Yes this is a huge security hole. Management networks should always be restricted to some extent and the fact that default passwords allow you into VoIP gateways provides an avenue for call fraud. At a very minimum the devices should restrict which addresses can talk to them (ie. management servers in the MSO) and passwords should be non-default.
If I were them or involved in the operation of their network I should start with an audit. Obviously I didn't change or tried to change anything, the few cases I tried to gain access to some randomly selected devices/locations were just to confirm that imho there is a big exposure here. For example, I found devices such as an integrated modem and wireless router where if I wanted I would have been able to enable WiFi guest access or change the existing WiFi configuration such as SSID, keys, etc. Some modems don't seem to provide access via port 80, I didn't scan for any other potential ports or back doors (such as SNMP ports,etc), they simple show the message "Access to this web page is currently unavailable.". The most popular/used device, just for the number of times I've got the same interface for the few (less than a 100) IP I tried seems to be the Ambit modem, the main page shows sort of general modem information, something like: Cable Modem Information Cable Modem : DOCSIS 1.0/1.1/2.0 Compliant MAC Address : 00:1F:XX:XX:XX:XX Serial Number : REMOVED Boot Code Version : 2.1.6d Software Version : 2.105.1008 Hardware Version : 1.20 CA Key : Installed Gaining access to the modem is quite simple, on the left there is a frame that has a Login link and says "Factory default username/password is"user" ", which actually worked on all the ones I found and tried, on the right hand corner there are two links one that says Modem and other that says Tools, if I click on Tools I see at least two options, one that takes me to a form page to change the password, and the other one to change the Frequency Scanning Plan. Again I didn't try to change anything to confirm that it is actually possible but I've the hunch that it is possible. Another case could be integrated modem/router with VoIP features such as Motorola's SurfBoard, the standard management interface without even login in to the thing provides plenty of information, don't know how useful but, there is a link that says "Advanced" which requires you to enter a password, don't waste much of your brain, the password is simply "motorola", with that you get access to more information including MGCP Logs, I didn't analyze the logs in detail but it didn't take much effort to find out that a guy was being called by a collection department of Wells Fargo Bank from an Oregon (503) number. In another case I saw a log entry that could be interpreted as a dialed out number. In summary, I don't believe that any customer should have access to any other customer device in such a way that you can alter the provisioning of a service or snoop and see how the service is being used, this raises not only security but privacy concerns. I didn't use any scripts or tried any heavy tools or hacking, mine is a very minuscule sample of what seems to be a widespread bad practice or mismanaged network configuration. Ryan thanks for your message, I checked and saw that you work for TWC in the Albany area, but no offense, I've no problems to share more details and cooperate, only if being contacted by a "grownup" honcho in charge of networking/security. I promise, I won't break anything ... Cheers Jorge