Optus DSL Modems also insecure
The Sagemcom ADSL routers supplied by Optus also have fairly significant and easy-to-find security holes, not the least of which is that anyone can log into the router and perform admin tasks without supplying any credentials. The admin passwords are hardcoded into the JavaScript of some of the pages, in plain text, and can also be retrieved from an undocumented interface that dumps out all of the configuration information, including passwords (both in the clear and as base64-encoded text, IIRC). The password does appear to be changed by firmware updates from time to time, but it is straightforward to retrieve the information.
It's quite easy to pull information about the router, and there are forum threads on Optus' web site as well as Whirlpool on this topic. Furthermore, parental controls are prominently displayed on the main page of the router interface, but are completely useless, because anyone on the network can change them.
When I contacted Optus about my concerns, they were dismissive of any security issues, as the firmware is in their opinion working by design, and is therefore not defective. When pressed, Optus support blamed the device manufacturer for the firmware, despite it obviously being an Optus-specific software implementation, and suggested I contact Sagemcom directly.