
Insecure Routers on IOL

13

Comments

  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by secret_squirrel
    microsoft responsible for the XP firewall being disabled by default
    IOL didn't turn on the remote access, zyxel did. IOL just sold it on. Would you blame PC World for selling you the copy of XP with the firewall turned off?
    It's negligent of them to assume a non-computer literate is even gonna rtfm
    That's completely ridiculous. They can assume what they like, if someone doesn't follow the given instructions then it's their fault. No company should have to go out of their way to cater for customer idiocy. If you're not computer literate then that's even more reason to rtfm. I don't know much about DIY. If I try to assemble some bookshelves without following the instructions and **** it up, is that anyone's fault but my own?
    Isn't this fun?
    I'm enjoying it anyway :)


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    I don't think this is about going out of their way... IOL never go out of their way to do anything for customer. This was basic ISP responsibility in my estimation. It's laughable they provide a firewall for security... and provide a router that could be tinkered with by anyone :) Oh such irony...

    A simple negotiation with ZyXel about the issue would have made sure all the routers were configured with it OFF as is the default of all the routers I know.

    Let's keep the discussion going haha 4 + pages ;P

    Xcellor


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by Xcellor
    This was basic ISP responsibility in my estimation. It's laughable they provide a firewall for security...
    What makes you think it's their responsibility to secure your computer at all? What security did your ISP provide when you were on 56k? They are good enough to give you a free modem and now all of a sudden they are responsible for your internet security?
    and provide a router that could be tinkered with by anyone :) Oh such irony...
    Not quite true. It can be tinkered with by anyone only if you didn't have the common sense to change the default password. You shouldn't have to be told to do this, but just in case, it also tells you to do it in the manual.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Most of this post is replies to others, I haven't matched up names to quotes though.
    I highly doubt scanning IPs is an offense. It's a perfectly normal network diagnostic check..... Next people will say that pinging a site only has "hostile" intentions....

    A quick note here first - there's a huge difference between sending a few ping requests to a site and broadly portscanning an entire range of computers. Port-scanning has always been a bit of a grey area in computer security - it's kind of like checking out a house, testing the windows and doors to see if they're open, but not actually breaking in. You're technically not doing anything wrong, but it's seen as dodgy behaviour all the same. I'm only posting this point to try to clear up some confusion, I'm not saying I personally think portscanning is the devil's work and will kill kittens every time you do it. I could go deeper into this, but portscanning isn't the issue here.

    I will be writing to IOL about this, I find it completely retarded that they would ship hardware with the defaults set to allow remote access

    For what it's worth, I find it completely retarded that someone would install a router without reading the manual and changing their passwords. But there you go.

    So seems if they could configure that then why not play it safe and disable remote access

    Then they'd have to guide hundreds of clueless users over the phone in the event of a problem. It's far easier for them to leave remote access on by default (with their default passwords). I'm not saying it's right, I'm just trying to convey IOL's probable point of view. It's a bit of a gamble on their part - the likelihood that some luddite is going to have to have their router re-configured over the internet is more likely than someone having their router hacked because the passwords were left as default.

    If you do not do this or at least change the management password anyone could come around and muck up your connection settings and lock you out.

    IOL probably see this as not much of a concern. And they'd be right IMO. I doubt that so far they have had all that many people ring up because someone has locked them out of their router.

    I bet there are still people out there saying that it is the user's responsibility. Just think of a bank though, do they make it so easy for people to access your bank details. Take your money etc etc. Nope. A bank is a service institution. An ISP is likewise...

    Continuing my above point, there's a huge difference with your analogy. Being able to disconnect someone's internet service temporarily is a hell of a lot less of a deal than being able to wipe out their life savings. For most people, having their internet connection disabled for a few hours/days would be little more than an annoyance.

    Bear in mind most users will only follow the manual as far as it takes to get the thing working.

    Because I'm a complete bastard, I feel that anyone who gets shafted because they haven't secured something as simple as a DSL router deserves any hassle they get. I don't suffer fools gladly. If you can't be arsed reading through a little manual, or even getting a more technically-minded friend to do it, you're lucky if IOL can be arsed to help you out when you come crying to them.


    As for my personal views on the original post: Mnyeh. I don't care a whole lot either way TBH. IOL should be more responsible. But so should their customers. Everyone is in the wrong here. I don't particularly give a crap whether some DSL n00b gets their connection screwed up because they were too lazy/scared to follow simple instructions. Nor am I too concerned with IOL's alleged disregard for security, as it's not a very big risk in the first place.

    Ronoc, what you're trying to do is applaudable. Whether you're going about it the right way is another thing. You may have alerted lots of (undeserving IMO) IOL customers to a potential security threat. You may also have alerted lots of lame wannabe crax0rs to a hole in IOL broadband users' routers. It's really not that big a deal either way. Ideally, IOL probably should ship the routers with an instruction sheet just short of threatening the customer with actual physical abuse if they don't change their login information or switch remote administration off. They could include a nice little box in which you can write your new login information so you don't lose it. Maybe they could have a bright yellow sticker that you can put on your router with your login on it, again so you don't lose it.


    [Now I'm not thoroughly familiar with how much control someone will have over these particular routers through this security hole. In replying to these posts, I'm assuming they have very little control, pretty much limited to cutting off the user from the internet. If I'm wrong, most of my points are void :) ]

    Disclaimer: I sure as hell have no affinity for, nor allegiance with IOL. I just think they're not completely in the wrong here.


    After re-reading the thread, I'll reiterate my main point:

    IOL are aware of this problem. They have set out clear guidelines on how to solve this problem for those who actually read the manual. Anyone with a bit of cop on will have done this. Yet they still give out the routers with remote management enabled. Why?

    Because the very morons who don't bother / are incapable of securing their routers are the VERY PEOPLE who will most need IOL to be able to manage their router remotely. Yes, it's not an optimal solution. But I've done phone tech support a number of times. It's possibly the most frustrating thing in the world to have to guide an unwilling technophobe through a procedure that is about as complicated as tying shoelaces. I left tech support never to return because of this sh1t. I don't blame IOL at all for trying to make it easier for themselves to fix these ignoramus's routers. Sure, it causes another potential security threat, but as I mentioned above, it's a tradeoff. And it's not really that big of a security threat; this has been blown way out of proportion. I don't know very many people who will die instantly if their router gets cut off for a couple of days.


  • Closed Accounts Posts: 2,188 ✭✭✭Ripwave


    Originally posted by MrPinK
    I'd have to disagree with that. If they were changing the default settings and thereby making it less secure then that's a big problem,
    That's exactly what they are doing!

    You don't honestly think Zyxel are shipping them with Remote Admin enabled, do you?


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by Ripwave
    You don't honestly think Zyxel are shipping them with Remote Admin enabled, do you?
    I don't have said router, but from what I've read here, yes. Someone has quoted from their manual....
    1. change your password straight away
    2. change your remote management settings to Lan Only
    ....which would suggest to me that you have to manually disable remote admin.


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    If you can access the router you can gain access to username and password of the person. I'm not really sure if that's particularly important. But theoretically isn't that the way IOL log traffic on an account. So if you use someone else's username and password you could rack up their download limit? Probably very traceable.

    True enough... You can't really gain access to a person's computer.. hmm well maybe you can if you are knowledgeable enough. Depends on what files were shared.

    I agree with comments that IOL must have enabled this as their "pre-configuration" because I simply for the life of me can't understand a company producing them by default that way. They clearly outline in the help manual to put it for LAN access only... But I can't really understand why they would set it this way, then specify you should have it another way... All very confusing.

    I don't think you can blame people for not taking an active interest in reading the manual. It doesn't enthrall even the techies among us so why should we expect anyone else to sit and try and make sense... I mean even reading that manual will give you little or no understanding if you haven't got basic networking terminology in your head... Such as LAN, WAN etc.

    Anyway enough debating the rights and wrongs...
    I am right and everyone disagreeing with me is wrong. Sorry it's the truth. Get used to it ;P lol

    Xcellor


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by Xcellor
    If you can access the router you can gain access to username and password of the person.
    I'd be fairly sure that the password would be *'d out.
    I don't think you can blame people for not taking an active interest in reading the manual. It doesn't enthrall even the techies among us so why should we expect anyone else to sit and try and make sense... I mean even reading that manual will give you little or no understanding if you haven't got basic networking terminology in your head... Such as LAN, WAN etc.
    I don't blame people for not bothering to read the manual. I'm sure it's pretty dull and uninteresting. But I don't think they can then blame IOL if someone does access their router because they didn't read it. Whether you know what a LAN is or not, "We STRONGLY RECOMMEND that you set all three forms of management to 'LAN Only'" is pretty clear cut to anyone.


  • Closed Accounts Posts: 2,188 ✭✭✭Ripwave


    Originally posted by MrPinK
    I don't have said router, but from what I've read here, yes. Someone has quoted from their manual....
    ....which would suggest to me that you have to manually disable remote admin.

    I take it back.

    http://www.securityfocus.com/bid/6671/discussion/

    (Note that this was issued over a year ago, and the 623 should be newer than that, so I'd still have expected ZyXel to have disabled RemoteAdmin by default, but unless someone wants to do a "Factory Reset" on theirs, we may never know).

    Here's another story on the issue:
    http://www.wired.com/news/infostructure/0,1377,57342,00.html


  • Registered Users, Registered Users 2 Posts: 1,714 ✭✭✭Ryaner


    Ok firstly I'm not too familiar with the actual IOL router so dunno how well these stand on them.
    Now I'm not thoroughly familiar with how much control someone will have over these particular routers through this security hole. In replying to these posts, I'm assuming they have very little control, pretty much limited to cutting off the user from the internet. If I'm wrong, most of my points are void

    As said it can be very limited. Most routers use a NAT table to get multiple PCs connected. They have a function called "Port Forwarding" which basically forwards data on the port to a certain pc. Now everyone knows about viruses like blaster worm which shut down your pc etc. They also are very easy to install without causing the shut down system (xp only for this one). Once installed, using a tiny app in linux you gain access to the c:/ prompt. Basically akin to root access in linux or windows without the gui. User can do whatever they like such as sharing folders etc so they can take whatever data they want. Or delete it.
    Older windows systems are open to netbios hacks. The stuff is very easy to do.
    All this would just need to ports forwarded to the pc in question.

    Also people keep talking about hackers using the web interface for doing whatever they do. Anyone ever tried telnetin' into a modem or router? Remote access in a lot of cases won't make a difference. Most people use telnet to config the parts of the modem that the vendor doesn't give a web interface for but you can do a lot more, a lot quicker in it if you know how.
    I'd be fairly sure that the password would be *'d out.
    You can get programs which remove the stars from view and thus show the password. That's why the likes of xp in duns uses a different system than of old where the password is kinda encrypted in it. (You know the way it looks a lot longer than actually is) Even then it still very easy to get the password back.

    Also one thing I'm wondering, how many boards users would not have changed these settings on the router? I think most people who would be browsing these boards would have changed them but then again I could be wrong. People can be lazy (ie me) or maybe my view of people here is a bit high?


    Once again saying, I haven't tested the telnet stuff on iol routers and well, I don't really feel bothered to.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    <rant>

    Well we've seen it time again with Microsoft.
    • Firewall not enabled by default
    • Allowing users to open exe files from Outlook Express
    • Microsoft Update prompting users to download updates

    You can see how these settings seem fairly reasonable? We know enough at this stage how to fiddle and tweak.

    But it has been shown that these options have caused huge problems with worms and exploits. Why, do you ask? Because your average user who uses the net for Web and the occasional mail hasn't a clue how to fix the above.
    You might say, so what?

    But poor security affects us all. Not just the poor sucker who got MyDoom. MyDoom for example had a huge effect on internet traffic and email systems. A lot of people have been harping on about the so-called "Super Denial of Service" or the one that would DOS the internet. Think about it. Every user in the world that didn't patch a critical update or opened a bogus attachment simultaneously flooding the 13 root domain name servers.. Do not say it couldn't happen because it nearly did
    http://news.spamcop.net/pipermail/spamcop-geeks/2002-October/002775.html

    Some of the biggest worms used exploits that had bug fixes available for months. Yet they still spread like wildfire. Why? Because your average Joe Bloggs knows nothing about installing updates.

    So what was Microsoft's solution to the above?
    Security by default
    • Firewall enabled on new versions of XP
    • To open any remotely harmful attachment in OE you must enable it in settings
    • New versions of Microsoft Update are not prompting users for updates.

    Security by default is the only security that will protect the other 90% of internet users.
    </rant>


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    To repeat what I said, You can in fact get the username and password. The actual password not **********. I verified that the password I got on one account was valid by logging into the usage page and it worked fine...

    I won't say here how I got the password but with a bit of sense it isn't easy to figure out....

    Ciao,

    Xcellor


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,876 Mod ✭✭✭✭bk


    Originally posted by Sico

    [Now I'm not thoroughly familiar with how much control someone will have over these particular routers through this security hole. In replying to these posts, I'm assuming they have very little control, pretty much limited to cutting off the user from the internet. If I'm wrong, most of my points are void :) ]

    I won't go into any details as I don't want to give any noob's any ideas, but yes with access to the router you could gain complete access and control to the users PC, depending on the setup of their PC (which is probably very bad if they can't even figure out to change default username and passwords).

    With this sort of control they could steal your credit card details and other personal and confidential data. They could also use your PC as a proxy to carry out other illegal activity on the internet.

    You could have the FBI knocking down your door in the morning because they identified your PC as being the one that spread some new virus that cost billions (ok, this one is a bit out there, but it can happen).


  • Registered Users, Registered Users 2 Posts: 4,457 ✭✭✭Gerry


    Ok, a few points.

    I only saw this thread today, and would have posted earlier otherwise.
    For the first week, I too did not check the settings on the iol router, as I presumed that they would be reasonable. I did change the password however, that's just common sense.

    But when I portscanned my own machine (which I am perfectly entitled to do), I was horrified to discover that NAT was set to portforward EVERY port by default. One of the advantages of NAT is that you get a private ip, and people outside your lan cannot connect to you on ports you explicitly allow. With this default setting of every port forwarded, this security is gone, and the iol "router" is no more secure than a bridge.
    i.e. It will let anyone from the outside world connect to your machine, on any port you have open.

    I don't care if the routers are configured by a company down in cork. Iol are a big company, and this is a big contract. They should be specifying that nothing is port forwarded by default, or at least, not EVERYTHING. This would also get rid of the admin password problem.
    This is iol's fault. If I buy a modem in maplin, I don't expect it to be configured. I am buying a service from iol, and so they are in a position to help their customers, and their own reputation.

    Sico, you say:
    Then they'd have to guide hundreds of clueless users over the phone in the event of a problem. It's far easier for them to leave remote access on by default (with their default passwords). I'm not saying it's right, I'm just trying to convey IOL's probable point of view. It's a bit of a gamble on their part - the likelihood that some luddite is going to have to have their router re-configured over the internet is more likely than someone having their router hacked because the passwords were left as default.

    There are ways around this. In the case of a problem, the user could be guided to enable the remote access. It's about 3 clicks.

    When configured properly, the router does a reasonable job of protecting your machine. A portscan reveals that every single port on the machine is "Filtered". I mean ports 0 - 65535. This announces that there is a packet filtering firewall at this ip, but doesn't tell an attacker which services your machine is running, and doesn't let them connect to your machine, which is good.
    It is very stupid that iol ship you norton software, when they have a separate piece of hardware that is capable of doing the job better. They could save money by configuring it correctly. I've contacted them several times recently about minor issues, but I get sick of holding. I'll try again today.

    Because of my lack of trust in zyxel, I'm going to put a unix firewall machine in as my router instead though.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Gerry
    I've contacted them several times recently about minor issues, but I get sick of holding. I'll try again today.


    Why don't you mail bill dot murphy at esat dot com?


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,876 Mod ✭✭✭✭bk


    The argument here is between two different ideas in the computer world:

    The Microsoft Way:
    - All services enabled by default
    - Everything open by default.

    This is supposed to make life easier for users as they don't have to activate anything, but it leaves the PC wide open.

    In other words the OS is insecure out of the box and has to be secured by the user.

    The OpenBSD way (the name is ironic because it is one of the most secure OS's out there):
    - All services disabled by default (and most aren't even installed, they are easy to install however).
    - Everything closed by default.

    The thinking here is that the OS is secure out of the box and you have to try and work very hard to make it insecure.

    The MS way has been completely discounted in the computer security field, everyone in the computer security field, including Microsoft, has learned that you can't expect the Joe Public to follow security guidelines, they just don't understand, care or have the skills. Therefore the agreed approach is that any system should be secure out of the box, any inconvenience caused to customers by this is outweighed by the security benefit gained.

    I'm shocked to learn that Zyxel have remote administration and complete NAT port forwarding on by default. This is just awful and it just goes against all security best practices.

    Most router manufacturers have remote admin disabled by default and NAT port forwarding disabled.

    It is unbelievable that Esat give you a free copy of Norton Internet Security with its service, but then also gives you a completely unsecure router.

    BTW all bb users (whether you are with Eircom, UTV or NS) should check your router settings also, if you haven't already done so.
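
One way to run the settings check this thread keeps coming back to (password changed, every form of management set to "LAN Only", NAT not forwarding everything), as an added example that is not part of any post here and is not ZyXEL or IOL code. The snapshot layout, field names, service names and sample values are assumptions constructed for the example; copy the values from your own router's settings pages into a dict of this shape.

```python
"""Audit a router settings snapshot for the insecure defaults discussed in this thread.

The snapshot layout and all sample values are constructed for this example;
this is not ZyXEL's configuration format.
"""

MAX_PORT = 65535

# Placeholder only: put the default password printed in your router manual here.
KNOWN_DEFAULT_PASSWORDS = {"<default-password-from-manual>", ""}

# Access values treated as safe. "LAN Only" is the wording quoted from the
# manual in the thread; "Disabled" is an assumed extra value.
SAFE_MGMT_ACCESS = {"lan only", "disabled"}


def forwarded_port_count(rules):
    """Return how many distinct WAN ports are forwarded, merging overlapping ranges."""
    spans = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        start, end = rule["start"], rule["end"]
        if not 1 <= start <= end <= MAX_PORT:
            raise ValueError(f"bad port range {start}-{end}")
        spans.append((start, end))
    total = 0
    cur_start = cur_end = None
    for start, end in sorted(spans):
        if cur_end is not None and start <= cur_end + 1:
            cur_end = max(cur_end, end)  # overlaps or touches the current run
            continue
        if cur_end is not None:
            total += cur_end - cur_start + 1
        cur_start, cur_end = start, end
    if cur_end is not None:
        total += cur_end - cur_start + 1
    return total


def audit(snapshot):
    """Return a list of (severity, message) findings; empty when nothing is flagged."""
    findings = []
    if snapshot["admin_password"] in KNOWN_DEFAULT_PASSWORDS:
        findings.append(("HIGH", "admin password is still the shipped default"))
    for service, access in sorted(snapshot["remote_management"].items()):
        if access.strip().lower() not in SAFE_MGMT_ACCESS:
            findings.append(
                ("HIGH", f"{service} management is reachable from the WAN side "
                         f"(access={access!r})"))
    nat = snapshot.get("nat", {})
    if nat.get("catch_all_host"):
        findings.append(
            ("HIGH", "all unsolicited inbound traffic is forwarded to "
                     f"{nat['catch_all_host']}"))
    count = forwarded_port_count(nat.get("forward_rules", []))
    if count == MAX_PORT:
        findings.append(("HIGH", "every port is forwarded; NAT gives no inbound protection"))
    elif count:
        findings.append(("REVIEW", f"{count} port(s) forwarded; confirm each one is needed"))
    return findings


# Constructed sample: the untouched state the thread describes.
AS_SHIPPED = {
    "admin_password": "<default-password-from-manual>",
    "remote_management": {"web": "All", "telnet": "All", "ftp": "All"},  # assumed names
    "nat": {"forward_rules": [{"start": 1, "end": 65535, "to": "192.168.1.33"}]},
}

# Constructed sample: after following the two steps quoted from the manual
# and removing the blanket forward.
HARDENED = {
    "admin_password": "a-long-unique-passphrase",
    "remote_management": {"web": "LAN Only", "telnet": "LAN Only", "ftp": "LAN Only"},
    "nat": {"forward_rules": []},
}

if __name__ == "__main__":
    for name, snap in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name)
        for severity, message in audit(snap) or [("OK", "nothing flagged")]:
            print(f"  [{severity}] {message}")
```
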


  • Closed Accounts Posts: 90 ✭✭meatball


    wtf.jpg

    Here is what you should have done:
    - *ASKED* a few friends who have IOLBB to check whether the routers were being shipped in this state.
    - Informed IOL that this was the case and see what their response was.
    - Posted this information if you felt it was unsatisfactory.

    You should not have portscanned, you should not have posted before giving IOL the information, and you should definitely, DEFINITELY NOT HAVE LOGGED ON TO SOMEBODY ELSE'S ROUTER!


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Get off the moral highground you can't see us peasants below..


  • Closed Accounts Posts: 90 ✭✭meatball


    Peasants? You and Xcellor are the ones logging into other people's routers like it's nothing. If you really wanted to play the white-hat, you would have done what I said.


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    Originally posted by bk
    I won't go into any details as I don't want to give any noob's any ideas, but yes with access to the router you could gain complete access and control to the users PC, depending on the setup of their PC (which is probably very bad if they can't even figure out to change default username and passwords).

    With this sort of control they could steal your credit card details and other personal and confidential data. They could also use your PC as a proxy to carry out other illegal activity on the internet.

    You could have the FBI knocking down your door in the morning because they identified your PC as being the one that spread some new virus that cost billions (ok, this one is a bit out there, but it can happen).


    Who has their credit card details stored on file on a computer?
    Do you do it?
    Why?



    One kiddie spends thirty seconds googling for a port scanner and now they think they're Captain Zap.


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    Does anyone know the make/model of the router provided by IOL?


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    Originally posted by meatball


    Here is what you should have done:
    - *ASKED* a few friends who have IOLBB to check whether the routers were being shipped in this state.
    - Informed IOL that this was the case and see what their response was.
    - Posted this information if you felt it was unsatisfactory.

    You should not have portscanned, you should not have posted before giving IOL the information, and you should definitely, DEFINITELY NOT HAVE LOGGED ON TO SOMEBODY ELSE'S ROUTER!

    Thank you for your amazing insight. However I fail to see what significance asking a few friends would hold. We already know all IOL routers were shipped in the insecure state mentioned in millions of posts previously.

    Informed IOL? Well have you ever tried to inform IOL about anything that wasn't written in their on screen script? Have you ever tried to get a response about something that was out of the ordinary? Well I have and you don't get anywhere. They escalate calls which means they log you in the system and forget about you... I've been waiting for a response on a couple of issues for several weeks now.

    So why waste time with above two steps. They clearly were pointless because even if IOL did respond, would they issue a letter to everyone on broadband? Unlikely... and if they did how long would that take? A week? Two weeks? I've said it before and I'll say it again, anyone who was wanting to misuse this security loophole will be and would have started a long time before Ronoc posted this message. Hackers are opportunistic sods...

    If Esat BT was a perfect company that responded to customer concerns then MAYBE your 2nd suggestion would be appropriate but clearly Esat BT is not. So I believe this thread has been far more successful because anyone with IOL router looking at this will make the changes. Anyone who doesn't? Well they would be in the same situation as before, waiting for IOL to inform them.

    Xcellor


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,876 Mod ✭✭✭✭bk


    Originally posted by Sleipnir
    Who has their credit card details stored on file on a computer?

    Unfortunately many Joe Blog users do this who don't know any better.

    Also if you have control of a machine it would be extremely easy to install a key logger, then when a user enters their CC details at some ecommerce website, it records their keystrokes and sends them to the cracker.

    This is all very simple stuff, nothing complicated, it is hacking 101, it is all well documented on hacker websites and the tools to do it are widely available.

    You should see what goes on in the machines of the honeypot project, scary stuff.

    Do you do it?
    Why?

    Of course I don't, don't be stupid.

    One kiddie spends thirty seconds googling for a port scanner and now they think they're Captain Zap.

    Are you making this comment about me :mad:, or just people in general.

    BTW in case anyone thinks I've too much knowledge about computer security and might think I'm some sort of hacker, I'm not, I studied computer security at college and I work as a Software Engineer and have to deal with computer security issues from time to time.

    BBTW In case anyone is thinking of trying anything that I have spoken about here, DON'T, it is very illegal and you will get caught and you will get locked up.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    ZyXEL Prestige 623R-T is the model of the router.

    Sleipnir you know nothing about me. I may be a newbie here but I can assure you I have been using the net for the guts of 10 years now, back when getting a computer connected to the net was a fringe activity.

    You seem to make no distinction between a hacker/cracker and someone who has an interest in security.


  • Registered Users, Registered Users 2 Posts: 4,457 ✭✭✭Gerry


    Originally posted by eth0_
    Why don't you mail bill dot murphy at esat dot com?

    Jesus, cos I didn't know that the only way to get support was to email the CEO. Is he the only decision maker in the company?
    I'll email him.


  • Registered Users, Registered Users 2 Posts: 5,514 ✭✭✭Sleipnir


    Originally posted by bk

    Are you making this comment about me :mad:, or just people in general.

    BTW in case anyone thinks I've too much knowledge about computer security and might think I'm some sort of hacker, I'm not, I studied computer security at college and I work as a Software Engineer and have to deal with computer security issues from time to time.

    BBTW In case anyone is thinking of trying anything that I have spoken about here, DON'T, it is very illegal and you will get caught and you will get locked up.

    No, not you directly.

    But, if you have such experience then you should know better than to post such vulnerabilities on public forums. It just makes things worse.

    wide-range scanning is not illegal in itself but it is considered bad form and although most scans you see on a firewall log are nothing (like I said anyone can download and use one in minutes) they are a pain in the ass.
    If one person saw the post and said
    "hey, I'll bet I can do that and then I'll be a hacker"
    then it's one more pain in the ass.

    Before this thread started, one person on boards knew about the hole, now 953 people know about it.
    That is not good security practice.

    BTW, I do actually work in IT security every day on Checkpoint, Nokia, ISS, Symantec, Trend, Tripwire, nCipher to name but a few. Qualified in some, but not in all (I do have a life y'know!)


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by meatball
    Peasants? You and Xcellor are the ones logging into other people's routers like it's nothing. If you really wanted to play the white-hat, you would have done what I said.

    Damn right.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,876 Mod ✭✭✭✭bk


    Originally posted by Sleipnir
    No, not you directly.

    Oh, ok, sorry.

    But, if you have such experience then you should know better than to post such vulnerabilities on public forums. It just makes things worse.

    I didn't post about the vulnerability on a public forum, ronoc did and as you say I never would, I'd always try contacting the ISP admins first and I also didn't do any port scanning.

    If you read over my posts you might notice that I have only warned people that the problem is potentially more serious than just having your router settings messed up. I have gone to great pains to not include any specific details or information that might allow some kiddie to figure out what to do, not from my posts anyway. I have only pointed out what could happen, not how to do it or even where to find out.

    wide-range scanning is not illegal in itself but it is considered bad form and although most scans you see on a firewall log are nothing (like I said anyone can download and use one in minutes) they are a pain in the ass.
    If one person saw the post and said
    "hey, I'll bet I can do that and then I'll be a hacker"
    then it's one more pain in the ass.

    Agreed.

    Before this thread started, one person on boards knew about the hole, now 953 people know about it.
    That is not good security practice.

    Agreed, a little knowledge can be dangerous, however more than one person knew about it. Having spoken to a few people about it last night, more than a few people knew about it. For instance I assume any clued in IOL user who saw these settings on their router (and changed them) would assume (without portscanning) that many other IOL users would also be affected.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    Ok this is my last word on this as I think this argument is being run into the ground.

    My point is this information is already in the public domain. There already have been advisories about the default settings of this particular router. Google it at your leisure.

    Ignoring the problem is not the solution. People need to be aware of this problem. It is something that novice users must be made aware of.

    At this point over 1000 people have viewed this thread. Of those 1000 some have said that they re-examined some of their settings. That for me is enough.

    Those who are content in their own knowledge should think of that.


  • Registered Users, Registered Users 2 Posts: 2,806 ✭✭✭Xcellor


    The only reason I logged onto people's routers was to ascertain in my own mind that there was indeed a problem. Rather than come on here and spout off that there was.

    I could not post messages based on the widespread insecurity of people's routers if I have not seen it first hand.

    What I can't get my head around is that some people on this board would class what Ronoc and I did as wrong.

    All we did was recognise a security problem. Checking it out to make sure it was indeed a problem. Then post it on a public forum where anyone with the router in question could make the necessary changes.

    I think some people on this board need to recognise the hole was there. Neither Ronoc nor myself made the hole, or exploited it in anyway. All we did was try to make people aware of it using an effective channel. How they choose to act on this information is their own business.

    Xcellor

