[OP here]

Just some minor follow up:

 - The tech was able to swap out their RG with the modem-only one that I had sent (after making a couple phone calls). It didn't seem like they could provision a user-supplied modem remotely for some reason, but it also sounded like maybe this wasn't something they normally do, if ever.

 - The outgoing RG was an Evolution Digital EVO3000GW. The screenshots that dropped were meant to show me attempting an admin password change, and it not letting me.

 - AFAIK, no WAN ports were open, but UPnP was on by default. I neglected to do a port scan on the WAN port before the equipment swap, but that probably would've been prudent.

 - Sorry for not being clear about this before, but I'm fairly remote (~5 hour drive), so my mom was acting as remote [somewhat arthritic] hands in all this.

 - Since I'm remote, I had previously sent a Raspberry Pi that is running both Pi-hole (to mitigate the possibility of her or her partner clicking on a malicious ad or pop-up that may compel them to inadvertently connect with a call center scammer again) and ZeroTier. I use ZT to log in to this device, which double NAT breaks, which is why I brought that up. Totally understandable that most average customers don't use this, and a double-NAT situation is probably fine for my mom's demographic. That said, to be sure, the much bigger issue is that they're provisioning CPE with an unchangeable "password."

 - I understand that this forum may not be quite the right fit for a post like this, and am looking for others that may be more appropriate. My hope is that this eventually gets to someone at Yondoo, or parent Mid-Atlantic Broadband (AS29914), since something like this probably falls outside of the wheelhouse of their tier 1 support, which was all we could get a hold of.

Thanks to everyone who's responded -- I value all of your input.

Cheers,
Todd

On Wed, Feb 8, 2023 at 5:09 PM Jason R. Rokeach via NANOG <nanog@nanog.org> wrote:
It’s been a while, but attacks that take advantage of this are (or at least in the past have been) real.

https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html

https://www.digitaltrends.com/web/javascript-malware-mobile/

I recall when this stuff first started to come out, leaning on RG vendors to fix their firmware to make their default passwords unpredictable based on information readily available on the LAN.
In this case we’re not even talking about taking action this sophisticated… It seems to me that, having a customer willing and ready to secure themselves, preventing them from doing so is wildly inappropriate.


On Wed, Feb 8, 2023 at 7:57 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
I agree, but if we start listing every massive security vulnerability that can be found on the intra-home LAN in consumer-grade routers and home electronics equipment, or things that people operate in their homes with the factory-default passwords, we'd be here all month in a thread with 300 emails.

I'm sure this ISP will realize what a silly thing they did if and when some sort of worm or trojan tries a set of default logins/passwords on whatever is the default gateway of the infected PC, and does something like rewrite the IPs entered for DNS servers to send people's web browsing to advertising for porn/casinos/scams, male anatomy enlargement services or something.

On Wed, Feb 8, 2023 at 3:28 PM William Herrin <bill@herrin.us> wrote:
On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
> I would hope that this router's admin "password" interface is only accessible from the LAN side.
> This is bad, yes, but not utterly catastrophic.

It means that any compromised device on the LAN can access the router
with whatever permissions the password grants. While there are
certainly worse security vulnerabilities, I'm reluctant to describe
this one as less than catastrophic. Where there's one grossly ignorant
security vulnerability there are usually hundreds.

Regards,
Bill Herrin


--
For hire. https://bill.herrin.us/resume/