Yondoo provided router, has "password" as admin pw, won't let us change it
Hi,

Long time lurker, first time poster. Sorry in advance if this is the wrong forum for something like this.

My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer Premises Equipment) with a built-in router, without providing the ability to change the admin password from "password" on it.

[image: Screenshot 2023-02-03 at 9.49.15 PM.png]
[image: Screenshot 2023-02-03 at 9.51.51 PM.png]

Their customer service rep said that this is not only WAI, but also wanted to charge her $50 to have a tech come out and change it. Which is obviously less than ideal.

That aside, this seems like a pretty egregious security standard which, from my understanding, can have fairly dire security implications... e.g., DNS server settings can be pointed at whatever someone wants here.

My mom is elderly and had already fallen victim to a call center scammer a couple years ago. They briefly took control over her laptop before she called for backup. So I'm just a little concerned that we have no control over changing this router's admin password — from "password" — in a pinch, without waiting for a truck roll && shelling out $50.

I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in hopes that they'll let us bring our own. She does have Google Wifi, but we can't even put their router into bridge mode. So she would be double NATed *and* have no control over changing the admin password on the first router.

Anyone have any experience with Yondoo? I've tried reaching out to them on multiple fronts, but have yet to hear back from them on this. A tech is scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let us use our own modem and then take it from there.

Thanks,
Todd
What's the problem with double NAT? I can't imagine an elderly mom trying to host Xbox games - which is 95% of the problem with double NAT these days (the other 5% being Ubiquiti bros having to access their Unifi router from anywhere).

Your screenshots didn't come through, I suspect they're stripped by the mailing list, but there's no model number specified anywhere.

NANOG really isn't the best place for this, but I don't know where else you would be able to go besides what you've already done: Yondoo support.

On Tue, Feb 7, 2023 at 9:17 AM TACACS Macaque via NANOG <nanog@nanog.org> wrote:
The first router would still be vulnerable, and through it the second router.

On 8 February 2023 16:06:07 UTC, Josh Luthman <josh@imaginenetworksllc.com> wrote:
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
I would hope that this router's admin "password" interface is only accessible from the LAN side. It's not listening to the world for a login with "password", right? Have you port scanned its WAN interface and tried connecting to it to see what's listening?

This is bad, yes, but not utterly catastrophic. Generally in a situation where somebody has physical access to a home Netgear/Linksys/TP-Link/whatever type router, they could physically push the factory reset button and gain access to its admin interface to reconfigure it however they wanted anyway.

I think there's value in a discussion on nanog about how to provision and set up residential last mile services that work right, but this isn't exactly a more widespread network operational issue unless you've discovered thousands of CPEs that can be accessed by "password" from the outside Internet.

On Tue, Feb 7, 2023 at 6:18 AM TACACS Macaque via NANOG <nanog@nanog.org> wrote:
On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
I would hope that this router's admin "password" interface is only accessible from the LAN side. This is bad, yes, but not utterly catastrophic.
It means that any compromised device on the LAN can access the router with whatever permissions the password grants. While there are certainly worse security vulnerabilities, I'm reluctant to describe this one as less than catastrophic. Where there's one grossly ignorant security vulnerability there are usually hundreds.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
I agree, but if we start listing every massive security vulnerability that can be found on the intra-home LAN in consumer-grade routers and home electronics equipment, or things that people operate in their homes with the factory-default passwords, we'd be here all month in a thread with 300 emails.

I'm sure this ISP will realize what a silly thing they did if and when some sort of worm or trojan tries a set of default logins/passwords on whatever is the default gateway of the infected PC, and does something like rewrite the IPs entered for DNS servers to send peoples' web browsing to advertising for porn/casinos/scams, male anatomy enlargement services or something.

On Wed, Feb 8, 2023 at 3:28 PM William Herrin <bill@herrin.us> wrote:
[OP here]

Just some minor follow up:

- The tech was able to swap out their RG with the modem-only one that I had sent (after making a couple phone calls). It didn't seem like they could provision a user-supplied modem remotely for some reason, but it also sounded like maybe this wasn't something they normally do, if ever.
- The outgoing RG was an Evolution Digital EVO3000GW. The screenshots that dropped were meant to show me attempting an admin password change, and it not letting me.
- AFAIK, no WAN ports were open, but UPnP was on by default. I neglected to do a port scan on the WAN port before the equipment swap, but that probably would've been prudent.
- Sorry for not being clear about this before, but I'm fairly remote (~5 hour drive), so my mom was acting as remote [somewhat arthritic] hands in all this.
- Since I'm remote, I had previously sent a raspberry pi that is running both pi-hole (to mitigate the possibility of her or her partner clicking on a malicious ad or pop-up that may compel them to inadvertently connect with a call center scammer again) and ZeroTier. I use ZT to log in to this device, which double NAT breaks, which is why I brought that up. Totally understandable that most average customers don't use this, and a double-NAT situation is probably fine for my mom's demographic. That said, to be sure, the much bigger issue is that they're provisioning CPE with an unchangeable "password."
- I understand that this forum may not be quite the right fit for a post like this, and am looking for others that may be more appropriate. My hope is that this eventually gets to someone at Yondoo, or parent Mid-Atlantic Broadband (AS29914), since something like this probably falls outside of the wheelhouse of their tier 1 support, which was all we could get a hold of.

Thanks to everyone who's responded -- I value all of your input.

Cheers,
Todd

On Wed, Feb 8, 2023 at 5:09 PM Jason R. Rokeach via NANOG <nanog@nanog.org> wrote:
It’s been a while, but attacks that take advantage of this are (or at least in the past have been) real.
https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html
https://www.digitaltrends.com/web/javascript-malware-mobile/
I recall when this stuff first started to come out, leaning on RG vendors to fix their firmware to make their default passwords unpredictable based on information readily available on the LAN. In this case we’re not even talking about taking action this sophisticated… It seems to me that, having a customer willing and ready to secure themselves, preventing them from doing so is wildly inappropriate.
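Jason's point about pushing RG vendors to make default passwords "unpredictable based on information readily available on the LAN" is worth making concrete, because a password that is unique per unit can still be worthless if it is a pure function of something every LAN client can see. The following is an added example, constructed for this thread and not any vendor's real provisioning scheme: four ways a gateway can acquire its default admin password, scored by whether an attacker with nothing but LAN access can reconstruct it. The MAC, SSID, model string and serial are invented sample values, and the attacker is assumed (per Kerckhoffs) to have the firmware and therefore know every derivation.

```python
"""Default admin password schemes ranked by LAN-only recoverability.
Added example with constructed values; not any vendor's scheme."""
import hashlib
import hmac
import secrets
import string

# What any LAN client learns for free: the gateway MAC (ARP), the SSID (beacons)
# and usually the model name (login page banner). Constructed sample values.
LAN_VISIBLE = {"mac": "00:11:22:33:44:55", "ssid": "Yondoo-4455", "model": "EVO3000GW"}


def scheme_fixed(_info: dict) -> str:
    # The thread's case: the same string on every unit, printed in the manual.
    return "password"


def scheme_mac_derived(info: dict) -> str:
    # "Unique per device", but a pure function of the MAC the attacker already has.
    return hashlib.sha256(info["mac"].encode()).hexdigest()[:8]


FACTORY_KEY = secrets.token_bytes(32)   # exists only in the factory provisioning system


def scheme_keyed(serial: str) -> str:
    # HMAC of the serial under a key that never ships in firmware. The label carries
    # the value; the unit stores only a salted hash of it (see provision()).
    return hmac.new(FACTORY_KEY, serial.encode(), "sha256").hexdigest()[:12]


def scheme_random() -> str:
    # Independent random string printed on the label; nothing to derive at all.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(12))


def attacker_candidates(lan_info: dict) -> set:
    """Everything a LAN-only attacker can compute: known derivations over public data.
    The keyed and random schemes have no LAN-visible input, so nothing to try."""
    return {scheme_fixed(lan_info), scheme_mac_derived(lan_info)}


def recoverable_from_lan(true_password: str, lan_info: dict) -> bool:
    return true_password in attacker_candidates(lan_info)


def provision(serial: str):
    """Factory step for the keyed scheme: derive the label password and store only a
    salted PBKDF2 hash on the unit, so dumping its flash does not reveal it either."""
    password = scheme_keyed(serial)
    salt = secrets.token_bytes(16)
    stored = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return password, stored


def device_login(stored, candidate: str) -> bool:
    """What the gateway runs at login: constant-time compare against the stored hash."""
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(probe, digest)


def report(serial: str = "EV3K-000123") -> dict:
    """Per scheme: can a LAN-only attacker recover the default password? (constructed serial)"""
    return {
        "fixed": recoverable_from_lan(scheme_fixed(LAN_VISIBLE), LAN_VISIBLE),
        "mac_derived": recoverable_from_lan(scheme_mac_derived(LAN_VISIBLE), LAN_VISIBLE),
        "keyed": recoverable_from_lan(scheme_keyed(serial), LAN_VISIBLE),
        "random": recoverable_from_lan(scheme_random(), LAN_VISIBLE),
    }


if __name__ == "__main__":
    print(report())
```

`report()` comes back `{"fixed": True, "mac_derived": True, "keyed": False, "random": False}`. The first two fail for the same reason: the secret is a function of inputs the attacker has. The keyed scheme only holds as long as `FACTORY_KEY` stays off the device, which is why `provision()` writes a hash rather than the password to the unit; a random label password avoids even that dependency and is what most vendors ended up shipping. None of this helps if, as in the OP's case, the owner cannot replace the default at all.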
I am also a big fan of installing cake (sqm-scripts) in front of cable devices.

On Thu, Feb 9, 2023 at 5:59 AM Todd Stiers <todd.stiers@gmail.com> wrote:
--
This song goes out to all the folk that thought Stadia would work: https://www.linkedin.com/posts/dtaht_the-mushroom-song-activity-698136666560...
Dave Täht CEO, TekLibre, LLC
participants (8)
- Collider
- Dave Taht
- Eric Kuhnke
- jason@rokeach.net
- Josh Luthman
- Todd Stiers
- typhoon.notice_0a@icloud.com
- William Herrin