[GLLUG] Am I over-reacting to this?

John Winters john at sinodun.org.uk
Tue Jan 14 14:10:59 UTC 2014


Scenario:

An ISP offers pre-configured ADSL routers to suit its ADSL lines.

Before shipping the router, as well as setting up the line parameters and
login, the ISP makes some hidden configuration changes to the router.

By default the router offers configuration through its internal LAN
interface, by means of either http or telnet - i.e. you can use either a
web browser or a telnet client to configure it.  The web configuration
interface is a bit limited - anything really sophisticated needs the CLI.
In addition the router offers the user the option to open up remote
administration for a limited period.  That is, the router will offer its
http interface on an unusual port on its external (WAN) interface at the
request of an internal administrator.

However, the ISP, as part of the configuration changes, permanently opens up
both http and cli interfaces on the external interface of the router, on
the standard ports 80 and 22.  This change cannot be seen from the web
interface, which still insists that external administration is disabled,
and the configuration change is not mentioned in any documentation supplied
with the router.  The sole protection is password-based login, over
unencrypted connections.

I nearly fell off my chair when I discovered this.  Am I over-reacting?

John
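The practical check the scenario above calls for is to look at the router from the WAN side rather than trusting what its web interface says. The script below is an added example and is not part of the original post or of any ISP's or vendor's tooling: it TCP-connects to a list of ports on a public IP you supply and reports which ones accept connections, then lists the ones that are open even though the UI claims remote administration is disabled. The port list (22 and 80 from the post, plus 23 and 443 as assumed extras) and the `demo_on_loopback` self-check (which opens a listener on 127.0.0.1 so the code runs offline) are assumptions made for this example. It must be run from a host outside the router's LAN, and only against equipment you are responsible for.

```python
"""Probe a router's WAN side for admin ports the web UI may not admit to.

Added example, not code from the original mailing-list post.
Run from OUTSIDE the router's LAN:  python3 wan_check.py <public-ip> [port ...]
"""
import socket
import sys

# Assumed default port list: 22 and 80 are the ones named in the post,
# 23 and 443 are added here because CLI/web admin commonly sit there too.
DEFAULT_PORTS = {
    22: "ssh / CLI",
    23: "telnet / CLI",
    80: "http web admin (cleartext)",
    443: "https web admin",
}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A completed connect only shows the port is reachable; it says nothing
    about which service answers. Filtered/closed ports raise OSError.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_wan_exposure(host, ports=None, timeout=2.0):
    """Probe each port and return {port: True/False}."""
    ports = list(ports) if ports is not None else list(DEFAULT_PORTS)
    return {p: probe_port(host, p, timeout) for p in ports}


def compare_with_ui_claim(actual, ui_says_remote_admin_enabled):
    """Ports that are reachable from the WAN although the UI says remote
    administration is off. Empty when the UI already admits it is on."""
    if ui_says_remote_admin_enabled:
        return []
    return sorted(p for p, is_open in actual.items() if is_open)


def demo_on_loopback():
    """Offline self-check (assumed for this example): open one listener on an
    ephemeral loopback port, pick a second port that is closed, scan both.
    Returns (open_port, closed_port, discrepancies)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind and immediately release another ephemeral port so it is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        actual = scan_wan_exposure("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, compare_with_ui_claim(actual, False)


def main(argv):
    if len(argv) < 2:
        print(__doc__)
        return 2
    host = argv[1]
    ports = [int(p) for p in argv[2:]] or list(DEFAULT_PORTS)
    actual = scan_wan_exposure(host, ports)
    for port in ports:
        label = DEFAULT_PORTS.get(port, "")
        print(f"{host}:{port:<5} {'OPEN' if actual[port] else 'closed'}  {label}")
    # The post's router UI insists remote admin is disabled, so compare against that.
    hidden = compare_with_ui_claim(actual, ui_says_remote_admin_enabled=False)
    if hidden:
        print("Reachable from the WAN despite the UI saying remote admin is off:", hidden)
    return 1 if hidden else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the router's own "temporary remote administration" feature uses an unusual port, a fixed port list can miss things; for a full picture run an all-ports scan from outside (for example `nmap -p- <public-ip>`) and follow it with a banner grab on anything that answers. A positive result here means a password-only login over a cleartext protocol is reachable from the whole Internet, which is what the post describes.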



