I would hope that this router's admin "password" interface is only accessible from the LAN side. It's not listening to the world for a login with "password", right? Have you port scanned its WAN interface and tried connecting to it to see what's listening? This is bad, yes, but not utterly catastrophic. Generally in a situation where somebody has physical access to a home Netgear/Linksys/TP-Link/whatever type router, they could physically push the factory reset button and gain access to its admin interface to reconfigure it however they wanted anyways. I think there's a value for discussion in nanog about how to provision and set up residential last mile services that work right, but this isn't exactly a wider spread network operational issue unless you've discovered thousands of CPEs that can be accessed by "password" from the outside Internet. On Tue, Feb 7, 2023 at 6:18 AM TACACS Macaque via NANOG <nanog@nanog.org> wrote:
Hi,
Long time lurker, first time poster. Sorry in advance if this is the wrong forum for something like this.
My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer Premises Equipment) with a built-in router, without providing the ability to change the admin password from "password" on it.
[image: Screenshot 2023-02-03 at 9.49.15 PM.png]
[image: Screenshot 2023-02-03 at 9.51.51 PM.png]
Their customer service rep said that this is not only WAI, but also wanted to charge her $50 to have a tech come out and change it. Which is obviously less than ideal.
That aside, this seems like a pretty egregious security standard which, from my understanding, can have fairly dire security implications... e.g., DNS server settings can be pointed at whatever someone wants here.
My mom is elderly and had already fallen victim to a call center scammer a couple years ago. They briefly took control over her laptop before she called for backup. So I'm just a little concerned that we have no control over changing this router's admin password — from “password” — in a pinch, without waiting for a truck roll && shelling out $50.
I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in hopes that they'll let us bring our own. She does have Google Wifi, but we can't even put their router into bridge mode. So she would be double NATed *and* have no control over changing the admin password on the first router.
Anyone have any experience with Yondoo? I've tried reaching out to them on multiple fronts, but have yet to hear back from them on this. A tech is scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let us use our own modem and then take it from there.
Thanks, Todd