[GLLUG] WAS: Re: Am I over-reacting to this?
cehunter at gb-x.org
Mon Jan 20 21:36:06 UTC 2014
On 20/01/14 13:47, Dylan wrote:
> On 20/01/14 13:40, John Edwards wrote:
>> On Mon, Jan 20, 2014 at 01:27:08PM +0000, Jean van Wyngaardt wrote:
>>> In the news today..
>> Technical details here:
>> But the description of this problem is different to John Winters'.
>> This is the leakage of security information (including admin password
>> and WPA keys) through the HTTP web interface, but it seems to only be
>> available on the LAN side of the router by default.
> Surely, in order to "push" an upgrade (which is presumably a software
> update) these routers must have some kind of WAN facing login as well?
They mostly do. I've only looked at a few routers - the Bebox, the
Huawei TalkTalk effort and a couple of Thomson ones used by other ISPs,
and they're all able to be "upgraded" remotely. Typically, there's a
high-numbered port that's left partially open! Their default admin
passwords are generally inane ("Talk1234" was a particularly memorable
one!) and they often have an obvious secondary "root" user name too.
In every instance, I have replaced the supplied "free" router with my
own. In every instance, my router has far outperformed the crippled
junk that ISPs supply!