Sprint DSL's Security Hole Easy As 1,2,3,4 373
An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.
Shit (Score:5, Funny)
Re:Shit (Score:3, Funny)
"tell us the combonations to the air lock."
"fine, i'll tell. its
"1,2,3,4,5?! that's the kind of code an idiot would put on their baggage!" (president scrooge arrives)
""so whats the combo"
"the combo is 1,2,3,4,5."
"woah, what a coincidence. thats the exact same code i have on my luggage!"
----i love that movie ----
As I've always said (Score:5, Insightful)
The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.
You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.
Re:As I've always said (Score:3, Informative)
Some people [google.com] are pretty opinionated [powells.com] about that, in fact.
Re:As I've always said (Score:2)
Re:As I've always said (Score:5, Insightful)
Default setup and settings don't need to (be stupid). That can be changed.
Re:As I've always said (Score:3, Insightful)
1) Does have a password
2) This is your password and you should change it
3) Here are the instructions to change the password or alternatively I/we can do this for you
4) Once I/we leave here, it is your responsibilty to look after your equipment unless you have a specifc contract with us stating otherwise (managed IP networks, Frame Relay, yada yada)
Now, we all know that the contracts will absolve the ISP/Telco of any harm caused by this and we all know how well people read those contracts . A simple, "Here's the deal" would suffice and make sure it is one sheet of paper in easy to understand language that all involved can reference.
Ok, enough ranting.
Re:As I've always said (Score:5, Insightful)
Ah ha. From the Sprint DSL website: "Modem remains the property of Sprint and must be returned to Sprint if FastConnect DSL service is discontinued."
I can't find a copy of thier user agreement on the website (I really hate companies that don't let you see that until AFTER you're mostly commited to buying. How am I supposed to make a decision if they won't tell me thier policies?) but I suspect that (unless they changed it right before this became public) that it's standard boilerplate, which wouldn't include anything about the customer having to maintain those modems.
Obligatory Space Balls Quote... (Score:4, Funny)
Colonel Sandurz: "1-2-3-4-5."
Skroob: "1-2-3-4-5?"
Sandurz: "Yes."
Skroob: "That's amazing! I've got the same combination on my luggage!"
Wasn't it Skoorb? (Score:3, Informative)
So, who needs Kevin Mitnick? (Score:5, Funny)
Home users (Score:5, Interesting)
Re:Home users (Score:5, Informative)
Lots of switches and other equipment comes with hardware passwords. When these are lost, you can call the company and get a password by reading off a serial number identifier off of the equipment. When you enter that password, the machine is reset and all information previously on it is gone.
That would be good enough for most users in any event.
Smoking? (Score:3, Insightful)
Disclaimer: I work with Cisco equipment most of the time. I also have worked with long-haul telecommunications gear like Fore Systems ATM, ADNX/Promina, and other gear.
First, having a 'master code' would be dumb. The master code would get out quickly and then you would have people shutting down equipment remotely. Even having a password based on the serial number of a specific peice of equipment would create a logistical nightmare.
Most of the equipment I have seen has a console port and a reset switch. If you reboot the equipment, you have about 15 to 30 seconds where you can drop in a break code. The break code will not clear the memory, but it does boot in a clean mode where you can reset passwords or make config changes.
Re:Home users (Score:2)
Earthlink used Zyxel 645 too, all their passwords are changed (tried to get in, can't).
besides, who in their right mind (general populance, now) would go into their modem? to do what? if they had to, do you think they would sell at all? (in this "plug and play is good" world)
of course - Zyxels 645 are actually pretty nice if you do get inside and flash a "proper" bios - you can set it up as a rounter directly, saving you some bux on that D-Link; but no web-configure, though.
Re:Home users (Score:5, Insightful)
This is a suprise to everyone? (Score:3, Informative)
I don't know how many times in the past I've tracked hackers at work to Sprint's networks.
Getting a reply or action from Sprint Security is non-existent. I guess it takes an article published in 'Wired' to get action from them.
Sprint and Prodigy are renown for not working with customers in addressing secuity issues.
Dolemite
_________________________________
Re:This is a suprise to everyone? (Score:5, Interesting)
My question is, why are these things even listening on the external interface? I set one of these boxes up for a friend recently, and I couldn't find a single way to block tftp/telnet/http from the outside. What's worse, is that these modems are quite clearly running Netgear firmware, which by default doesn't not allow conections externally So, someone at either ZyXEL or Sprint actively decided that these boxes should allow administrative control from anywhere.
Re:This is a suprise to everyone? (Score:2)
New Sprint Ad (Score:5, Funny)
1234 (Score:5, Insightful)
Re:1234 (Score:5, Insightful)
Sorry, but I disagree. It goes higher than that. This is a piece of equipment provided by Sprint to paying customers in order to facilitate the network service. Therefore, it's incumbent upon Sprint to modify the default password, not the user. The user is paying for a complete service, and as such should have a reasonable expectation of at least moderate safeguards in place, particularly given the well-known dangers of a permanent Internet connection.
By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.
However, that's a different situation -- a company buys a database server with the expectation of having to perform post-purchase configuration. Did you sign up for DSL or cable service, get a modem as part of the package, and expect to have to perform some final configuration?
Re:1234 (Score:2)
"SYSTEM/MANAGER"? Why, that's the stupidest password ever! It's the kind of password some VMS administrator might put on his DECserver's luggage!
Re:1234 (Score:3, Informative)
Re:1234 (Score:3, Interesting)
Oh boy, how much do I agree. The difference however seems to be that Sybase makes it excessively clear that you must change the sa password after installation (even better: create an account with appropriate privileges and lock down sa) in their installation/configuration manual for the respective platform.
Evenb though I think Microsoft is a deeply unethical and dishonest company, which screws its customers from front, back and the side and have an abyssimal track record regarding security they didn't deserve the bad press regarding this "hole".
The Sprint issue seems very different though, from what I read they provide the DSL modem as an applicance, which they own and maintain and should be held responsible for their incompetence or lazyness.
If I as a database consultant set up SQL Server (or any other database engine for that matter) it is my professional responsibilty to apply basic industry standard security practices to the product, which I installed. If I ship you a CD with postgresql on it it's your responsibility to read the installation manual and apply such fundamental changes yourself. It's that simple.
Re:1234 (Score:5, Insightful)
The flaw IS requiring the user to change it. Why is remote administration even enabled by default?
Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.
Total negligence by sprint. (Score:5, Insightful)
Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.
They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)
Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.
This has been around for a while. I wonder how many users have actually been affected.
Randomize (Score:3, Funny)
Jason
ProfQuotes [profquotes.com]
Re:Randomize (Score:2, Funny)
For boosted security, they could make it re-randomize the password every hour.
Yes, that makes a lot of sense, randomly change the password and lock out the user after an hour. Or were you suggesting something even more brilliant: change the password and display it on the user's screen?
Sheeeesh.
Re:Randomize (Score:2)
Jason
ProfQuotes [profquotes.com]
How are they supposed to know? (Score:5, Interesting)
So heres, the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunatly his modem is now vulnerable to whatever nastyness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?
Re:How are they supposed to know? (Score:2, Insightful)
Re:How are they supposed to know? (Score:2)
In any case the problem here is that they don't want people to change the passwords and they want them to be the default or at least a well known password and any well known password *will* become public. This is of course because the vast majority of their lusers will fsck up changing the passwords and it will be a support nightmare. Also if they can get into the router, please for the love of gawd quit calling them modems, it is much easier for them to provide support. Of course the password leaked and now they need to put a good spin on it and in Amerika what better way to put a good spin on it than to blame the customer.
Yes we do in fact live in a sad fscked up world.
Re:How are they supposed to know? (Score:3, Interesting)
So let me get this straight. You're supposed to administer your own DSL modem ... but if you administer your own cable modem, you run the risk of the police busting down your door. Do I have it right?
What a confusing world we live in.
Re:How are they supposed to know? (Score:2)
I got a Zyxel DSL router from my ISP and the first thing I did was change the password. As I bet anyone concerned with security at all does. But lets face it most users are running Windows so what does it matter that your modem can be 0wned when your friggin' computer can be as well?
Not that the story isn't important, if Sprint is so unconcerned as to let these modems out the door unprogrammed what's to say their whole operation isn't infiltrated?
Local vs. National ISP (Score:5, Interesting)
Keygen for ZyXel Prestige 642 and 645 modems (Score:2)
20 Print "Brought to you by the 133t Animal Kracker"
30 Print "Go 0wnz some modems!"
40 END
f34r my sk1LLZ!
BTW: The Animal Kracker was the name I used when I was 13 and using Locksmith 3.0 to copy Apple II games. Ahh.. the innocence of youth...;)
What is the big deal for Sprint to fix this? (Score:5, Interesting)
Re:What is the big deal for Sprint to fix this? (Score:3, Insightful)
Re: (Score:2)
Except you don't have the list of all their IPs (Score:2)
security (Score:2, Insightful)
This is old.. (Score:2)
ttyl
Farrell
Stupid question (Score:2)
Re:Stupid question (Score:2)
Why didn't sprint fix this quickly? (Score:3, Insightful)
Why didn't sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and been done with it.
Now that it's been published on wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored"
Zyxel's fault? (Score:5, Insightful)
Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?
They're not the first (Score:2, Informative)
I don't understand how hard it could be.... (Score:2, Interesting)
xDSL passwords (Score:2, Interesting)
All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.
In contrast some of the smaller xDSL providers seem to be more on the ball with these things.
I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.
One more thing... one more luggage joke and I'm going to have to kill someone...
Vidomi [vidomi.com] Killer media player and network distributed video encoder.
Re:xDSL passwords (Score:2)
Pacific Bell (Score:3, Informative)
This only applies to business customers who ordered the router option instead of a bridge.
Re:Pacific Bell (Score:2)
as the saying goes (Score:2, Insightful)
A buddy of mine and I have been uttering those words for years.
Wired is polling modems? (Score:5, Interesting)
Isn't this wrong?
Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IP's on our ISP's network. These were all trying to infect the machine with BackOriface, but since it was already patched, they just DOS'd the box.
When the DOS was done, I pormptly and naively swept the ISP's class-B for open port 31337 (backoriface). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.
They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.
I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.
Anyone care to comment?
Re:Wired is polling modems? (Score:2)
Or, maybe they called their ISP, identified who they were and what they were doing, and got permission to perform the scan.
Or maybe they signed up for a specific plan that allows scanning like that.
Travis
Re:Wired is polling modems? (Score:2)
Simple:
1) they have more money than you.
2) they didn't get caught.
Re:Wired is polling modems? (Score:2)
Yo Grark
keeping their eye on you? (Score:3, Funny)
% wget http://some.site.out.there/foo
--15:23:09-- http://some.site.out.there/
=> `foo'
Connecting to 1.2.3.4:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 666 [text/html]
0K ->
Re:Wired is polling modems? (Score:2)
Re:Wired is polling modems? (Score:4, Insightful)
It's not illegal, and I adamantly support people's right to portscan people. However, a better analogy would be if the loitering was being done late at night in a neighborhood that was victim to a number of break-ins at night: It's not illegal, and there could be *entirely* legitimate reasons for doing it, but it's obviously going to look like you're trying to break in. (Off-topic: You can't really hang a "No portscannning" sign on your server)
What Wired did was either (depending on how you interpret the phrase "polled"):
- tried logging into people's routers with this password (blatant 'cracking')
- sent out a "poll" (as in a Slashdot Poll) to its readers asking Sprint customers to check their router and report back to Wired
In one case, I'd like to see more outrage, dropped subscriptions, and police involvement -- the fact that they're a respected magazine in no way gives them the attempt to try to crack routers en masse. On the other hand, if it's the second type of "poll," we're making a massive deal out of nothing.
Re:Wired is polling modems? (Score:2)
Spammers Love 'Em! (Score:5, Interesting)
Well, its 1, 2, 3... (Score:2)
Don't ask me I don't give a damn.
Next stop is big Bagdad.
What Sprint Told Me (Score:5, Informative)
Thank you for your recent e-mail. I appreciate the opportunity to address your inquiry.
You have reached local password reset only. Please contact your local telephone company for further assistance.
We appreciate your business. If we can be of further assistance concerning
your Sprint service, please visit us at http://www.sprint.com, or you may email us at customer.servicenet@mail.sprint.com.
Aside from the total lack of security by default, and their insistance on routing everything from the Seattle area through Fort Worth, which is 100ms away on Sprintlink, they have been pretty good.
Why not use the serial number? (Score:5, Interesting)
Note that this is only a problem in routing mode (Score:5, Insightful)
If you have PPPoE software on your OS, you can put the modem in bridging mode, and then it won't have an IP address, and so won't be remotely administratable from the WAN side. (It still takes 192.168.1.1 on the LAN side, so you can still administrate locally).
Surprisingly (at least, I was surprised...I had expected Sprint to be one of those providers that doesn't tell you much), on Sprint's support site, they have detailed instructions for switching to bridging mode, both for people with dynamic IP and those with static IP. (Look under the section on configuring for use with game consoles).
A strange loosening in my bowels... (Score:2, Interesting)
and I wonder...
Re:A strange loosening in my bowels... (Score:2)
For Sprint, this is a much bigger issue, as Sprint does store the user's e-mail address/password combo in the modem.
Re:A strange loosening in my bowels... (Score:2)
Much ado about nothing (Score:2, Informative)
Interesting non-scientific Password Surevey (Score:2, Interesting)
Results collected:
30% used 123 or abc equivalent depending on length*
19% used their name or combo (like JDoe or JohnD)
16% used a date or part of (not b-day)
9% used their birthday (or part of)
6% used their name backwards
5% used a pet name
15% other**
* 63% of the people who used 123(4) used it on their luggage.
** 3% of this other was something like "asdf" or "qwerty" or "jkl;" (presumably for computer related passwords). other also included stuff like phone numbers, names of other people, street addresses, and just some checked the box 'other' with no explanation.
100% used a xx-xx-xx type numerical combination for their lockers. not including those who jam theirs always open
When are they going to learn? (Score:2)
They ALWAYS take the dumb, easy way. How do you think Bill Gates made all his money?
Re:When are they going to learn? (Score:2)
When I was working a helpdesk, we had a 4-step process for installing one particular piece of software, which involved:
1. downloading
2. doubleclicking a package
3. selecting an update option
4. restarting windows.
invariably, steps 1 and 2 would be completed, and since the software was then installed and sitting on the desktop, users jump into their play mode and steps 3 and 4 were ignored entirely. some days it seemed 90% of problems were directly related to not running the update option (which then prompted a restart anyway)
All of this despite the instructions with red writing clearly saying ALL FOUR STEPS MUST BE RUN.
Of course, with a slightly better installer step 2 would start the prompting to step 3, instead of needing user interaction, which would be far more reliable than trusting a user to read instructions - which is the point I suppose.
Not Zyxel's fault (Score:5, Insightful)
As the router ships from Zyxel, it has a filter disabling Telnet access from the WAN (internet). So even if you did have my router's password, you couldn't just telnet into it and get all the PPPoE data.
So did Sprint disable the filter and not change the password? That would be rather strange...
Yeah...but is it encrypted? (Score:2)
Linksys has a similar problem (Score:4, Insightful)
This is nothing new (Score:5, Interesting)
Perhaps the problem arises because we have so many passwords to remember. My solution is to have one password for most of my accounts, which I share with nobody. This led to a nasty family argument, when I refused to tell my passwword to my daughter so that she could logon to my linux box at home. That was solved by giving her an account of her own.
Another possibility is that most people are simply unaware of the need for security. I got a taste of this when I taught an introductory course on Unix to a group at one company who shared files with each other. When I asked how they did it, they told me that each one of them posted a little yellow sticky with their userid and password on their monitors so whoever had to could simply log on as them!!
Sprint Install Techs say "no need" (Score:2, Interesting)
Greaaaaaaaaat.
My ZyXEL 600 had this problem... (Score:5, Informative)
To do this, at least on my 600:
1. Telnet in (make sure you have vt100). On my LAN, the Zyxel is set at 192.168.1.1 -- I don't know how Sprint has it.
2. Use the default 1234 password, and then hit return to log in.
3. At the menu, type "23" and return. 23 is the option for the "System Password" page.
4. Now type the old and new password (twice) using the TAB key to skip fields. Don't pick something obvious.
5. Go down to where it says "Enter here to CONFIRM or ESC to CANCEL" and hit ENTER/RETURN to save your new password. (You may be asked to confirm that you want to do this.)
6. When you get back to the main menu, exit your telnet session by typing "99".
7. Try telnetting in again using 1234 and make sure it doesn't work. Now try to use your new password.
8. Profit.
I'm guessing that if these aren't the exact instructions for the later Prestiges, it'll be pretty close.
Even better than changing passwords is to disable remote login from outside the local network. (I hear this is the default on new Prestige modems). Or, depending on how insecure your LAN is, you can assign particular IPs permission to get in and block all others. This is accomplished using a "filter", just like a w/ a firewall.
To block incoming telnet sessions on the WAN, check out this page [securiteam.com]. This page also offers a "probe" [dragon.roe.ch] you can use to discover vulnerable modems.
Finally, check this list [phenoelit.de] for common default passwords. This is an important page, so check it for any equipment you might be using.
W
It's a good thing... (Score:2)
My former DSL ISP was even more stupid (Score:4, Interesting)
Damned if we do... (Score:3, Insightful)
So, let me get this straight. If I do not access my DSL/Cablemodem and change the settings, it's my fault for having a unsecure system. Yet, if I do access my DSL/Cablemodem and change the settings, I can expect the FBI to come barreling through my front door [slashdot.org] with guns drawn?
Nice.
I remember when society used to have common sense. I miss those days.
Re:Not Sprint's fault... (Score:5, Insightful)
Re:Not Sprint's fault... (Score:5, Insightful)
1) turning off remote administration [it just helps their tech support be lazy anyways]
2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is setup and logged into their account information)
3) at least explaining in the manual, after its all setup, do steps a,b,c to change the password after the account is functional for security reasons
I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in car.
Re:Not Sprint's fault... (Score:2)
Re:Not Sprint's fault... (Score:5, Interesting)
I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?
And I'm in the upper n-th percentile of computer litteracy. Unless verizon and sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.
Re:Not Sprint's fault... (Score:5, Insightful)
How are people supposed to change a password that they don't even know exists? If you install on Windows using the install CD from Sprint, the existence of that password is hidden. The install program deals with configuring the modem.
Re:Not Sprint's fault... (RTFA) (Score:5, Informative)
Now, who's fault isn't it again?
Re:Totally unprofessional (Score:5, Insightful)
Re:Totally unprofessional (Score:2)
Re:Totally unprofessional (Score:2)
Wrong story, pal.
That's RIAA.
Re:Totally unprofessional (Score:3, Insightful)
Re:Totally unprofessional (Score:3, Interesting)
I did NOT give them permission to access my network.
Your network? You're the one accessing Sprint's network. Does the modem even belong to you? I was under the impression that DSL customers leased modems.
It would have been suficient to take Sprint's word for it and post the story. There was no need to go snooping where they don't belong.
Um, are you familiar with the phrase "investigative journalism"? If they had heard about this default passowrd from some other source, and Sprint had issued a denial, would it have been sufficient to take Sprint's word for it?
Re:Unrelated, but much more serious security hole (Score:4, Funny)
Um.... (Score:2)
Re:DMCA (Score:2)
Re:Isn't anyones fault. (Score:2, Interesting)
Ugh... (Score:2)
Giving the same default password to all your customers and then not forcing them to change it, not even showing them how to change it, is ignorant and careless. A company that has been in the tech business as long as Sprint should have known this.
Re:obligatory reference (Score:3, Interesting)