nanog mailing list archives

Re: Yondoo provided router, has "password" as admin pw, won't let us change it


From: Todd Stiers <todd.stiers () gmail com>
Date: Wed, 8 Feb 2023 18:48:51 -0800

[OP here]

Just some minor follow up:

 - The tech was able to swap out their RG with the modem-only one that I
had sent (after making a couple phone calls). It didn't seem like they
could provision a user-supplied modem remotely for some reason, but it also
sounded like maybe this wasn't something they normally do, if ever.

 - The outgoing RG was an Evolution Digital EVO3000GW. The screenshots that
dropped were meant to show me attempting an admin password change, and it
not letting me.

 - AFAIK, no WAN ports were open, but UPnP was on by default. I neglected
to do a port scan on the WAN port before the equipment swap, but that
probably would've been prudent.

 - Sorry for not being clear about this before, but I'm fairly remote (~5
hour drive), so my mom was acting as remote [somewhat arthritic] hands in
all this.

 - Since I'm remote, I had previously sent a raspberry pi that is running
both pi-hole (to mitigate the possibility of her or her partner clicking on
a malicious ad or pop-up that may compel them to inadvertently connect with
a call center scammer again) and ZeroTier. I use ZT to log in to this
device, which double NAT breaks, which is why I brought that up. Totally
understandable that most average customers don't use this, and a double-NAT
situation is probably fine for my mom's demographic. That said, to be sure,
the much bigger issue is that they're provisioning CPE with an unchangeable
"password."

 - I understand that this forum may not be quite the right fit for a post
like this, and am looking for others that may be more appropriate. My hope
is that this eventually gets to someone at Yondoo, or parent Mid-Atlantic
Broadband (AS29914), since something like this probably falls outside of
the wheelhouse of their tier 1 support, which was all we could get a hold
of.

Thanks to everyone who's responded -- I value all of your input.

Cheers,
Todd

On Wed, Feb 8, 2023 at 5:09 PM Jason R. Rokeach via NANOG <nanog () nanog org> wrote:

It’s been a while, but attacks that take advantage of this are (or at
least in the past have been) real.


https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html
https://www.digitaltrends.com/web/javascript-malware-mobile/

I recall when this stuff first started to come out, leaning on RG vendors
to fix their firmware to make their default passwords unpredictable based
on information readily available on the LAN.
In this case we’re not even talking about taking action this
sophisticated… It seems to me that, having a customer willing and ready to
secure themselves, preventing them from doing so is wildly inappropriate.


On Wed, Feb 8, 2023 at 7:57 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:

I agree, but if we start listing every massive security vulnerability that
can be found on the intra-home LAN in consumer-grade routers and home
electronics equipment, or things that people operate in their homes with
the factory-default passwords, we'd be here all month in a thread with 300
emails.

I'm sure this ISP will realize what a silly thing they did if and when
some sort of worm or trojan tries a set of default logins/passwords on
whatever is the default gateway of the infected PC, and does something like
rewrite the IPs entered for DNS servers to send peoples' web browsing to
advertising for porn/casinos/scams, male anatomy enlargement services or
something.



On Wed, Feb 8, 2023 at 3:28 PM William Herrin <bill () herrin us> wrote:

On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke <eric.kuhnke () gmail com> wrote:
I would hope that this router's admin "password" interface is only
accessible from the LAN side.
This is bad, yes, but not utterly catastrophic.

It means that any compromised device on the LAN can access the router
with whatever permissions the password grants. While there are
certainly worse security vulnerabilities, I'm reluctant to describe
this one as less than catastrophic. Where there's one grossly ignorant
security vulnerability there are usually hundreds.

Regards,
Bill Herrin


--
For hire. https://bill.herrin.us/resume/
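The DNS-rewrite scenario Eric describes above (malware changing the gateway's resolver settings) is detectable from inside the LAN without touching the router at all. The following is an added example, not code from the thread: run on a LAN host such as the Raspberry Pi Todd mentions, it compares the resolvers the host was handed via DHCP (from a dhclient lease file or resolv.conf, both constructed samples here) against an allow-list; the pi-hole address 192.168.1.10 and the rogue 203.0.113.x addresses are assumptions.

```python
import re

# Constructed sample of a dhclient lease file; the most recent lease block wins.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  option domain-name-servers 192.168.1.10;
}
lease {
  interface "eth0";
  option domain-name-servers 203.0.113.7, 203.0.113.8;
}
"""

# Constructed sample /etc/resolv.conf as a DHCP client would write it.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
nameserver 203.0.113.7
nameserver 192.168.1.10
"""

def resolvers_from_resolv_conf(text: str) -> list[str]:
    """Nameserver addresses from resolv.conf-style text, comments ignored."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def resolvers_from_dhclient_leases(text: str) -> list[str]:
    """DNS servers from the last lease block in a dhclient lease file."""
    matches = re.findall(r"option domain-name-servers\s+([^;]+);", text)
    if not matches:
        return []
    return [ip.strip() for ip in matches[-1].split(",")]

def unexpected_resolvers(found: list[str], allowed: set[str]) -> list[str]:
    """Resolvers not on the allow-list, in first-seen order, without duplicates."""
    bad = []
    for ip in found:
        if ip not in allowed and ip not in bad:
            bad.append(ip)
    return bad

if __name__ == "__main__":
    allowed = {"192.168.1.10"}  # assumed pi-hole address
    found = resolvers_from_dhclient_leases(SAMPLE_LEASES) + resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    bad = unexpected_resolvers(found, allowed)
    print("ALERT: unexpected resolvers:", bad if bad else "none")
```

Point it at the real /var/lib/dhcp/dhclient.leases and /etc/resolv.conf from a cron job and any non-empty result is worth a look at the gateway's DNS settings.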


