Yondoo provided router, has "password" as admin pw, won't let us change it

[TACACS Macaque via NANOG <nanog () nanog org>]

Apparently iCloud’s hide my email implementation can only be used with one recipient, so here was my reply to Josh 
(apologies to him for the spam), for posterity:

Hi,

Thanks for your reply.

Double NAT tends to break things like ZeroTier.

But even if that wasn’t a problem for us, I think the more pressing concern here is that the default admin password for 
the router is “password”, and you can’t change it without a tech coming out to change it for you, and shelling out $50.

Who knows how many residential routers are in their fleet that are “password” protected; seems like a disaster waiting 
to happen.

The model was an Evolution Digital EVO3000GW — thankfully they were able to swap it out with a non-router modem that I 
had sent to her over the weekend, but not without making a few phone calls, first. It didn’t seem like they could 
provision the new modem remotely.

If anyone has a more security-focused forum they could recommend for a post like this, I’ll be happy to take my inquiry 
elsewhere.

Cheers,
Todd


> On Feb 8, 2023, at 8:06 AM, Josh Luthman <josh () imaginenetworksllc com <mailto:josh () imaginenetworksllc com>> 
> wrote:
>
> What's the problem with double NAT?  I can't imagine an elderly mom trying to host Xbox games - which is 95% of the 
> problem with double NAT these days (the other 5% being Ubiquiti bros having to access their Unifi router from 
> anywhere).
>
> Your screenshots didn't come through, I suspect it's stripped via the mailing list, but there's no model number 
> specified anywhere.
>
> NANOG really isn't the best place for this, but I don't know where else you would be able to go besides what you've 
> already done:  Yondoo support.
>
> On Tue, Feb 7, 2023 at 9:17 AM TACACS Macaque via NANOG <nanog () nanog org <mailto:nanog () nanog org>> wrote:
> > Hi,
> >
> > Long time lurker, first time poster. Sorry in advance if this is the wrong forum for something like this.
> >
> > My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer Premises Equipment) with a built-in router, 
> > without providing the ability to change the admin password from "password" on it.
> >
> >
> >
> > ​
> >
> > Their customer service rep said that this is not only WAI, but also wanted to charge her $50 to have a tech come out 
> > and change it. Which is obviously less than ideal.
> >
> > That aside, this seems like a pretty egregious security standard which, from my understanding, can have fairly dire 
> > security implications... e.g., DNS server settings can be pointed at whatever someone wants here.
> >
> > My mom is elderly and had already fallen victim to a call center scammer a couple years ago. They briefly took 
> > control over her laptop before she called for backup. So I'm just a little concerned that we have no control over 
> > changing this router's admin password — from “password” — in a pinch, without waiting for a truck roll && shelling 
> > out $50.
> >
> > I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in hopes that they'll let us bring our own. 
> > She does have Google Wifi, but we can't even put their router into bridge mode. So she would be double NATed and 
> > have no control over changing the admin password on the first router.
> >
> > Anyone have any experience with Yondoo? I've tried reaching out to them on multiple fronts, but have yet to hear 
> > back from them on this. A tech is scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let us use 
> > our own modem and then take it from there.
> >
> > Thanks,
> > Todd