Long time lurker, first time poster. Sorry in advance if this is the wrong forum for something like this.
My mom’s ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer Premises Equipment) with a built-in router, without providing the ability to change the admin password from “password” on it.
Their customer service rep said that this is not only WAI, but also wanted to charge her $50 to have a tech come out and change it. Which is obviously less than ideal.
That aside, this seems like a pretty egregious security standard which, from my understanding, can have fairly dire security implications… e.g., DNS server settings can be pointed at whatever someone wants here.
My mom is elderly and had already fallen victim to a call center scammer a couple years ago. They briefly took control over her laptop before she called for backup. So I’m just a little concerned that we have no control over changing this router’s admin password — from “password” — in a pinch, without waiting for a truck roll && shelling out $50.
I’ve sent her a DOCSIS 3.1 modem that doesn’t have a router built-in, in hopes that they’ll let us bring our own. She does have Google Wifi, but we can’t even put their router into bridge mode. So she would be double NATed and have no control over changing the admin password on the first router.
Anyone have any experience with Yondoo? I’ve tried reaching out to them on multiple fronts, but have yet to hear back from them on this. A tech is scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let us use our own modem and then take it from there.
What’s the problem with double NAT? I can’t imagine an elderly mom trying to host Xbox games - which is 95% of the problem with double NAT these days (the other 5% being Ubiquiti bros having to access their Unifi router from anywhere).
Your screenshots didn’t come through, I suspect it’s stripped via the mailing list, but there’s no model number specified anywhere.
NANOG really isn’t the best place for this, but I don’t know where else you would be able to go besides what you’ve already done: Yondoo support.
The first router would still be vulnerable, and through it the second router.
I would hope that this router’s admin “password” interface is only accessible from the LAN side. It’s not listening to the world for a login with “password”, right? Have you port scanned its WAN interface and tried connecting to it to see what’s listening?
This is bad, yes, but not utterly catastrophic. Generally in a situation where somebody has physical access to a home Netgear/Linksys/TP-Link/whatever type router, they could physically push the factory reset button and gain access to its admin interface to reconfigure it however they wanted anyways.
I think there’s a value for discussion in nanog about how to provision and set up residential last mile services that work right, but this isn’t exactly a wider spread network operational issue unless you’ve discovered thousands of CPEs that can be accessed by “password” from the outside Internet.
It means that any compromised device on the LAN can access the router
with whatever permissions the password grants. While there are
certainly worse security vulnerabilities, I'm reluctant to describe
this one as less than catastrophic. Where there's one grossly ignorant
security vulnerability there are usually hundreds.
I agree, but if we start listing every massive security vulnerability that can be found on the intra-home LAN in consumer-grade routers and home electronics equipment, or things that people operate in their homes with the factory-default passwords, we’d be here all month in a thread with 300 emails.
I’m sure this ISP will realize what a silly thing they did if and when some sort of worm or trojan tries a set of default logins/passwords on whatever is the default gateway of the infected PC, and does something like rewrite the IPs entered for DNS servers to send peoples’ web browsing to advertising for porn/casinos/scams, male anatomy enlargement services or something.
It’s been a while, but attacks that take advantage of this are (or at least in the past have been) real.
I recall when this stuff first started to come out, leaning on RG vendors to fix their firmware to make their default passwords unpredictable based on information readily available on the LAN.
In this case we’re not even talking about taking action this sophisticated… It seems to me that, having a customer willing and ready to secure themselves, preventing them from doing so is wildly inappropriate.
Apparently iCloud’s hide my email implementation can only be used with one recipient, so here was my reply to Josh (apologies to him for the spam), for posterity:
Thanks for your reply.
Double NAT tends to break things like ZeroTier.
But even if that wasn’t a problem for us, I think the more pressing concern here is that the default admin password for the router is “password”, and you can’t change it without a tech coming out to change it for you, and shelling out $50.
Who knows how many residential routers are in their fleet that are “password” protected; seems like a disaster waiting to happen.
The model was an Evolution Digital EVO3000GW — thankfully they were able to swap it out with a non-router modem that I had sent to her over the weekend, but not without making a few phone calls, first. It didn’t seem like they could provision the new modem remotely.
If anyone has a more security-focused forum they could recommend for a post like this, I’ll be happy to take my inquiry elsewhere.
Just some minor follow up:
The tech was able to swap out their RG with the modem-only one that I had sent (after making a couple phone calls). It didn’t seem like they could provision a user-supplied modem remotely for some reason, but it also sounded like maybe this wasn’t something they normally do, if ever.
The outgoing RG was an Evolution Digital EVO3000GW. The screenshots that dropped were meant to show me attempting an admin password change, and it not letting me.
AFAIK, no WAN ports were open, but UPnP was on by default. I neglected to do a port scan on the WAN port before the equipment swap, but that probably would’ve been prudent.
Sorry for not being clear about this before, but I’m fairly remote (~5 hour drive), so my mom was acting as remote [somewhat arthritic] hands in all this.
Since I’m remote, I had previously sent a raspberry pi that is running both pi-hole (to mitigate the possibility of her or her partner clicking on a malicious ad or pop-up that may compel them to inadvertently connect with a call center scammer again) and ZeroTier. I use ZT to log in to this device, which double NAT breaks, which is why I brought that up. Totally understandable that most average customers don’t use this, and a double-NAT situation is probably fine for my mom’s demographic. That said, to be sure, the much bigger issue is that they’re provisioning CPE with an unchangeable “password.”
I understand that this forum may not be quite the right fit for a post like this, and am looking for others that may be more appropriate. My hope is that this eventually gets to someone at Yondoo, or parent Mid-Atlantic Broadband (AS29914), since something like this probably falls outside of the wheelhouse of their tier 1 support, which was all we could get a hold of.
Thanks to everyone who’s responded – I value all of your input.
I am also a big fan of installing cake (sqm-scripts) in front cable devices.