Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Insecure Routers on IOL

  • 02-03-2004 4:07pm
    #1
    Posts: 3,620 ✭✭✭


    I just did a scan of the IP range for IOL dsl accounts.

    There are an enormous amount of routers with their http configuration open to the internet. Worse still many of them still have their default login.

    Anyone one that did a self install of their IOL broadband router would you make sure you have disabled remote managment from the WAN. (See the attached Diagram)

    If you do not do this or at least change the managment password anyone could come around and muck up your connection settings and lock you out.


«1

Comments

  • Posts: 3,620 ✭✭✭ [Deleted User]


    Here is the image I forgot to attach.


  • Registered Users, Registered Users 2 Posts: 197 ✭✭iano


    I just did a scan of the IP range for IOL dsl accounts.
    You should be careful that you are not violating your service provider's acceptable usage conditions.

    It is not generally considered acceptable to scan other people's IP space without their permission. There is no legitimate reason to be doing this.

    That said, it is a pretty sad state of affairs if so many users are so vulnerable due to a lack of information and instructions from their provider!


  • Posts: 3,620 ✭✭✭ [Deleted User]


    Well I rang IOL support to ask them but they just put me on hold;)


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    yeah generally scanning IP ranges for holes is as bad as leaving the holes open in the first place.

    It's pretty dumb to leave a hole like that open but even worse is publishing your findings to the whole world that they are open.

    Altough then again, it wouldn't surprise me if IOL did that on purpose so that when a customer rings to complain that their DSL has stopped for no reason (I didn't change a thing!) IOL can login to their box and undo whatever the dumbass customer did!


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by ronoc
    I just did a scan of the IP range for IOL dsl accounts.

    There are an enormous amount of routers with their http configuration open to the internet. Worse still many of them still have their default login.

    That's no concern of Esat's. They supply you with the router, they don't configure it.
    And be aware that Esat are well within their rights to cancel your account for port scanning.


  • Advertisement
  • Posts: 3,620 ✭✭✭ [Deleted User]


    Give me a break.

    Given your logic an Organisation like Bugtraq is wrong for publishing their findings. I would consider leaving the holes open a far worse problem than scanning for them.
    Should we just ignore it and maybe the problem will disappear?

    The wrong people undoubtedly know full well the default settings of these routers. This is knowlege that is in the public domain.
    All I did was to advise the people reading this board to check their settings, unless you would perfer people to be unaware of the problem until they have been locked out of their router...


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    I highly doubt scanning IPs is an offense. It's a perfectly normal network diagnostic check..... Next people will say that pinging a site only has "hostile" intentions....

    Anyway.. you dont even need to scan IP. Get your own IP add or subtract last digit... and plug into your web browser. Without scanning I found 4 routers with default username and password. I could also attain username and password for each account...

    This is of some concern. I will be writing to IOL about this, I find it completely retarded that they would ship hardware with the defaults set to allow remote access........


    Xcellor


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Listen, congrats, you know how to use a port scanner. But it's more dangerous to tell the thousands of people on boards that there is a vulnerability.
    You could have sent a mail to esat, or held on the phone for tech support.

    But as i've already said, the security config of the router is no concern of Esat's....plenty of makes of routers etc do the same thing out of the box.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor
    This is of some concern. I will be writing to IOL about this, I find it completely retarded that they would ship hardware with the defaults set to allow remote access........

    I think you would be better contacting zyxel/ericsson. Esat don't config the routers, they don't even send them out. It's an IT company in Cork that sends them out. If you bought a zyxel/ericsson off the shelf it would have the same problem. Not esat's problem.....


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Im with you ronoc I believe if a bug is there it should be fixed NOT ignored.... otherwise people will exploit it.

    And I disagree completely with eth0_ that this isn't Esats fault... my god what is their fault these days? Seems they can provide crap service, crap customer support, hardware with holes in it and still some feel they are an acceptable company.

    Plain and simple with the problems on the Internet with security it is number one responsibility of ISP to ensure safe usage for their clients.

    Nuff said,

    Xcellor


  • Advertisement
  • Posts: 3,620 ✭✭✭ [Deleted User]


    I never said it was a concern of Esat. Although I should have. Shipping routers with the security settings the was they are is an extremly dumb Idea.
    Especially when Windows XP does not enable its firewall on LANs by default.

    Bear in mind most users will only follow the manual as far as it takes to get the thing working.

    Eth0_ I sugest you check Esats "sparce" Acceptable Usage Policy.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    eth_0

    That is just pure rubbish... If I am provided with a service or product from a company it is them that are responsible for it. Not the manufacturer.... Basic consumer law.

    If a buy a dodgy Apple out of Tesco I dont goto Granny Smith and complain. I complain to Tesco and they fix it.... They may then in turn take the issue to Granny Smith.

    Simply put but the same principle applies. I'm sick of Esat with their, "Blame it on anyone else... it's not our fault" approach to dealing with customer problems. They have done it in the past with me saying "Oh but it's Eircom this... and Eircom that..."... I don't give a crap, I DONT PAY EIRCOM FOR DSL I PAY ESAT BT.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    There *IS* no bug! The routers are supplied unconfigured. It is the customers responsibility to set up the router, it says that in the contract....

    This is akin to getting in a flap with dell because they supplied you with a copy of windows 2000 which has a security hole...


  • Registered Users, Registered Users 2 Posts: 197 ✭✭iano


    I highly doubt scanning IPs is an offense. It's a perfectly normal network diagnostic check.....
    As I stated, it is not generally considered acceptable to scan other people's IP space without their permission. You scanning my connection without my permission is hardly much of a diagnostic check!

    It uses resources, fills up firewall logs and generally pisses people off.


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    it's obvious that all these boxes are supplied with a default password.
    What are Esat suppsed to do then, change the password for each person and keep a record of it?

    I'm sure it's in the router's manual that
    "this box has a default password, we advise you change it"

    but most won't read the manual and then complain about "not being told"


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    I don't agree. They were part configured by IOL.

    I didn't have to plug in IP details etc that was all done for me... So seems if they could configure that then why not play it safe and disable remote access... But again Esat really don't care too much... I mean why should they? They are Esat after all...

    Xcellor


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Sleipnir you are missing the point....

    Default username and passwords are acceptable... I mean we arent arguing that...

    However by default Remote access was allowed. Meaning anyone with Admin and whatever the password is.... can gain access unless you immediately change the password the second you get connected.

    Remote access should have been disabled, plain and simple.

    Xcellor


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor

    I didn't have to plug in IP details etc that was all done for me...

    Um no, I think your router auto detected those settings actually.


  • Registered Users, Registered Users 2 Posts: 2,091 ✭✭✭carbsy


    I agree , and the problem isn't just limited to IOL it seems! :rolleyes:

    Use yer heads people , and tighten up the ship before ye get locked out!


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    And if the user changes the default admin password could someone still get into the config from the outside?

    No, they could see the page but not gain access.

    Sure it's good practice to shut down unneccessary ports but really, you need to look after your own security.

    EDIT
    Default username and passwords are acceptable


    Wha? :rolleyes:


  • Advertisement
  • Closed Accounts Posts: 1,456 ✭✭✭kida


    I must say I'm with eth0_ on this. If you go into Maplins or compustore and bought the same router would you blame them for not disabling this.

    If someone is stupid enough not to read the manual and close off all loopholes that is their problem.

    I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.


  • Posts: 3,620 ✭✭✭ [Deleted User]


    Originally posted by iano
    As I stated, it is not generally considered acceptable to scan other people's IP space without their permission. You scanning my connection without my permission is hardly much of a diagnostic check!

    It uses resources, fills up firewall logs and generally pisses people off.

    I can be as unobtrusive as you want. A simple connect on port 80 is all it is. And In fairness your firewall is there to give you those logs so thats a moot point.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    eth0_

    As I recall... Setting up my router there were details already in place *before* I even connected my phoneline to router... So there was definitely some pre-configuration done to the router for use with IOL BB. So they could have set the remote option off by default. They didn't because they are incompetant...

    So basically the router I got wasn't exactly the same as you would buy off the shelf. Even the instruction manual was IOL specific... Therefore IOL supplied it to me with potential security risks involved.

    It's a huge oversight on the part of IOL.... However, I doubt IOL will issue a warning. But hey we can but hope....

    Xcellor


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    Originally posted by kida
    I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.

    Wholeheartedly concur.

    MOD!


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    I really can't believe the attitude that seems to be prevailing here....

    "Shussshhhhh keep it quiet.... if no one knows about it... no one will be harmed... "

    That's pure crap and anyone with a shred of knowledge about incidences in the past will know you can't keep things like this quiet and this is the best way to let people know... On a bulletin board that is popular. Coz lets face it,, by the time IOL issue a warning (if they believe it is their responsiblity) more damage would have been done...

    Shouts go out to RONOC

    Xcellor


  • Posts: 3,620 ✭✭✭ [Deleted User]


    It is selfish to just consider your own security. If I had not mentioned port mapping (Which is apparently evil) I don't think this post would have stirred up nearly as much controversy.
    In that I regret that the original point was missed.
    Many people should check their security out cause at the end of the day Its going to be their problem at the end of the day when it goes wrong.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by Xcellor

    Shouts go out to RONOC

    Indeed. "Phj33r".

    Ronoc - you think if you port scanned a bank or eircom or the FBI for that matter, that that's harmless? Port scanning is seen as a precursor to an attack. You have no reason to port scan a host that doesn't belong to you unless you are looking for security holes to exploit.

    BTW didn't know the routers had IOL setup guides and were preconfigged, perhaps this is something IOL should be looking into after all, but I completely disagree with broadcasting the problem to everyone on boards. IOL would take this seriously....


  • Closed Accounts Posts: 90 ✭✭meatball


    Supremely irresponsible.

    You could have just reminded people to turn of remote administration without port-scanning or implying that there were loads of suckers on IOL just waiting to be ****ed with.

    A little knowledge...


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Im sure the hackers out there would already be aware of this potential "backdoor".
    I mean lets give them a bit of credit.

    Posting it on a board is making people aware of the problem so they can remedy it. Most of the exploits that have been discovered in the past are posted on very respectable sites to allow the very same. Sometimes giving very detailed explanations about how you would carry out the "hack".

    AntiVirus sites tell you how viruses propogate and where they hide themselves. Should we turn around and give out to the AntiVirus companies saying "HEY WHAT THE HELL YOU GIVING WANNABE HACKERS IDEAS????".

    God it's ludicrous.

    I would advise all with IOL BB. Disable remote access and change your IOL password...

    Xcellor


  • Advertisement
  • Posts: 3,620 ✭✭✭ [Deleted User]


    Originally posted by eth0_
    Indeed. "Phj33r".

    Ronoc - you think if you port scanned a bank or eircom or the FBI for that matter, that that's harmless? Port scanning is seen as a precursor to an attack. You have no reason to port scan a host that doesn't belong to you unless you are looking for security holes to exploit.

    --snip--

    Why on earth would I want to scan the FBI?
    Portscanning is a very useful tool. I agree it has uses that are undesirable. In this case it shows that people should make sure their routers are configured correctly.

    I really think you are dwelling on the portscanning a bit much. I am just letting people know their may be issues with their configurations which by default are _insecure_. A point I hope is not being lost here..


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    Originally posted by ronoc


    Why on earth would I want to scan the FBI?

    JESUS! It was a hypothetical example!
    Portscanning can get you into a lot of trouble, as I found out when I was a 15 year old n00b.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,274 Mod ✭✭✭✭bk


    Originally posted by kida
    I must say I'm with eth0_ on this. If you go into Maplins or compustore and bought the same router would you blame them for not disabling this.

    Modems and routers are usually sold with remote administration turned off by default. This looks like the guys who configure the routers messed up.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Portscanning....

    It's like the force it can be used for good or for the darkside...

    Valid point being made by rbnoc.

    Question: Without portscanning would we even be aware of the fact soooooooo many IOL users have not changed their default settings.

    Answer: No

    Question: Would the problem still have existed without being brought up here?

    Answer: Yes. and undoubtedly anyone who hacks would already have known about it. So therefore saying it out in the open like this is harmless. It is beneficial because most of the people posting on here are at this moment saying "CRAP I've got to change my password...." and the rest who don't... Well is believe that is IOL's responsibility because they shipped poorly configured hardware..

    Xcellor


  • Closed Accounts Posts: 90 ✭✭meatball


    Don't leave us hanging eth0...


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Originally posted by bk
    Modems and routers are usually sold with remote administration turned off by default. This looks like the guys who configure the routers messed up.

    Yes but IOL preconfigured the router. But in their wisdom decided to leave Remote Access on. Regardless of whether ZyXel are to blame... I got my router from IOL, it was configured by IOL and therefore I hold IOL responsible....

    Xcellor


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Originally posted by eth0_
    JESUS! It was a hypothetical example!
    Portscanning can get you into a lot of trouble, as I found out when I was a 15 year old n00b.

    How did you get in trouble? I can't think of too many ISP's that would fuss about a portscan... Unless of course you ran into an over zealous systems administrator that believes he is God...

    Portscanning gives you info. It's what you do with that info that determines the validity for getting that info.

    Xcellor


  • Posts: 3,620 ✭✭✭ [Deleted User]


    Well its like the advice to turn on your firewall.
    You get one but it may not be on by default.
    I just think there are ppl here who may have no Idea that their routers are not configured properly.


  • Closed Accounts Posts: 90 ✭✭meatball


    "I can't think of too many ISP's that would fuss about a portscan..."

    LOL Why, how many have you worked for?


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,274 Mod ✭✭✭✭bk


    Originally posted by Xcellor
    Yes but IOL preconfigured the router. But in their wisdom decided to leave Remote Access on. Regardless of whether ZyXel are to blame... I got my router from IOL, it was configured by IOL and therefore I hold IOL responsible....

    Xcellor

    Ehm, yes, that is exactly what I'm saying, obviously not clearly.

    I would expect that the manufacturer of the modem/router had remote administration disabled by default, but IOL (or whoever it gets to configure these) messed up and enabled it.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Speaking from personal experience....

    I was bloody shocked when I saw that I could access my router from outside my LAN... I simply couldn't believe it. That means for the first week my router was completlely open to anyone who knew my IP. I'm no expert but I know my stuff about computers... and I probably never would have checked only that I was bored one day.

    I never thought for a second that when I tried to log onto my IP I would get a username and password box popping up. Even with the way I feel about IOL... I didn't think they were *that* incompetant.

    I bet there are still people out there saying that it is the users responsibility. Just think of a bank though, do they make it so easy for people to access your bank details. Take your money etc etc. Nope. A bank is a service institution. An ISP is likewise...

    Xcellor


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Originally posted by meatball
    "I can't think of too many ISP's that would fuss about a portscan..."

    LOL Why, how many have you worked for?


    No but i've portscanned many times and never had a problem with it. There seems to be this notion that portscanning can only be used for hacking... That is completely out of line....

    Xcellor


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by kida
    I also think it very irresponsible to publish such a security loophole on a public forum - I am sure as we speak havoc is being wreaked. There should even be a case for a mod to delete this post.
    How do you think most security problems are found and fixed? All he did was warn IOL users that they may be at risk and what they should do if they are. I'd want to know if there was a possible secuirty problem with my setup. How can it be better if this thread be deleted and many users remain oblivious to such a big security hole in their system?


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    Originally posted by MrPinK
    How do you think most security problems are found and fixed? All he did was warn IOL users that they may be at risk and what they should do if they are. I'd want to know if there was a possible secuirty problem with my setup. How can it be better if this thread be deleted and many users remain oblivious to such a big security hole in their system?

    Finally!! Someone who sees the sense in what he did.... I think 90% that have posted here would rather be ignorant to the fact people could be screwing around with their router... But I bet you that they'd be the ones moaning when they were locked out. And im sure they would be less than happy if they knew people knew about it and didn't warn them....

    Truth is... anyone who looks at Broadband forum will see this topic and make the adjustments to their router. So it's done it's job despite the negative viewpoints and the "stick the head in sand" attitude of some here...

    Xcellor


  • Posts: 3,620 ✭✭✭ [Deleted User]


    If I hadn't mentioned scanning I'd say this thread would have drifted into obsurity.
    I almost wish it had :rolleyes:


  • Closed Accounts Posts: 3,357 ✭✭✭secret_squirrel


    This thread prompted me to re-examine my router settings to double check this...fortunately remote admin is off.

    Kudos to ronoc. I cant believe there are so many people are getting on their high horse about portscanning, the only way you can prevent security holes is through education, which involves telling people about risks not keeping silent.

    And I'd lay good odds that the record of his port scan is lying on a IOL log somewhere in amoungst millions of others. They are as common as muck ffs.


  • Registered Users, Registered Users 2 Posts: 2,821 ✭✭✭Xcellor


    A bit of lively debate is good...

    It's worrying though. I feel some here have a very strange attitude to a serious problem.

    Ignorance isn't bliss when your router is locked and you don't have the expertise to fix it. I would hazard to guess 90% of the people on BB now have never used a router before they received theirs from whatever ISP. Therefore it really should have been dummy proof with the most basic of security options already predefined.

    In their help guide they say,

    "We strongly recommend that you set all three forms of management to LAN only"

    So they were aware of the situation but still decided to keep it as ALL...

    I question their logic...

    Xcellor


  • Closed Accounts Posts: 90 ✭✭meatball


    You come home, there is a stranger poking around your door. You confront him, and he says he was only trying to make sure your door was locked so your house was safe. How would you react? Would you thank him for his valuble service? Or call the police?


  • Posts: 3,620 ✭✭✭ [Deleted User]


    Nice Analogy.
    But what port is the door of the house??;)


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Originally posted by meatball
    You come home, there is a stranger poking around your door. You confront him, and he says he was only trying to make sure your door was locked so your house was safe. How would you react? Would you thank him for his valuble service? Or call the police?
    Don't you just love it when people try to compare these things to real world examples? :)

    You are leaving your home, a stranger comes up to you as you walk out of your garden. He tells you that he's noticed that you've left your front window wide open. How would you react? Would you thank him for his valuble service and close the window? Or tell him to piss off and not be so nosey?


  • Closed Accounts Posts: 90 ✭✭meatball


    Flawed. He didn't *notice* that these ports were open in the course of normal activity.


  • Advertisement
Advertisement