
Insecure Routers on IOL

  • 02-03-2004 5:07pm
    #1
    Posts: 3,621 ✭✭✭


    I just did a scan of the IP range for IOL dsl accounts.

    There are an enormous number of routers with their http configuration open to the internet. Worse still, many of them still have their default login.

    Anyone that did a self install of their IOL broadband router, would you make sure you have disabled remote management from the WAN. (See the attached Diagram)

    If you do not do this, or at least change the management password, anyone could come around and muck up your connection settings and lock you out.
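    A defender's-side check, added here and not part of the thread: rather than scanning anyone, look at your own router's firewall log. Any ACCEPTed connection arriving on the WAN interface to the management ports (HTTP, HTTPS, Telnet) proves remote management is still enabled. The log format, interface name "wan" and all addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): a syslog-style firewall
# record carrying action, inbound interface, source, destination and port.
SAMPLE_LOG = """\
Mar  2 17:01:10 router fw: ACCEPT IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=80
Mar  2 17:01:12 router fw: ACCEPT IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=80
Mar  2 17:02:40 router fw: ACCEPT IN=lan SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP DPT=80
Mar  2 17:03:05 router fw: DROP IN=wan SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=23
Mar  2 17:05:51 router fw: ACCEPT IN=wan SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=443
"""

# Ports on which home routers typically serve their configuration interface.
MGMT_PORTS = {80, 443, 23}

LINE_RE = re.compile(
    r"fw: (?P<action>ACCEPT|DROP) IN=(?P<iface>\w+) SRC=(?P<src>[\d.]+) "
    r".*?DPT=(?P<dpt>\d+)"
)


def wan_management_hits(log_text, wan_iface="wan"):
    """Summarise WAN-side connections to management ports.

    Returns two Counters keyed by (source IP, port): 'accepted' entries show
    the admin interface is reachable from the Internet; 'dropped' entries are
    attempts the firewall blocked and are worth watching for repeats.
    """
    accepted, dropped = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("iface") != wan_iface:
            continue  # LAN-side traffic and unparseable lines are not of interest
        port = int(m.group("dpt"))
        if port not in MGMT_PORTS:
            continue
        key = (m.group("src"), port)
        (accepted if m.group("action") == "ACCEPT" else dropped)[key] += 1
    return {"accepted": accepted, "dropped": dropped}


def exposure_report(log_text):
    """Verdict string: any accepted WAN hit means remote management is on."""
    hits = wan_management_hits(log_text)
    if not hits["accepted"]:
        return "no accepted WAN connections to management ports"
    lines = ["REMOTE MANAGEMENT REACHABLE FROM WAN:"]
    lines += [f"  {src} -> port {port} x{n}"
              for (src, port), n in sorted(hits["accepted"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(exposure_report(SAMPLE_LOG))
```

    If the report shows accepted hits, disable remote management on the WAN side (or restrict it to known addresses) and change the default password; the dropped entries then give you a count of who keeps knocking.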



Comments

  • Posts: 3,621 ✭✭✭ [Deleted User]


    Here is the image I forgot to attach.


  • Registered Users, Registered Users 2 Posts: 197 ✭✭iano


    I just did a scan of the IP range for IOL dsl accounts.
    You should be careful that you are not violating your service provider's acceptable usage conditions.

    It is not generally considered acceptable to scan other people's IP space without their permission. There is no legitimate reason to be doing this.

    That said, it is a pretty sad state of affairs if so many users are so vulnerable due to a lack of information and instructions from their provider!


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Well I rang IOL support to ask them but they just put me on hold;)


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    yeah generally scanning IP ranges for holes is as bad as leaving the holes open in the first place.

    It's pretty dumb to leave a hole like that open but even worse is publishing your findings to the whole world that they are open.

    Although then again, it wouldn't surprise me if IOL did that on purpose so that when a customer rings to complain that their DSL has stopped for no reason (I didn't change a thing!) IOL can login to their box and undo whatever the dumbass customer did!


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by ronoc
    I just did a scan of the IP range for IOL dsl accounts.

    There are an enormous amount of routers with their http configuration open to the internet. Worse still many of them still have their default login.

    That's no concern of Esat's. They supply you with the router, they don't configure it.
    And be aware that Esat are well within their rights to cancel your account for port scanning.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Give me a break.

    Given your logic an Organisation like Bugtraq is wrong for publishing their findings. I would consider leaving the holes open a far worse problem than scanning for them.
    Should we just ignore it and maybe the problem will disappear?

    The wrong people undoubtedly know full well the default settings of these routers. This is knowledge that is in the public domain.
    All I did was to advise the people reading this board to check their settings, unless you would prefer people to be unaware of the problem until they have been locked out of their router...


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I highly doubt scanning IPs is an offense. It's a perfectly normal network diagnostic check..... Next people will say that pinging a site only has "hostile" intentions....

    Anyway.. you don't even need to scan IP. Get your own IP, add or subtract last digit... and plug into your web browser. Without scanning I found 4 routers with default username and password. I could also attain username and password for each account...

    This is of some concern. I will be writing to IOL about this, I find it completely retarded that they would ship hardware with the defaults set to allow remote access........


    Xcellor


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Listen, congrats, you know how to use a port scanner. But it's more dangerous to tell the thousands of people on boards that there is a vulnerability.
    You could have sent a mail to esat, or held on the phone for tech support.

    But as i've already said, the security config of the router is no concern of Esat's....plenty of makes of routers etc do the same thing out of the box.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor
    This is of some concern. I will be writing to IOL about this, I find it completely retarded that they would ship hardware with the defaults set to allow remote access........

    I think you would be better contacting zyxel/ericsson. Esat don't config the routers, they don't even send them out. It's an IT company in Cork that sends them out. If you bought a zyxel/ericsson off the shelf it would have the same problem. Not esat's problem.....


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I'm with you ronoc, I believe if a bug is there it should be fixed NOT ignored.... otherwise people will exploit it.

    And I disagree completely with eth0_ that this isn't Esat's fault... my god what is their fault these days? Seems they can provide crap service, crap customer support, hardware with holes in it and still some feel they are an acceptable company.

    Plain and simple with the problems on the Internet with security it is number one responsibility of ISP to ensure safe usage for their clients.

    Nuff said,

    Xcellor


  • Posts: 3,621 ✭✭✭ [Deleted User]


    I never said it was a concern of Esat. Although I should have. Shipping routers with the security settings the way they are is an extremely dumb idea.
    Especially when Windows XP does not enable its firewall on LANs by default.

    Bear in mind most users will only follow the manual as far as it takes to get the thing working.

    Eth0_ I suggest you check Esat's "sparse" Acceptable Usage Policy.


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    eth_0

    That is just pure rubbish... If I am provided with a service or product from a company it is them that are responsible for it. Not the manufacturer.... Basic consumer law.

    If I buy a dodgy Apple out of Tesco I don't go to Granny Smith and complain. I complain to Tesco and they fix it.... They may then in turn take the issue to Granny Smith.

    Simply put but the same principle applies. I'm sick of Esat with their, "Blame it on anyone else... it's not our fault" approach to dealing with customer problems. They have done it in the past with me saying "Oh but it's Eircom this... and Eircom that..."... I don't give a crap, I DONT PAY EIRCOM FOR DSL I PAY ESAT BT.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    There *IS* no bug! The routers are supplied unconfigured. It is the customer's responsibility to set up the router, it says that in the contract....

    This is akin to getting in a flap with dell because they supplied you with a copy of windows 2000 which has a security hole...


  • Registered Users, Registered Users 2 Posts: 197 ✭✭iano


    I highly doubt scanning IPs is an offense. It's a perfectly normal network diagnostic check.....
    As I stated, it is not generally considered acceptable to scan other people's IP space without their permission. You scanning my connection without my permission is hardly much of a diagnostic check!

    It uses resources, fills up firewall logs and generally pisses people off.


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    It's obvious that all these boxes are supplied with a default password.
    What are Esat supposed to do then, change the password for each person and keep a record of it?

    I'm sure it's in the router's manual that
    "this box has a default password, we advise you change it"

    but most won't read the manual and then complain about "not being told"


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I don't agree. They were part configured by IOL.

    I didn't have to plug in IP details etc that was all done for me... So seems if they could configure that then why not play it safe and disable remote access... But again Esat really don't care too much... I mean why should they? They are Esat after all...

    Xcellor


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    Sleipnir you are missing the point....

    Default username and passwords are acceptable... I mean we aren't arguing that...

    However by default Remote access was allowed. Meaning anyone with Admin and whatever the password is.... can gain access unless you immediately change the password the second you get connected.

    Remote access should have been disabled, plain and simple.

    Xcellor


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor

    I didn't have to plug in IP details etc that was all done for me...

    Um no, I think your router auto detected those settings actually.


  • Registered Users, Registered Users 2 Posts: 2,083 ✭✭✭carbsy


    I agree , and the problem isn't just limited to IOL it seems! :rolleyes:

    Use yer heads people , and tighten up the ship before ye get locked out!


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    And if the user changes the default admin password could someone still get into the config from the outside?

    No, they could see the page but not gain access.

    Sure it's good practice to shut down unnecessary ports but really, you need to look after your own security.

    EDIT
    Default username and passwords are acceptable


    Wha? :rolleyes:


  • Closed Accounts Posts: 1,456 ✭✭✭kida


    I must say I'm with eth0_ on this. If you go into Maplins or compustore and bought the same router would you blame them for not disabling this.

    If someone is stupid enough not to read the manual and close off all loopholes that is their problem.

    I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Originally posted by iano
    As I stated, it is not generally considered acceptable to scan other people's IP space without their permission. You scanning my connection without my permission is hardly much of a diagnostic check!

    It uses resources, fills up firewall logs and generally pisses people off.

    I can be as unobtrusive as you want. A simple connect on port 80 is all it is. And in fairness your firewall is there to give you those logs so that's a moot point.


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    eth0_

    As I recall... Setting up my router there were details already in place *before* I even connected my phoneline to router... So there was definitely some pre-configuration done to the router for use with IOL BB. So they could have set the remote option off by default. They didn't because they are incompetent...

    So basically the router I got wasn't exactly the same as you would buy off the shelf. Even the instruction manual was IOL specific... Therefore IOL supplied it to me with potential security risks involved.

    It's a huge oversight on the part of IOL.... However, I doubt IOL will issue a warning. But hey we can but hope....

    Xcellor


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    Originally posted by kida
    I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.

    Wholeheartedly concur.

    MOD!


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I really can't believe the attitude that seems to be prevailing here....

    "Shussshhhhh keep it quiet.... if no one knows about it... no one will be harmed... "

    That's pure crap and anyone with a shred of knowledge about incidences in the past will know you can't keep things like this quiet and this is the best way to let people know... On a bulletin board that is popular. Coz let's face it, by the time IOL issue a warning (if they believe it is their responsibility) more damage would have been done...

    Shouts go out to RONOC

    Xcellor


  • Posts: 3,621 ✭✭✭ [Deleted User]


    It is selfish to just consider your own security. If I had not mentioned port mapping (Which is apparently evil) I don't think this post would have stirred up nearly as much controversy.
    In that I regret that the original point was missed.
    Many people should check their security out cause at the end of the day it's going to be their problem when it goes wrong.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor

    Shouts go out to RONOC

    Indeed. "Phj33r".

    Ronoc - you think if you port scanned a bank or eircom or the FBI for that matter, that that's harmless? Port scanning is seen as a precursor to an attack. You have no reason to port scan a host that doesn't belong to you unless you are looking for security holes to exploit.

    BTW didn't know the routers had IOL setup guides and were preconfigged, perhaps this is something IOL should be looking into after all, but I completely disagree with broadcasting the problem to everyone on boards. IOL would take this seriously....


  • Closed Accounts Posts: 90 ✭✭meatball


    Supremely irresponsible.

    You could have just reminded people to turn off remote administration without port-scanning or implying that there were loads of suckers on IOL just waiting to be ****ed with.

    A little knowledge...


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I'm sure the hackers out there would already be aware of this potential "backdoor".
    I mean let's give them a bit of credit.

    Posting it on a board is making people aware of the problem so they can remedy it. Most of the exploits that have been discovered in the past are posted on very respectable sites to allow the very same. Sometimes giving very detailed explanations about how you would carry out the "hack".

    AntiVirus sites tell you how viruses propagate and where they hide themselves. Should we turn around and give out to the AntiVirus companies saying "HEY WHAT THE HELL YOU GIVING WANNABE HACKERS IDEAS????".

    God it's ludicrous.

    I would advise all with IOL BB. Disable remote access and change your IOL password...

    Xcellor


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Originally posted by eth0_
    Indeed. "Phj33r".

    Ronoc - you think if you port scanned a bank or eircom or the FBI for that matter, that that's harmless? Port scanning is seen as a precursor to an attack. You have no reason to port scan a host that doesn't belong to you unless you are looking for security holes to exploit.

    --snip--

    Why on earth would I want to scan the FBI?
    Portscanning is a very useful tool. I agree it has uses that are undesirable. In this case it shows that people should make sure their routers are configured correctly.

    I really think you are dwelling on the portscanning a bit much. I am just letting people know there may be issues with their configurations which by default are _insecure_. A point I hope is not being lost here..

