The Security Ledger

Hard Coded Password Sinks Fleet of DSL Routers

A flaw in a common DSL router affects devices from a wide range of vendors.

In-brief: A hard coded firmware password could provide remote hackers with access to a wide range of home broadband routers, underscoring the risk posed by shared hardware and software, according to an alert from Carnegie Mellon University’s CERT this week. 

A hard coded firmware password that was known to affect DSL routers by the Chinese firm ZTE Corp. actually affects a far wider range of devices, exposing them to remote compromise, according to an alert from Carnegie Mellon University’s CERT this week.

DSL routers sold under the ASUS, DIGICOM, Observa Telecom and Philippine Long Distance Telephone (PLDT) brands run firmware that contains the hard-coded password  allowing an attacker who can remotely connect to the devices to log in with administrator credentials, according to the CERT Vulnerability Note, which was released on Tuesday.

[Read: why terrible home router security matters to the Internet of Things.]

The devices in question use different administrator account names by default. But presuming the attacker knows the correct administrator default for the device, she could combine that with the default password to gain access to the device using the Telnet service. The default password is “XXXXairocon,” where “XXXX” refers to the last four digits of the device’s MAC address, CERT said.

Affected devices include the ASUS DSL-N12E, the DIGICOM DG-5524T, the Observa Telecom RTA01N the Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293, and the ZTE ZXV10 W300.

The vulnerability was first disclosed in February, 2014 after it was spotted in the ZTE devices. The new Vulnerability Note expands the list of affected devices.

Home routers and wireless gateways are considered the ‘canary in the coal mine’ for Internet of Things risk. The powerful, low-cost Internet-connected devices are often loosely managed and share components such as firmware and other software. They can be an easy mark for hackers, who have increasingly turned to them as alternatives to better-secured home PCs and laptops.

Unlike those devices, which are actively managed, software updates and security patches are rarely deployed for home routers, which are often managed, at least indirectly by carriers.

In just one recent example, the firm Allegro Software in December urged its customers to apply a 10 year-old software update to address vulnerabilities affecting an embedded web server found in some 12 million broadband routers by manufacturers including Linksys, D-Link, Huawei, TP-Link, ZTE and Edimax.

CERT said that there is no solution for the hardcoded password problem. It recommends using firewall rules to block access to the Telnet service on the device from any untrusted sources and to block SNMP service on the device.

Spread the word!