Friday, July 20, 2007

TTNET, Routers, Default Passwords and YOU!

I maintain a mail server, and occasionally check my logs. Occasionally, I investigate hosts that attempt spam, see why they were rejected and what lists they were in, etc. Well, yesterday, I found something amusing.

A number of spam messages have, in the past, come from a Turkish ISP called TTNET.

Curious to see if a web server was operating on one of the hosts (many spammers have simple "user name/password" logins to a web interface for the various machines, or bullshit "unsubscribe" forms), I popped a few IPs in my browser.

What I discovered...

See that? That's a login screen for a router.

I know what some of you are thinking, there's lots of those out there, right? Not with the default password set.

That's right, you can just log on in! In fact, the router even WARNS you to change the password, how thoughtful!

..Well, actually, it just asks you politely. Of course, if you're lazy, stupid, or just a DSL installer for a Turkish ISP, you can just mash ignore and pretend you never saw it.

From there, you can do pretty much anything you want including (but not limited to):
  • Set up port forwarding to any host in the network.
  • Turn on traffic filters (some models)
  • Turn on/off view logging (some models)
  • Configure VPN settings (some models)
  • Change connection settings (notably fun: DNS for all your phishing fantasies)
  • VIEW/SET THE DSL USERNAME AND PASSWORD.


What? But they're all ***'d out?

Silly EndUser™. The asterisks on web pages that aren't plopped in by autocomplete are filled in by the web server itself! I'll save that for another post, but essentially, the password is in the source, see?

See those massive black squares? That's not porn, that's user information and the associated password! Not exactly a shocker, but it further illustrates the moral of my story here. There were a number of hosts in the IP range of TTNET configured just like this, default passwords with the web interfaces turned on.

I realize Turkey is probably not an upper-class high-tech heaven with super-awesome DSL installers, but there are still lessons to be learned here.
  1. Don't trust the guy getting paid minimum wage to install your service correctly.
  2. Secure your router, at least change the default password.
  3. Don't leave the "WAN Configuration Enabled" option on, ever.
  4. Don't ignore important warnings about password security.
  5. Device manufacturers do not care about security, be careful with your wallet.
If you work for a device manufacturer (HA HA HA), there's even more to learn here:
  1. Require a password change before allowing the WAN Configuration option to be turned on.
  2. Caution users about the horrific gravity of default passwords.
  3. Don't turn the WAN Configuration option on by default.
  4. Put the WAN Configuration option on a timer by default (with a stern warning before turning it on permanently).
  5. Instead of plopping the current password in a field, have a "change password" button with a separate page for setting the WAN password without the current password in it. This removes the need to send the password in the form at all. (Of course, it makes recovery more difficult for us white hats.)
Well, I hope my readers (HA HA HA) learned something useful from this.
