PPPoE, therefore they do not store any kind of user info in the modem.

      For Sprint, this is a much bigger issue, as Sprint does store the user's e-mail address/password combo in the modem.
  • by twixel (30362)
    They don't mention that the telnet interface is by default only accessible from the inside of the network.

  • by Anonymous Coward
    Interestingly, we just conducted a non-scientific survey for a class project about passwords that people use. This included things like luggage, email, voicemail, etc., from your typical teenaged high schooler.

    Results collected:

    30% used 123 or abc equivalent depending on length*
    19% used their name or combo (like JDoe or JohnD)
    16% used a date or part of (not b-day)
    9% used their birthday (or part of)
    6% used their name backwards
    5% used a pet name
    15% other**

    * 63% of the people who used 123(4) used it on their luggage.

    ** 3% of this other was something like "asdf" or "qwerty" or "jkl;" (presumably for computer related passwords). other also included stuff like phone numbers, names of other people, street addresses, and just some checked the box 'other' with no explanation.

    100% used a xx-xx-xx type numerical combination for their lockers. not including those who jam theirs always open :p
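    Added example (not from the thread or the survey) that turns the categories above into an audit you can run over a password list: each password is bucketed as a sequence, a keyboard walk, the owner's name (forwards or backwards), a birthday form, a pet's name, or other, given what is known about the owner. The check order runs from generic to personal so "1234" lands in "sequence" even for someone born on December 3rd. The `SAMPLE_PROFILE` respondent and all test passwords are constructed for the example.

```python
from collections import Counter
from datetime import date

# Keyboard rows used to spot walks such as "qwerty", "asdf" and "jkl;".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")

# Hypothetical survey respondent, constructed for this example.
SAMPLE_PROFILE = {"first": "John", "last": "Doe", "birthday": "1985-12-03", "pet": "Fluffy"}


def _is_run(s: str, step: int) -> bool:
    return all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def is_sequence(pw: str, min_len: int = 3) -> bool:
    """'123', 'abcd', '4321': consecutive digits or letters, ascending or descending."""
    s = pw.lower()
    if len(s) < min_len or not (s.isdigit() or s.isalpha()):
        return False
    return _is_run(s, 1) or _is_run(s, -1)


def is_keyboard_walk(pw: str, min_len: int = 3) -> bool:
    """The whole password is a left-to-right or right-to-left slice of one keyboard row."""
    s = pw.lower()
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _birthday_forms(iso: str) -> set:
    """The digit strings a person is likely to derive from a YYYY-MM-DD birthday."""
    d = date.fromisoformat(iso)
    return {d.strftime(f) for f in
            ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y", "%y%m%d", "%m%d")}


def classify_password(pw: str, profile: dict = None) -> str:
    """Bucket one password into the survey's categories using what is known
    about its owner (profile keys: first, last, birthday as ISO date, pet)."""
    profile = profile or {}
    s = pw.lower()
    if is_sequence(s):
        return "sequence"
    if is_keyboard_walk(s):
        return "keyboard"
    first = profile.get("first", "").lower()
    last = profile.get("last", "").lower()
    # Full names plus the "JDoe" / "JohnD" combinations the survey mentions.
    names = {n for n in (first, last, first[:1] + last, first + last[:1]) if len(n) >= 2}
    if any(n in s for n in names):
        return "name"
    if any(n in s[::-1] for n in names):
        return "name_reversed"
    if profile.get("birthday") and any(f in s for f in _birthday_forms(profile["birthday"])):
        return "birthday"
    pet = profile.get("pet", "").lower()
    if len(pet) >= 2 and pet in s:
        return "pet"
    return "other"


def tally(entries) -> Counter:
    """entries: iterable of (password, profile) pairs. Returns category -> count,
    the same breakdown the survey reports, for a list you are auditing."""
    return Counter(classify_password(pw, prof) for pw, prof in entries)


if __name__ == "__main__":
    samples = ["1234", "abcd", "qwerty", "JohnD", "eoDnhoJ", "19851203", "Fluffy1!", "Tr0ub4dor&3"]
    for pw in samples:
        print(f"{pw:12s} -> {classify_password(pw, SAMPLE_PROFILE)}")
    print(tally((pw, SAMPLE_PROFILE) for pw in samples))
```

    The "other" bucket is not a pass: it only means none of the personal patterns matched, so a real policy check would still run a length and dictionary test on it.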
  • People NEVER, as a group, take that extra step.

    They ALWAYS take the dumb, easy way. How do you think Bill Gates made all his money?

    • Argh. Agreed here, people will stop at whichever step is the easiest.

      When I was working a helpdesk, we had a 4-step process for installing one particular piece of software, which involved:

      1. downloading
      2. double-clicking a package
      3. selecting an update option
      4. restarting windows.

      Invariably, steps 1 and 2 would be completed, and since the software was then installed and sitting on the desktop, users jumped into their play mode and steps 3 and 4 were ignored entirely. Some days it seemed 90% of problems were directly related to not running the update option (which then prompted a restart anyway).

      All of this despite the instructions with red writing clearly saying ALL FOUR STEPS MUST BE RUN.

      Of course, with a slightly better installer step 2 would start the prompting to step 3, instead of needing user interaction, which would be far more reliable than trusting a user to read instructions - which is the point I suppose.
  • Not Zyxel's fault (Score:5, Insightful)

    by Doogman (30146) on Thursday January 23, 2003 @05:12PM (#5146466)
    I'm using a Zyxel 645r router supplied by my local mom & pop DSL provider. Sprint provides the DSL connection but they are my internet provider. Yes they did change the default password and they even support Linux, but I'm digressing.

    As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.

    So did Sprint disable the filter and not change the password? That would be rather strange...
  • If it is, you just violated the DMCA by publishing an encrypted password. Off to jail for you can be as easy as: 1-2-3-4.
  • by Drakonian (518722) on Thursday January 23, 2003 @05:14PM (#5146480) Homepage
    Linksys has a similarly easy password in their Gateways/Routers/Firewalls. No username, and the password is "admin". These routers are configurable remotely too - thank god that feature is off by default. I seem to recall them having a serious overflow bug too that would allow exploitation anyway.
  • This is nothing new (Score:5, Interesting)

    by estate (127345) on Thursday January 23, 2003 @05:16PM (#5146493)
    Use of the default password has been going on since time immemorial. Apparently Richard Feynman, who worked on the Manhattan Project (which developed the first atom bomb), had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.

    Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my password to my daughter so that she could log on to my Linux box at home. That was solved by giving her an account of her own.

    Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
  • I just had Sprint DSL installed at my house YESTERDAY. I asked the tech about login info, user manual, etc. for the Zyxel modem so I could get in & configure it, change admin logins, etc. - his response was, "Oh, you don't need to do that, it's preconfigured already." So apparently their techs don't believe there's a need to secure them??

    Greaaaaaaaaat.
  • by VValdo (10446) on Thursday January 23, 2003 @05:50PM (#5146702)
    First thing I did with my ZyXEL Prestige 600 is change that damned default password.

    To do this, at least on my 600:

    1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
    2. Use the default 1234 password, and then hit return to log in.
    3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
    4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
    5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
    6. When you get back to the main menu, exit your telnet session by typing "99".
    7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
    8. Profit.

    I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.

    Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like with a firewall.

    To block incoming telnet sessions on the WAN, check out this page [securiteam.com]. This page also offers a "probe" [dragon.roe.ch] you can use to discover vulnerable modems.

    Finally, check this list [phenoelit.de] for common default passwords. This is an important page, so check it for any equipment you might be using.

    W
  • ...that although Sprint provides my physical DSL, I actually use a different ISP. I bought a 'dumb' modem from eBay, and am very glad I did. Web interface for a simple bridge? No thanks.
  • by dbc (135354) on Thursday January 23, 2003 @06:56PM (#5147089)
    They refused to let customers have the DSL modem password, so that they wouldn't screw it up. While waiting on hold for oh, about 3 hours, to get a tech to fix one of their screw ups, I downloaded the manual. I figured out how to fix the problem, and then, just for grins, tried the factory password. It worked. I fixed the problem. About that time the tech answered. I told him how I fixed the problem. He asked me not to change the password, as it was their policy to leave them *all* at the factory default so that they could easily access them. They had actually thought about the problem, and made an active management decision to require fsck'ed up security. Sheesh.
  • Damned if we do... (Score:3, Insightful)

    by gizmonic (302697) on Thursday January 23, 2003 @08:06PM (#5147495) Homepage
    ...damned if we don't!

    So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having an insecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door [slashdot.org] with guns drawn?

    Nice.

    I remember when society used to have common sense. I miss those days.