5 Comments

  1. 4

    bsulli

    They have an administrative port open on the router that you cannot turn off that allows them in, period. The only way to keep them from signing in to change the passwords, which they have done to mine a couple of times, is to back up the config, which you can do. Set the unit back to factory defaults and log in using the default user and password. Restore the config and reset the password. If you want to keep them out altogether, you have to put in an inline firewall and block the port. I believe the port is 4567.

    1. 4.1

      finid

      Thank you. So they do have a backdoor. An nmap scan of my router showed the following ports:

      80/tcp open http
      443/tcp open https
      4567/tcp open unknown
      8080/tcp open http-proxy
      8443/tcp open https-alt

      When I did that scan several months ago, I wasn’t sure what 4567 was for, but Wikipedia has it down as a Sinatra default server port.

      Time to mess with my FIOS router.

  2. 3

    Katie

    For the longest period of time any form of wireless encryption above 128 bit WEP and MAC filtering were in the support scope of Verizon DSL support. WPA became a request only method about 2 years ago. It’s also within normal scope of support to set the password for the modem to “admin”.

  3. 2

    Duncan

    Do you know for a fact that they have a higher priority password?

    Because that, especially the “limited instances” part, reads to me like they were using a router that had its factory default password published, some installers weren’t changing it, and this gives them the necessary legal cover to go in and fix it, for those who have never messed with it themselves, thus leaving it at the default.

    Of course that’s the favorable (to them) reading, and the terms now allow them to change it for other reasons too, but it does sound like they give you the new password when they change it, which at a minimum, does not necessarily imply they have a master password aka “back door”, to routers where the owner actually /has/ changed the password.

    Given the general (IOW, IDR whether VZ has been named as a carrier with the problem or not) coverage of routers often installed without changing the password and with remote access on, thus allowing pretty much anyone on the net to go in and screw with it at their whim, retroactively going in to those where the default works and setting up a non-default password, then notifying the user about it, seems the best policy, but I can easily see the lawyers insisting on a covering clause in the TOS.

    Further, something like that would need to be carried out with a pretty short notification, because they’re essentially zero-daying themselves. Once the announcement is made, they very likely have literally hours before someone’s exploiting it. So if it were me and there wasn’t a minimum waiting period before the TOS could go into effect, I’d be sending out the notification emails @ 23:59 one day, and starting the password changes at 00:01 the next — two minutes later!

    OTOH, if you have evidence of a tiered password system, with them having the master, that’s a different story indeed. But the TOS change alone “ain’t” it, nor is there any indication in your article that you have anything beyond that TOS change.

    Verizon ain’t no friend of mine, but overplaying your hand as an opponent doesn’t help, either.

  4. 1

    David

    Does this apply just to Verizon-supplied routers, or to all routers?

    If the former, it’s easy to avoid by using your own independently sourced router and setting it up with WPA2.

    ISP-supplied routers always seem to be a bad financial deal, and the installers tend to set them up with weak, next-to-useless WEP security.
