[GLLUG] Am I over-reacting to this?

Alain Williams addw at phcomp.co.uk
Tue Jan 14 14:28:52 UTC 2014


On Tue, Jan 14, 2014 at 02:10:53PM +0000, John Winters wrote:
> Scenario:
> 
> An ISP offers pre-configured ADSL routers to suit its ADSL lines.
> 
> Before shipping the router, as well as setting up the line parameters and
> login, the ISP makes some hidden configuration changes to the router.
> 
> By default the router offers configuration through its internal LAN
> interface, by means of either http or telnet - i.e. you can use either a
> web browser or a telnet client to configure it.  The web configuration
> interface is a bit limited - anything really sophisticated needs the CLI.
> In addition the router offers the user the option to open up remote
> administration for a limited period.  That is, the router will offer its
> http interface on an unusual port on its external (WAN) interface at the
> request of an internal administrator.
> 
> However, the ISP as part of the configuration changes permanently opens up
> both http and cli interfaces on the external interface of the router, on
> the standard ports 80 and 22.  This change cannot be seen from the web
> interface, which still insists that external administration is disabled,
> and the configuration change is not mentioned in any documentation supplied
> with the router.  The sole protection is password-based login, over
> unencrypted connections.
> 
> I nearly fell off my chair when I discovered this.  Am I over-reacting?

No.

You should shout this from the rooftops; hopefully one of their customers (are
you one?) will sue them for making them vulnerable to attack. If this stuff is
hidden then it is presumably not as advertised, ...

PS: tell us who these reprobates are.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
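The check a practitioner would want after reading the scenario above, as an added example that is not part of the post or of any router vendor's tooling: a web UI that reports "remote administration disabled" proves nothing about what is bound on the WAN interface, so the only trustworthy answer comes from probing the WAN address from outside the LAN (a VPS, a mobile tether, a friend's connection; a LAN-side scan will not see a WAN-only listener). The script connects to the usual admin ports, records which ones answer and what banner they volunteer, and, because a real router is not available offline, includes a constructed local stand-in (one fake listener that speaks an SSH-style banner and one port that is genuinely closed) so it can be exercised as-is. The WAN address, the port list and the banner text are assumptions for illustration.

```python
"""Probe a router's WAN address for admin ports the web UI claims are closed.

Added example, not code from the GLLUG post. Run it from OUTSIDE your own LAN:
a listener bound only to the WAN interface is invisible from the LAN side,
which is exactly how the web UI can say 'remote administration disabled'
while ports 80 and 22 are open to the whole Internet.
"""
import socket
import threading

# Ports an ISP-supplied router commonly exposes for admin access (assumed list).
ADMIN_PORTS = (22, 23, 80, 443, 8080)  # SSH, telnet, HTTP, HTTPS, alt-HTTP


def probe_port(host, port, timeout=2.0):
    """Return (open, banner). open is True when a TCP connect succeeds;
    banner is whatever the service sends unprompted within a second."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                banner = s.recv(128)
            except OSError:
                banner = b""
            return True, banner.decode("ascii", "replace").strip()
    except OSError:
        return False, ""


def audit_wan_exposure(wan_ip, ports=ADMIN_PORTS, timeout=2.0):
    """Probe each port on the WAN address; returns {port: (open, banner)}."""
    return {p: probe_port(wan_ip, p, timeout) for p in ports}


def exposed(results):
    """Ports that answered, i.e. the ones anyone on the Internet can reach."""
    return sorted(p for p, (is_open, _) in results.items() if is_open)


# --- constructed local stand-in so the audit runs without a real router -----

def start_fake_service(banner):
    """Start a throwaway listener on 127.0.0.1 that sends `banner` and closes.
    Returns the ephemeral port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a port nothing listens on: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Stand-in for a router with a hidden WAN listener on one port (banner is
    constructed, SSH-style) and another port genuinely closed. Returns the
    audit results so they can be checked."""
    ssh_port = start_fake_service(b"SSH-2.0-dropbear\r\n")
    shut_port = closed_port()
    return audit_wan_exposure("127.0.0.1", (ssh_port, shut_port), timeout=1.0)


if __name__ == "__main__":
    import sys
    # Usage: python wan_audit.py <router WAN IP>   (no argument: run the demo)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_wan_exposure(target) if target else demo()
    for port, (is_open, banner) in sorted(results.items()):
        print(f"{port:5d}  {'OPEN  ' if is_open else 'closed'}  {banner}")
    if exposed(results):
        print("WAN-reachable admin ports:", exposed(results))
```

A banner such as an SSH or HTTP server string on a port the UI says is closed is the evidence to keep when raising this with the ISP; a closed result from a LAN-side scan is not evidence of anything, since the hidden listener is WAN-only by design.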
