Sprint DSL's Security Hole Easy As 1,2,3,4

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
  • DMCA (Score:1, Interesting)

    by Anonymous Coward on Thursday January 23, 2003 @05:03PM (#5145871)
    Is talking about security holes legal under the DMCA?
  • Home users (Score:5, Interesting)

    by Ogrez ( 546269 ) on Thursday January 23, 2003 @05:03PM (#5145882)
    Yeah.. but 90% of home users can't remember their email password, do you really want them changing the password on the hardware... It comes with the default password, it's impractical for the ISP to change them all, and should the user change it, then forget it, it's an hour-long tech support call to fix it. Replace user, press any key to continue.
  • by jandrese ( 485 ) <kensama@vt.edu> on Thursday January 23, 2003 @05:10PM (#5145947) Homepage Journal
    How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.

    So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
  • by wulfhere ( 94308 ) <slashdot@huffmans. o r g> on Thursday January 23, 2003 @05:10PM (#5145951)
    I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our responsibility to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISPs will NEVER have customer service that compares favorably to a local ISP.
  • by ortholattice ( 175065 ) on Thursday January 23, 2003 @05:12PM (#5145966)
    They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones that have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?
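    The fleet-wide rotation ortholattice sketches, written out as an added defender-side example (not Sprint's, ZyXEL's or the poster's code): every device still accepting the factory default gets its own random password, recorded in an operator vault keyed by IP, and devices already off the default are left alone. The modem admin API (`login`, `set_password`), the `FakeModem` stand-in and the 10.0.0.x fleet are constructed assumptions so the block runs offline.

```python
# Defender-side sketch of the mass rotation ortholattice proposes: give every
# managed modem its own random admin password and keep the IP -> password map
# in an operator vault. Added example, not Sprint's or ZyXEL's code; FakeModem
# is a constructed in-memory stand-in for the modem's admin interface.
import secrets
import string

DEFAULT_PASSWORD = "1234"  # factory default named in the article
ALPHABET = string.ascii_letters + string.digits

def generate_password(length: int = 16) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))  # CSPRNG

class FakeModem:
    """Assumed admin API: login(pw) and set_password(old, new)."""
    def __init__(self, password: str, accepts_change: bool = True):
        self.password = password
        self.accepts_change = accepts_change  # False simulates a failed write

    def login(self, pw: str) -> bool:
        return secrets.compare_digest(pw, self.password)

    def set_password(self, old: str, new: str) -> bool:
        if not self.login(old) or not self.accepts_change:
            return False
        self.password = new
        return True

def rotate_fleet(fleet: dict, vault: dict) -> dict:
    """Rotate each device still on the default and record the new password
    in vault (IP -> password); in production use an encrypted secret store."""
    report = {"rotated": [], "already_changed": [], "failed": []}
    for ip, dev in sorted(fleet.items()):
        new_pw = generate_password()
        if not dev.login(DEFAULT_PASSWORD):
            report["already_changed"].append(ip)
        elif dev.set_password(DEFAULT_PASSWORD, new_pw) and dev.login(new_pw):
            vault[ip] = new_pw  # stored only once the new credential is verified
            report["rotated"].append(ip)
        else:
            report["failed"].append(ip)
    return report

def build_fleet() -> dict:  # constructed sample fleet, RFC 1918 addresses
    return {
        "10.0.0.1": FakeModem(DEFAULT_PASSWORD),
        "10.0.0.2": FakeModem(DEFAULT_PASSWORD),
        "10.0.0.3": FakeModem("already-rotated"),
        "10.0.0.4": FakeModem(DEFAULT_PASSWORD, accepts_change=False),
    }
```

    A second pass over the same fleet rotates nothing, so the script can be rerun safely and the `failed` list is the work queue for devices that did not take the change.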
  • by jovlinger ( 55075 ) on Thursday January 23, 2003 @05:16PM (#5146006) Homepage
    erm yes it is.

    I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?

    And I'm in the upper n-th percentile of computer literacy. Unless Verizon and Sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.
  • by DrSpookles ( 637522 ) on Thursday January 23, 2003 @05:20PM (#5146057)
    To only allow remote access once the password had been changed by the user.
  • xDSL passwords (Score:2, Interesting)

    by Lord Prox ( 521892 ) on Thursday January 23, 2003 @05:23PM (#5146083) Homepage
    I have been doing xDSL installs for a few years and I have noticed a strange thing...

    All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.

    In contrast some of the smaller xDSL providers seem to be more on the ball with these things.

    I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.

    One more thing... one more luggage joke and I'm going to have to kill someone...


    Vidomi [vidomi.com] Killer media player and network distributed video encoder.
  • by nochops ( 522181 ) on Thursday January 23, 2003 @05:29PM (#5146155)
    Wired found that more than 90% of the modems they polled were using that default password

    Isn't this wrong?
    Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IPs on our ISP's network. These were all trying to infect the machine with Back Orifice, but since it was already patched, they just DOS'd the box.

    When the DOS was done, I promptly and naively swept the ISP's class-B for open port 31337 (Back Orifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.

    They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.

    I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.

    Anyone care to comment?
  • Spammers Love 'Em! (Score:5, Interesting)

    by The Turd Report ( 527733 ) <the_turd_report@hotmail.com> on Thursday January 23, 2003 @05:33PM (#5146188) Homepage Journal
    Spammers set up NAT to re-direct incoming port 33 traffic to AOL mail server on port 25. This way, they can still spam via a port 25 blocked dial-up. Just telnet to the rooted router on port 33 and you are auto-majicly sent to AOL's mail server. Spam away!
  • by jon doh! ( 463271 ) <jondoh.curztech@com> on Thursday January 23, 2003 @05:44PM (#5146261) Homepage
    What if the DSL provider installed the modem for you? Is it then their responsibility to change the password? How about to at least prompt you to change it, maybe verify before they leave that you've changed it?
  • by teslatug ( 543527 ) on Thursday January 23, 2003 @05:51PM (#5146309)
    Just set the password to the last 4 digits of the serial number of the modem. No need to remember, easy to find for the users, not so easy for the hackers.
  • by slarti ( 15513 ) on Thursday January 23, 2003 @05:58PM (#5146365) Homepage
    as I gaze at my brand new ZyXEL Prestige 645 DSL bridge that arrived a mere two weeks ago with my DirecTV -> Speakeasy DSL transition.

    and I wonder...
  • by Anonymous Coward on Thursday January 23, 2003 @06:05PM (#5146413)
    Interestingly, we just conducted a non-scientific survey for a class project about passwords that people use. This included things like luggage, email, voicemail, etc., from your typical teenaged high schooler.

    Results collected:

    30% used 123 or abc equivalent depending on length*
    19% used their name or combo (like JDoe or JohnD)
    16% used a date or part of (not b-day)
    9% used their birthday (or part of)
    6% used their name backwards
    5% used a pet name
    15% other**

    * 63% of the people who used 123(4) used it on their luggage.

    ** 3% of this other was something like "asdf" or "qwerty" or "jkl;" (presumably for computer related passwords). other also included stuff like phone numbers, names of other people, street addresses, and just some checked the box 'other' with no explanation.

    100% used an xx-xx-xx type numerical combination for their lockers. not including those who jam theirs always open :p
  • by Zaknafein500 ( 303608 ) on Thursday January 23, 2003 @06:12PM (#5146461) Homepage
    Sprint just laid off several thousand employees from its HQ here locally. My guess is the staff that runs the abuse@ account were the first to go.

    My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse is that these modems are quite clearly running Netgear firmware, which by default doesn't allow connections externally. So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.
  • This is nothing new (Score:5, Interesting)

    by estate ( 127345 ) on Thursday January 23, 2003 @06:16PM (#5146493)
    Use of the default password has been going on since time immemorial. Apparently Richard Feynman who worked on the Manhattan Project (which developed the first atom bomb) had a reputation as an expert safecracker because very few people on the project changed the combination of the safes from the way it had been programmed at the factory.

    Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my password to my daughter so that she could log on to my linux box at home. That was solved by giving her an account of her own.

    Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
  • by goatasaur ( 604450 ) on Thursday January 23, 2003 @06:29PM (#5146584) Journal
    "...each time you build one, you need to go in and adjust it for a new password..." Those are salient points. I guess a better point is, what was stopping Sprint from *forcing* users to change their passwords before their first login? If hooking up DSL is like I think it is, wouldn't a tech have to walk them through the initial setup? Could they not choose an alternate password then?
  • by Lockster ( 95288 ) on Thursday January 23, 2003 @06:45PM (#5146662)
    I just had Sprint DSL installed at my house YESTERDAY. I asked the tech about login info, user manual, etc for the Zyxel modem so I could get in & configure it, change admin logins, etc - his response was, "Oh, you don't need to do that, it's preconfigured already." So apparently their techs don't believe there's a need to secure them??

    Greaaaaaaaaat.
  • by Ichijo ( 607641 ) on Thursday January 23, 2003 @06:47PM (#5146678) Journal
    How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch?

    So let me get this straight. You're supposed to administer your own DSL modem ... but if you administer your own cable modem, you run the risk of the police busting down your door. Do I have it right?

    What a confusing world we live in.

  • by Prior Restraint ( 179698 ) on Thursday January 23, 2003 @06:47PM (#5146680)

    I did NOT give them permission to access my network.

    Your network? You're the one accessing Sprint's network. Does the modem even belong to you? I was under the impression that DSL customers leased modems.

    It would have been sufficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.

    Um, are you familiar with the phrase "investigative journalism"? If they had heard about this default password from some other source, and Sprint had issued a denial, would it have been sufficient to take Sprint's word for it?

  • by dbc ( 135354 ) on Thursday January 23, 2003 @07:56PM (#5147089)
    They refused to let customers have the DSL modem password, so that they wouldn't screw it up. While waiting on hold for oh, about 3 hours, to get a tech to fix one of their screw ups, I downloaded the manual. I figured out how to fix the problem, and then, just for grins, tried the factory password. It worked. I fixed the problem. About that time the tech answered. I told him how I fixed the problem. He asked me not to change the password, as it was their policy to leave them *all* at the factory default so that they could easily access them. They had actually thought about the problem, and made an active management decision to require fsck'ed up security. Sheesh.
  • Re:1234 (Score:3, Interesting)

    by CaptainZapp ( 182233 ) on Friday January 24, 2003 @03:42AM (#5149429) Homepage
    By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.

    Oh boy, how much do I agree. The difference however seems to be that Sybase makes it excessively clear that you must change the sa password after installation (even better: create an account with appropriate privileges and lock down sa) in their installation/configuration manual for the respective platform.

    Even though I think Microsoft is a deeply unethical and dishonest company, which screws its customers from front, back and the side and has an abysmal track record regarding security, they didn't deserve the bad press regarding this "hole".

    The Sprint issue seems very different though, from what I read they provide the DSL modem as an appliance, which they own and maintain and should be held responsible for their incompetence or laziness.

    If I as a database consultant set up SQL Server (or any other database engine for that matter) it is my professional responsibility to apply basic industry standard security practices to the product, which I installed. If I ship you a CD with postgresql on it it's your responsibility to read the installation manual and apply such fundamental changes yourself. It's that simple.

  • duh (Score:2, Interesting)

    by astrotek ( 132325 ) on Friday January 24, 2003 @05:08AM (#5149616) Homepage
    and at cox.net (cable) formerly @home the default password for all email and web services is password

    it's not like this type of stuff is uncommon.
