I for one am shocked- SHOCKED- to believe large ISPs installing home network devices would simply leave them set to DEFAULT PASSWORDS.
Or that ANY home user would TOLERATE that situation.
A router-to-router bot first detected two years ago has evolved - and now has the capability to reconfigure the firewalls of its victims. The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that's rare because it spreads through consumer network devices …
For all I know there is a hard-wired password in my car that will make it engage reverse gear on the motorway. But I am not an expert on cars.
Equally, the vast majority of computers and routers are sold to non-experts.
In Britain the Trades Description Act requires that items sold retail be "basically fit for purpose". Whether a weak password breaks that law is debatable.
ISPs, when leasing equipment to the end user, technically would have an obligation to keep it up to date for security purposes. That includes no default passwords and providing firmware updates to close security loopholes.
The last "Residential Gateway" device I received from ATT a couple of months ago was actually secured fairly well on the defaults front. It was a forced upgrade off the old one that wasn't supported any longer. That old one, when I got it, wasn't secured in the slightest. So I'm at least seeing progress on this front. Hopefully other ISPs are also *starting* to finally take at least basic security seriously...
It's a shocking thought but BT home routers don't have a standard default password and do get updated automatically.
On the subject of default passwords, every manufacturer could do what BT and some other ISPs do and ship each router with a different default password. Sure, it doesn't prevent the device being hacked, but it does make it that bit harder. Malware authors, like other criminals, tend to go after the low-hanging fruit, so just making things a little bit harder is sometimes all it takes to stay secure.
Fairly simple, the update doesn't overwrite the passwords database ;) The box pulls rather than being pushed to, so simple enough really.
Well, I say database. If you've ever rooted one you'll find it's actually an XML file containing all sorts of config.
BT's not a shining example though, they have services open by default (and potentially accessible by anyone on the internet) using HTTP basic auth. They also rather spectacularly fucked up with their 'different default wireless keys and passwords' a while back by using the router's serial for the wifi and neglecting to think about the fact the access point was helpfully broadcasting its serial number.
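The two points above (per-device default passwords in the earlier comment, and a key derived from a broadcast serial in this one) as an added illustration that is not part of the thread: a factory provisioning routine with a hypothetical serial-derived scheme beside a random one, plus an audit check that flags any secret recomputable from the fields the device broadcasts. The derivation, field names and serial are constructed for the example, not any vendor's real scheme.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_passphrase(serial: str) -> str:
    """Hypothetical scheme: a deterministic function of the serial.
    Anyone who sees the serial (e.g. in a beacon or on the label) can
    recompute the passphrase offline, so it provides no secrecy."""
    return hashlib.sha256(serial.encode()).hexdigest()[:10]


def strong_passphrase(serial: str, length: int = 16) -> str:
    """Random per-device secret; the serial is accepted only so both
    schemes share a signature, and is deliberately ignored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(serial: str, scheme) -> tuple[dict, str]:
    """Factory record: public fields plus only a hash of the secret.
    Returns the record and the passphrase printed on the device label."""
    pw = scheme(serial)
    record = {
        "serial": serial,
        "ssid": f"HomeNet-{serial[-4:]}",          # broadcast, public
        "pw_hash": hashlib.sha256(pw.encode()).hexdigest(),
    }
    return record, pw


def recoverable_from_public(record: dict, scheme) -> bool:
    """Audit check: re-run the scheme on nothing but the public serial.
    If that reproduces the stored hash, the 'secret' is a function of
    broadcast data and the scheme must not ship."""
    guess = hashlib.sha256(scheme(record["serial"]).encode()).hexdigest()
    return hmac.compare_digest(guess, record["pw_hash"])


if __name__ == "__main__":
    serial = "HG612-0000123456"                     # constructed sample
    for name, scheme in (("serial-derived", weak_passphrase),
                         ("random", strong_passphrase)):
        rec, _ = provision(serial, scheme)
        print(f"{name:15} recoverable from broadcast data: "
              f"{recoverable_from_public(rec, scheme)}")
```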
Anybody remember about the researcher who created a botnet to map out the Internet? 420,000 nodes, just on cameras alone.
It doesn't matter how many times this happens, the hardware manufacturers need to start requiring passwords on their devices, and ones that are "strong." My Cisco ISA550 requires a password that is stronger than logging into their website! And yes, it has to be changed on the first login. And why do they keep opening up ports by default? "This router keeps you safe!" Really? Really?? It doesn't keep you safe, and it doesn't keep anyone else safe, either!
Maybe the manufacturers could be fined under the truth in advertising laws. These are insecurity routers!
ISP routers with remote admin turned on, and everyone has the same password. Takes 5 minutes to find the password posted online by one of their "you're a contractor not staff, no benefits for you" support people.
Stuff that is OLD, buy a new one (about 1.5 years) and no longer supported/patched.
Can't wait for the internet of things.
If every router sold, by default, had EVERYTHING facing WAN closed, perhaps there would be fewer problems. Better still, let's have some liability attached to products we BUY. I just installed the newer firmware and you have to "acknowledge we don't accept any responsibility".
When I install Linux, fair enough my responsibility. But they are making money selling this stuff, and they should be compelled to support best practices - at least, y'know, competent.
If the $CORP started being responsible (i.e. liable) for competent security, perhaps $BADGUY would not have it so easy...
P.