trying to change Vodafone Gigabox admin password

Ricta

Hi,

has anyone succeeded in changing the admin password of a Vodafone Gigabox fibre router? I have gone through the motions filling in the required fields in the settings screen, it eventually tells me to check my email for a mail with a link to activate the new password, but I never get an email, I checked the spam folder.

Stone

Ricta wrote: »

Hi,

has anyone succeeded in changing the admin password of a Vodafone Gigabox fibre router? I have gone through the motions filling in the required fields in the settings screen, it eventually tells me to check my email for a mail with a link to activate the new password, but I never get an email, I checked the spam folder.

I have the same problem - would love to learn the solution :P

WilliamC

I dont know anyone who has successfully done this
I spent a bit of time on with support and still couldnt get it done - you have to enter an email address for verification before the password is applied - it is suppose to send a verification link to your email but it never does. This doesn't go to SPAM before anyone asks -



I suspect Vodafone will have massive problems in a year when they realize no one has been able to change their router password and that the default one is actually printed onto the box - meaning anyone who has seen or has access to the router could login to the router.

What was even a bit more worrying was that when onto support they originally thought i meant the WiFi password - they were able to tell me over the phone what my WiFi password was. Great to have WPA2 security when anyone in Vodafone can look at what your wifi password is.

Must say I am a bit untrusting of the Gigabox.

Has anyone else successfully changed their router admin password?
Is it normal that your ISP would have ure WiFI WPA password - even if you have changed from the default?

ED E

WilliamC wrote: »

I dont know anyone who has successfully done this
I spent a bit of time on with support and still couldnt get it done - you have to enter an email address for verification before the password is applied - it is suppose to send a verification link to your email but it never does. This doesn't go to SPAM before anyone asks -



I suspect Vodafone will have massive problems in a year when they realize no one has been able to change their router password and that the default one is actually printed onto the box - meaning anyone who has seen or has access to the router could login to the router.

What was even a bit more worrying was that when onto support they originally thought i meant the WiFi password - they were able to tell me over the phone what my WiFi password was. Great to have WPA2 security when anyone in Vodafone can look at what your wifi password is.

Must say I am a bit untrusting of the Gigabox.

Has anyone else successfully changed their router admin password?
Is it normal that your ISP would have ure WiFI WPA password - even if you have changed from the default?

It's called pinhole management. Standard for all ISPs except small guys who don't want to license the management node.

If you don't want ISP access BYOD.

WilliamC

ED E wrote: »

It's called pinhole management. Standard for all ISPs except small guys who don't want to license the management node.

If you don't want ISP access BYOD.

I don't mind ISP access - I would just hope they would be more careful with my security details - and also allow me some security on my side to help prevent unauthorised access by changing the defaults which is basic security 101 but I get you're point on Byod and you're probobly right

I have had eircom and sky in the past and both allowed me to change the router admin password with minimal effort - after 3 calls and 2 Web chats with Vodafone I still have the default and no one seems to know how to complete - the change password page seems to just not operate and I believe several other users all having the same issue
On the WiFi password part it's no big deal really for me whether ISP knows it or not - was just surprised at how easily they handed out the password to my wifi based on me calling in and providing my address -
I would hope they would be more careful with those details -

Anyway the main point of my reply was to see if anyone had successfully changed and what process they had followed

ED E

The admin password is only local anyways.


If you can't trust somebody who has LAN access you've already lost.

WilliamC

ED E wrote: »

The admin password is only local anyways.


If you can't trust somebody who has LAN access you've already lost.

Well that's the first time I have heard of someone recommending not changing a router default password because you should trust everyone on your lan. There are various scenarios where a trusted individual unintentionally provides an open door to the router to possibly a virus or other malware.

Eitherway it's not about trusting people on your lan or not - it's about basic security best practices. Unless something has changed in the last year or so I thought pretty much everyone recommended you change your default passwords on routers. Am I wrong is this now a pointless activity?

Regardless of whether we agree or not anyway - the point of this thread even though it has gone a bit off topic is just how to change the admin password on a Vodafone gigabox and if anyone has done successfully and what instructions they used as the provided option on the router portal seems to not work at least for me - but as there are others with the same problem I would suggest either there is a flaw or an undocumented requirement for it to work. If I am doing something wrong we'll that's partially why I am here looking for guidance.

If Vodafone advise there is no need for this that's fine also - like I say just looking for more information and guidance.

ED E

Changing it for the sake of changing it kinda pointless.

For example, if you buy a TP link of Amazon tomorrow the logins are:
admin
admin

You DEFINITELY want to change those. But with most ISP worth their salt now your router comes with a generated key (often the same as your WPA key) and changing it is only really for convenience.

So yes the advice is change it, if theres cause to.

WilliamC

ED E wrote: »

Changing it for the sake of changing it kinda pointless.

For example, if you buy a TP link of Amazon tomorrow the logins are:
admin
admin

You DEFINITELY want to change those. But with most ISP worth their salt now your router comes with a generated key (often the same as your WPA key) and changing it is only really for convenience.

So yes the advice is change it, if theres cause to.

Most of these ISPs also print that generated key on the router I agree that most people trust the people on their LAN as would I but still like to take the extra step of changing any password that is a default - maybe that's me most others might disagree but my question is not should I or shouldn't I - its if I want to how can I

So the main reason on here again is to see if anyone has successfully changed their Vodafone gigabox router password and if they did how they completed. Don't want to get into the shoulds or should nots as I think different people will have different ideas with no one right or wrong - it being personal preference of the end user.

cregmon

Hi @WilliamC,
Did you ever a resolution to this? I'm in the same position after switching from eir to Vfe and was surprised that we couldn't update the default (secret) admin password.

It raised a few questions that could in the wrong hands prove dangerous for Vfe customers.

1. Where is the cleartext copy of the admin password stored within Vodafone's organization?
2. Does the OEM manufacturer for these Gigaboxes also have similar copy of the password?
3. Is there a secure audit trail of who has accessed those password repositories?
4. What permission do Vodafone or other personnel need to access these passwords?
5. Is there a legitimate reason why end-users are prohibited from modifying the default admin password?
6. Has this process of withholding such information been checked for legal compliance in Ireland and the EU (Consumer protection, GDPR, etc.)?

This would only be an initial pass at querying the practice. I know it would be a big headache for Vfe to resolve it; either they would have to create a secure mechanism to retrieve and communicate the passwords to end-users or deliver new Gigaboxes to anyone who wants to update the admin account. An updated firmware would may also be needed.

Even if every router has a unique, machine-generated password, that's not good enough. The key problem is that the end-user doesn't know if that's the case and you can't simply rely on the good word of the ISP that everything is OK.

I know for the vast majority its not an issue but it seems a strange thing to do and hints at poor security understanding within the design team at Vodafone if they thought it wouldn't be an issue - that in itself creates a bigger concern!

I'll probably be raising it with the relevant authorities if the continued lockdown makes be any more bored.

WilliamC

It was never resolved - I gave up in the end - my contract is up in 2 months and I'll be changing then. Like I said at the time I don't mind the ISP having details but the User should be able to change this to help them secure their side - eitherway the portal web page for change doesn't work and after several calls and emails it still doesn't and I had cases that were closed when the issue wasn't resolved. On one occasion the technician on the phone called the password out to me (he had misunderstood what the issue was and thought I was locked out) which only made things worse - even though I understand he was trying to help.
From my own perspective reason I wanted to change is that I always change default passwords as per general security recommendations - particularly on any router - anyway bottom line - never resolved, cases were closed by Vodafone without any resolution. I made note to change when the contract is up. Contract is up shortly.

I had been with Sky previous to this and they didn't have this issue - so its likely ill be returning to them.

blastman

I've just encountered this issue after upgrading to Vodafone FTTH this week, I have to say this is a frankly appalling policy for an IT company to adopt (and I say this having worked for one of the world's largest IT security companies). As I've just changed I will keep the Gigabox for now, but I'll definitely be replacing it sooner rather than later because of this. Questioning now how private my VPN connection is if they can see down to the level of my wifi password..... :mad:

ED E

blastman wrote: »

I've just encountered this issue after upgrading to Vodafone FTTH this week, I have to say this is a frankly appalling policy for an IT company to adopt (and I say this having worked for one of the world's largest IT security companies). As I've just changed I will keep the Gigabox for now, but I'll definitely be replacing it sooner rather than later because of this. Questioning now how private my VPN connection is if they can see down to the level of my wifi password..... :mad:

This post is hilarious. Fantastic.

alec76

ED E wrote: »

This post is hilarious. Fantastic.

He could be an accountant or HR ,lawyer or anyone there, not everyone in IT software engineer.

Ricta

Ricta wrote: »

Hi,

has anyone succeeded in changing the admin password of a Vodafone Gigabox fibre router? I have gone through the motions filling in the required fields in the settings screen, it eventually tells me to check my email for a mail with a link to activate the new password, but I never get an email, I checked the spam folder.

I just tried it again for the hell of it, lo and behold, it now works!

I have sucessfully changed my admin password on my Vodafone Gigabox.

I have not tried rebooting it yet to check if the change is persistant.

necstandards

I've been messing around with the original password as it was too long and hard to remember. So i changed it and now have forgotten to what..
Is there someway it can be reset?

necstandards

Ricta wrote: »

I just tried it again for the hell of it, lo and behold, it now works!

I have sucessfully changed my admin password on my Vodafone Gigabox.

I have not tried rebooting it yet to check if the change is persistant.

Did you get an email when you changed the password??

Ricta

No, I never got any email.
When I was successful in changing the password, there was no pop-up at all about any email. The firmware version, when I could not change the password, was XS_3.4.14.11, since then, it has been automatically upgraded to XS_3.5.00.09. It seems to me that a f/w upgrade has allowed the changing of the admin password.

If you can't login because you don't know the admin password, then I think you will have to reset it to factory defaults.
This video shows how: https://youtu.be/1OAWbh2T-CE

necstandards

Ricta wrote: »

No, I never got any email.
When I was successful in changing the password, there was no pop-up at all about any email. The firmware version, when I could not change the password, was XS_3.4.14.11, since then, it has been automatically upgraded to XS_3.5.00.09. It seems to me that a f/w upgrade has allowed the changing of the admin password.

If you can't login because you don't know the admin password, then I think you will have to reset it to factory defaults.
This video shows how: https://youtu.be/1OAWbh2T-CE

Thanks for replying. So i've tried the hard reset 3 times and it hasn't reverted back to the original PW. They tell me there is nothing that can be done to rectify this...

Ricta

are there any ambiguous looking characters in the default password on the label that you might be mis-reading? Like maybe a 1 that you think is an l, for instance?
A straw to clutch!

necstandards

Ricta wrote: »

are there any ambiguous looking characters in the default password on the label that you might be mis-reading? Like maybe a 1 that you think is an l, for instance?
A straw to clutch!

Thanks for your help, unfortunately i cant get in to it

Davver

Apologies for reviving this thread, but just attempted to change Admin password because the Vodafone Login interface is automatically served to anyone who has seen my IP address (when I'm not using a VPN) and decides to visit.
So password has been changed, but can no longer log in with either the new password or the original one as printed on the underside of the router.

I'll press the reset button later this evening when things are a little less busy, and hopefully (fingers crossed) be able to log in with the original password, but was wondering if it's possible to serve a different page to anyone visiting the router who is not using the LAN address? Or, as I suspect will need to be done to get this to work, if they are on a LAN address, that it doesn't automatically resolve to login.html?
*Basically*: What kind of server software is this box running and is it possible to edit the configuration? (is there a version of httpd.conf somewhere that I can edit?)

(I tried to telnet to the full IP address and got the following response:
Escape character is '^]'.
head UNKNOWN 408 Request Timeout
Server:
Date: Fri, 26 Feb 2021 12:54:52 GMT
Cache-Control: no-cache,no-store,max-age=0
Prama: no-cache
X-Frame-Options: DENY
Expires: 0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
Content-Language: en
Content-Type: text/html
Connection: close
So the Server application is not listed here.)