Hard-coded credentials in DSL SOHO routers
Recently there has been news from CERT that warns of the presence of hard-coded credentials in DSL SOHO routers. Tod Beardsley, security engineering manager at Rapid7, made a statement on these events:
“Hardcoded credentials are one of the most well-known common vulnerabilities for SOHO routers from nearly every vendor. These are not software bugs in the traditional sense, but specific usernames and passwords that are trivial to exploit, very rapidly, across thousands to millions of these devices.

These backdoors are usually not reachable directly from the Internet; the attacker must be on the local network in order to use them to reconfigure devices. However, this shouldn’t necessarily be comforting. While attackers must be “local,” most of these credentials are usable on the configuration web interface, and a common technique is to use a cross-site scripting (XSS) attack on a given website to silently force the user (on the inside network) to log in to the device and commit changes on the attacker’s behalf.

Attackers on free, public WiFi are also on the local network, and can make configuration changes to a router that can affect anyone else connected to that

Once an attacker has administrative control over the router, the opportunity for mischief and fraud is nearly limitless. He can do anything from setting up custom DNS configurations, which will poison the local network’s name resolution, to completely replacing the firmware with his own, enabling him to snoop and redirect any and all traffic at will.

Backdoor credentials like these are certainly not new; simply Googling the Observa Telecom hidden administrator account password, 7449airocon, turns up nearly 400 hits on sites ranging from legitimate router security research blogs to sites dedicated to criminal activity. I’m glad that CERT/CC is bringing attention to this problem. Manufacturers must make every effort to at least allow end-users to change these passwords, and ideally, passwords would be generated, randomly, on first boot or firmware restore. Until manufacturers stop using default passwords on the devices users rely on for Internet connectivity, we will continue to see opportunistic attacks on home and small business routers.”
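One defensive check that follows from the statement above, added here as an example and not part of the CERT note or Rapid7's statement: auditing an extracted firmware root filesystem for accounts that ship with a fixed password hash (the hard-coded credentials every device flashed with that image shares) or with an extra UID-0 administrator account. The sample passwd/shadow contents and their hashes are constructed placeholders.

```python
"""Audit an extracted SOHO-router firmware rootfs for baked-in login accounts.
Example code; the sample data below is constructed, not taken from any device."""
from pathlib import Path

# Password fields that mean "no password can authenticate" (BusyBox/glibc conventions).
NO_LOGIN = {"", "*", "!", "!!"}


def _entries(text: str):
    """Yield colon-split records of a passwd/shadow file, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def audit(passwd_text: str, shadow_text: str = "") -> list[tuple[str, str]]:
    """Return (user, reason) pairs for accounts shipped in the image with a usable password.

    A hash in the image means every device flashed with it shares that password, unless
    first-boot provisioning rewrites it (which a static check like this cannot see)."""
    shadow = {f[0]: (f[1] if len(f) > 1 else "") for f in _entries(shadow_text)}
    findings = []
    for f in _entries(passwd_text):
        if len(f) < 7:
            continue  # malformed line; not a passwd record
        user, pw, uid = f[0], f[1], f[2]
        # "x" defers to /etc/shadow; anything else is the hash stored right in passwd
        hashval = shadow.get(user, "") if pw == "x" else pw
        if hashval not in NO_LOGIN:
            findings.append((user, "fixed password hash shipped in image"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID-0 (administrator) account"))
    return findings


def audit_rootfs(root: Path) -> list[tuple[str, str]]:
    """Audit an extracted rootfs directory (e.g. the output of binwalk/unsquashfs)."""
    passwd = (root / "etc/passwd").read_text() if (root / "etc/passwd").exists() else ""
    shadow = (root / "etc/shadow").read_text() if (root / "etc/shadow").exists() else ""
    return audit(passwd, shadow)


# Constructed BusyBox-style sample; the hashes are placeholders, not real device data.
SAMPLE_PASSWD = """\
root:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxxxx:0:0:root:/:/bin/sh
support:$1$saltsalt$PLACEHOLDERHASHyyyyyyyyyyy:0:0:vendor support:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
nobody:*:65534:65534:nobody:/:/bin/false
"""
SAMPLE_SHADOW = "daemon:!:0:0:99999:7:::\n"

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```

The `support` account is the pattern the statement describes: a second UID-0 login with a password fixed at build time, which a user cannot change from the web interface.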