
Saturday, August 11, 2007

TTNET, Routers, Default Passwords and YOU! - UPDATE

Just when I thought that TTNET couldn't make things any worse, they managed to impress me. Looking in my mail server logs (again) I punched in a few of the IPs I got from them, and found something EVEN WORSE than my previous post.

Above is a login screen for an AirTies (Flash Req'd) RT-102 ADSL2+ modem. Being curious, I looked it up on our old friend the default router password list (see previous post). However, I only found a default password for the RT-201 model. Curious, I went to their site. Strangely, the RT-102 does not even appear on their support pages, so I looked up the next-highest model, the RT-103. I didn't find any documentation in English, but I did find a FAQ section, and to quote:
I forgot the password for my router, what should I do?

If you have forgotten the password you have defined for logging in to your router using the web interface, you need to reset your router to factory defaults. By going back to factory defaults, all other settings that you may have configured (DSL, Wireless, LAN settings) will also be erased. To reset your router, press and hold the “Reset” button on the back panel for 5 seconds while your router is on. You can then login to the web interface by leaving the password field blank, and reenter all your settings.
AHA! That must be it! I'm presuming there IS a default password at all! How silly of me! So, I leave the password blank, and voilà! I'm in! *sigh* Now, at this point, I will admit I'm impressed with the router's capabilities. It supports 12 DSL modes, which is quite impressive.


Sigh. Not only do we see the same horrible mistake as last time, but I'm afraid it gets even more comical.


Perhaps, in Turkey, there is no word for security? Perhaps there is no word for common sense? Perhaps I've missed something. Is it so much to ask for at least a minimum password policy, TTNET? Any ISP administrator that allows a password like that deserves to be flogged.

But let's look at the situation for a moment. This is a different router than before, with the same problem. The WAN configuration option turned on, and no password set. There is only one conclusion to draw from this: TTNET is doing this on purpose! Sure, the router company is nearly as much at fault, but it appears the TTNET employees are INTENTIONALLY turning on the WAN side configuration at setup!

I wish I had more to say about this, but I think the above speaks for itself.

Friday, July 20, 2007

TTNET, Routers, Default Passwords and YOU!

I maintain a mail server, and occasionally check my logs. Occasionally, I investigate hosts that attempt spam, see why they were rejected and what lists they were in, etc. Well, yesterday, I found something amusing.

A number of spam messages have, in the past, come from a Turkish ISP called TTNET.

Curious to see if a web server was operating on one of the hosts (many spammers have simple "user name/password" logins to a web interface for the various machines or bullshit "unsubscribe" forms), I popped a few IPs in my browser.

What I discovered...

See that? That's a login screen for a router.

I know what some of you are thinking, there's lots of those out there, right? Not with the default password set.

That's right, you can just log on in! In fact, the router even WARNS you to change the password, how thoughtful!

..Well, actually, it just asks you politely. Of course, if you're lazy, stupid, or just a DSL installer for a Turkish ISP, you can just mash ignore and pretend you never saw it.

From there, you can do pretty much anything you want including (but not limited to):
  • Set up port forwarding to any host in the network.
  • Turn on traffic filters (some models)
  • Turn on/off view logging (some models)
  • Configure VPN settings (some models)
  • Change connection settings (notably fun: DNS for all your phishing phantasies)
  • VIEW/SET THE DSL USERNAME AND PASSWORD.


What? But they're all ***'d out?

Silly EndUser™. ***'s on webpages that aren't plopped in by auto complete are filled in by the webserver itself! I'll save that for another post, but essentially, the password is in the source, see?

See those massive black squares? That's not porn, that's user information and the associated password! Not exactly a shocker, but it further illustrates the moral of my story here. There were a number of hosts in the IP range of TTNET configured just like this, default passwords with the web interfaces turned on.

I realize Turkey is probably not an upper-class high-tech heaven with super-awesome DSL installers, but there are still lessons to be learned here.
  1. Don't trust the guy getting paid minimum wage to install your service correctly.
  2. Secure your router, at least change the default password.
  3. Don't leave the "WAN Configuration Enabled" option on, ever.
  4. Don't ignore important warnings about password security.
  5. Device manufacturers do not care about security, be careful with your wallet.
If you work for a device manufacturer (HA HA HA), there's even more to learn here:
  1. Require a password change before allowing the WAN Configuration option to be turned on.
  2. Caution users about the horrific gravity of default passwords.
  3. Don't turn the WAN Configuration option on by default.
  4. Put the WAN Configuration option on a timer by default (with a stern warning before turning it on permanently).
  5. Instead of plopping the current password in a field, have a "change password" button with a separate page for setting the WAN password without the current password in it. This relieves the requirement of having to send the password in the form. (Of course, it makes recovery more difficult for us white hats.)
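
A sketch of how the manufacturer-side rules above could look in firmware logic. This is an added example, not code from any router vendor or from the original post; the class, function and field names, the one-hour window and the minimum password length are all assumptions made for illustration.

```python
import hashlib, html, os
from dataclasses import dataclass

WAN_ADMIN_MAX_SECONDS = 3600  # assumption: WAN configuration window capped at one hour
MIN_PASSWORD_LEN = 10         # assumption: minimum admin password length

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class RouterConfig:            # hypothetical settings store
    admin_salt: bytes = b""
    admin_hash: bytes = b""        # empty = factory state, no admin password chosen yet
    wan_admin_until: float = 0.0   # 0 = WAN-side configuration off (the default)
    dsl_username: str = ""
    dsl_password: str = ""         # kept for the DSL login, never written into a page

    def admin_password_set(self) -> bool:
        return bool(self.admin_hash)

    def set_admin_password(self, new: str) -> None:
        if len(new) < MIN_PASSWORD_LEN:
            raise ValueError("admin password too short")
        self.admin_salt = os.urandom(16)
        self.admin_hash = _kdf(new, self.admin_salt)

    def enable_wan_admin(self, now: float, seconds: int = WAN_ADMIN_MAX_SECONDS) -> None:
        # Rule 1: no WAN-side configuration while the factory password is in place.
        if not self.admin_password_set():
            raise PermissionError("set an admin password before enabling WAN configuration")
        # Rule 4: the option always carries an expiry.
        if not 0 < seconds <= WAN_ADMIN_MAX_SECONDS:
            raise ValueError("WAN configuration window out of range")
        self.wan_admin_until = now + seconds

    def wan_admin_allowed(self, now: float) -> bool:
        # Checked on every request arriving on the WAN interface.
        return self.admin_password_set() and now < self.wan_admin_until

def render_dsl_form(cfg: RouterConfig) -> str:
    # Rule 5: the password field is always sent empty; blank means "keep current".
    user = html.escape(cfg.dsl_username, quote=True)
    return (f'<input name="dsl_user" value="{user}">'
            '<input type="password" name="dsl_pass" value="" autocomplete="off">')

def apply_dsl_form(cfg: RouterConfig, dsl_user: str, dsl_pass: str) -> None:
    cfg.dsl_username = dsl_user
    if dsl_pass:  # only overwrite the stored password when a new one was typed
        cfg.dsl_password = dsl_pass
```

A factory reset would restore `RouterConfig()` defaults, which turns WAN configuration off again until a new password is chosen.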
Well, I hope my readers (HA HA HA) learned something useful from this.