Sprint DSL's Security Hole Easy As 1,2,3,4
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
As I've always said (Score:5, Insightful)
The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.
You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.
Not Sprint's fault... (Score:1, Insightful)
1234 (Score:5, Insightful)
Total negligence by sprint. (Score:5, Insightful)
Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)
Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.
This has been around for a while. I wonder how many users have actually been affected.
Re:Not Sprint's fault... (Score:5, Insightful)
Re:Not Sprint's fault... (Score:5, Insightful)
1) turning off remote administration [it just helps their tech support be lazy anyways]
2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is set up and logged into their account information)
3) at least explaining in the manual, after it's all set up, do steps a,b,c to change the password after the account is functional for security reasons
I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in the car.
security (Score:2, Insightful)
Re:Totally unprofessional (Score:5, Insightful)
Why didn't sprint fix this quickly? (Score:3, Insightful)
Why didn't Sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and be done with it.
Now that it's been published on Wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored".
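The two fixes the commenters above describe, a per-customer random administrative password instead of a shared factory default, with WAN-side administration switched off, and an inventory sweep that finds devices still on the default, as an added example that is not part of the thread or of any Sprint or ZyXEL tooling. The inventory model, the serial numbers and the `provision`/`audit` helpers are assumptions for illustration; the model names and the "1234" default come from the article.

```python
import secrets
import string
from dataclasses import dataclass

# Assumption: a tiny in-memory inventory stands in for the ISP's customer database.
# Defaults that should never survive provisioning; "1234" is the one from the article.
KNOWN_DEFAULTS = {"1234", "", "admin", "password"}


@dataclass
class Modem:
    serial: str
    model: str
    admin_password: str = "1234"        # factory default as shipped
    remote_admin_enabled: bool = True   # WAN-side administration on, as shipped


def generate_admin_password(length: int = 16) -> str:
    """Per-device password from the OS CSPRNG; nothing is derived from the serial,
    so knowing one customer's serial or password tells you nothing about another's."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision(modem: Modem) -> Modem:
    """Replace the shared default with a unique secret and turn off WAN administration.
    The new value lives on the customer record, which is where the ISP would store it."""
    modem.admin_password = generate_admin_password()
    modem.remote_admin_enabled = False
    return modem


def audit(inventory: list[Modem]) -> list[str]:
    """Serials of devices that are both reachable from the WAN and still on a known default."""
    return [m.serial for m in inventory
            if m.remote_admin_enabled and m.admin_password in KNOWN_DEFAULTS]


# Constructed sample inventory: three modems straight from the factory image.
INVENTORY = [Modem("SN-000001", "Prestige 642"),
             Modem("SN-000002", "Prestige 645"),
             Modem("SN-000003", "Prestige 645")]

if __name__ == "__main__":
    print("exposed before provisioning:", audit(INVENTORY))
    for m in INVENTORY:
        provision(m)
    print("exposed after provisioning:", audit(INVENTORY))
    # every device now has its own password; no two customers share one
    assert len({m.admin_password for m in INVENTORY}) == len(INVENTORY)
```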
Zyxel's fault? (Score:5, Insightful)
Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?
Re:1234 (Score:5, Insightful)
Sorry, but I disagree. It goes higher than that. This is a piece of equipment provided by Sprint to paying customers in order to facilitate the network service. Therefore, it's incumbent upon Sprint to modify the default password, not the user. The user is paying for a complete service, and as such should have a reasonable expectation of at least moderate safeguards in place, particularly given the well-known dangers of a permanent Internet connection.
By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.
However, that's a different situation -- a company buys a database server with the expectation of having to perform post-purchase configuration. Did you sign up for DSL or cable service, get a modem as part of the package, and expect to have to perform some final configuration?
Re:1234 (Score:5, Insightful)
The flaw IS requiring the user to change it. Why is remote administration even enabled by default?
Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.
Re:What is the big deal for Sprint to fix this? (Score:3, Insightful)
as the saying goes (Score:2, Insightful)
A buddy of mine and I have been uttering those words for years.
Re:Totally unprofessional (Score:3, Insightful)
Re:Not Sprint's fault... (Score:1, Insightful)
This is fucking insane and absolute negligence. I wouldn't think that my modem would have a password. My account, yes. My email, yes. My computer, yes. But MY MODEM?
Re:How are they supposed to know? (Score:2, Insightful)
Note that this is only a problem in routing mode (Score:5, Insightful)
If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administrable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).
Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).
Re:Not Sprint's fault... (Score:5, Insightful)
How are people supposed to change a password that they don't even know exists? If you install on Windows using the install CD from Sprint, the existence of that password is hidden. The install program deals with configuring the modem.
Re:Home users (Score:5, Insightful)
Not Zyxel's fault (Score:5, Insightful)
As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.
So did Sprint disable the filter and not change the password? That would be rather strange...
Linksys has a similar problem (Score:4, Insightful)
Re:Wired is polling modems? (Score:4, Insightful)
It's not illegal, and I adamantly support people's right to portscan people. However, a better analogy would be if the loitering was being done late at night in a neighborhood that was victim to a number of break-ins at night: It's not illegal, and there could be *entirely* legitimate reasons for doing it, but it's obviously going to look like you're trying to break in. (Off-topic: You can't really hang a "No portscanning" sign on your server)
What Wired did was either (depending on how you interpret the phrase "polled"):
- tried logging into people's routers with this password (blatant 'cracking')
- sent out a "poll" (as in a Slashdot Poll) to its readers asking Sprint customers to check their router and report back to Wired
In one case, I'd like to see more outrage, dropped subscriptions, and police involvement -- the fact that they're a respected magazine in no way gives them the attempt to try to crack routers en masse. On the other hand, if it's the second type of "poll," we're making a massive deal out of nothing.
Smoking? (Score:3, Insightful)
Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.
First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific piece of equipment would create a logistical nightmare.
Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.
Re:As I've always said (Score:5, Insightful)
Default setup and settings don't need to (be stupid). That can be changed.
Re:As I've always said (Score:3, Insightful)
1) Does have a password
2) This is your password and you should change it
3) Here are the instructions to change the password or alternatively I/we can do this for you
4) Once I/we leave here, it is your responsibility to look after your equipment unless you have a specific contract with us stating otherwise (managed IP networks, Frame Relay, yada yada)
Now, we all know that the contracts will absolve the ISP/Telco of any harm caused by this and we all know how well people read those contracts. A simple, "Here's the deal" would suffice and make sure it is one sheet of paper in easy to understand language that all involved can reference.
Ok, enough ranting.
Re:As I've always said (Score:5, Insightful)
Ah ha. From the Sprint DSL website: "Modem remains the property of Sprint and must be returned to Sprint if FastConnect DSL service is discontinued."
I can't find a copy of their user agreement on the website (I really hate companies that don't let you see that until AFTER you're mostly committed to buying. How am I supposed to make a decision if they won't tell me their policies?) but I suspect that (unless they changed it right before this became public) it's standard boilerplate, which wouldn't include anything about the customer having to maintain those modems.
Damned if we do... (Score:3, Insightful)
So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having an unsecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door with guns drawn?
Nice.
I remember when society used to have common sense. I miss those days.
Surely You're Joking, Mr. Estate!. (Score:2, Insightful)
I propose we say instead:
"Richard Feynman, a guy who achieved much more than working on the Manhattan Project"
- or just ignore me.