Re: Yondoo provided router, has "password" as admin pw, won't let us change it

[Eric Kuhnke <eric.kuhnke () gmail com>]

I would hope that this router's admin "password" interface is only
accessible from the LAN side. It's not listening to the world for a login
with "password", right?  Have you port scanned its WAN interface and tried
connecting to it to see what's listening?

This is bad, yes, but not utterly catastrophic. Generally in a situation
where somebody has physical access to a home
Netgear/Linksys/TP-Link/whatever type router, they could physically push
the factory reset button and gain access to its admin interface to
reconfigure it however they wanted anyways.

I think there's a value for discussion in nanog about how to provision and
set up residential last mile services that work right, but this isn't
exactly a wider spread network operational issue unless you've discovered
thousands of CPEs that can be accessed by "password" from the outside
Internet.





On Tue, Feb 7, 2023 at 6:18 AM TACACS Macaque via NANOG <nanog () nanog org>
wrote:

> Hi,
>
> Long time lurker, first time poster. Sorry in advance if this is the wrong
> forum for something like this.
>
> My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer
> Premises Equipment) with a built-in router, without providing the ability
> to change the admin password from "password" on it.
>
> [image: Screenshot 2023-02-03 at 9.49.15 PM.png]
>
> ​[image: Screenshot 2023-02-03 at 9.51.51 PM.png]
>
> Their customer service rep said that this is not only WAI, but also wanted
> to charge her $50 to have a tech come out and change it. Which is obviously
> less than ideal.
>
> That aside, this seems like a pretty egregious security standard which,
> from my understanding, can have fairly dire security implications... e.g.,
> DNS server settings can be pointed at whatever someone wants here.
>
> My mom is elderly and had already fallen victim to a call center scammer a
> couple years ago. They briefly took control over her laptop before she
> called for backup. So I'm just a little concerned that we have no control
> over changing this router's admin password — from “password” — in a pinch,
> without waiting for a truck roll && shelling out $50.
>
> I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in
> hopes that they'll let us bring our own. She does have Google Wifi, but we
> can't even put their router into bridge mode. So she would be double NATed
> *and* have no control over changing the admin password on the first
> router.
>
> Anyone have any experience with Yondoo? I've tried reaching out to them on
> multiple fronts, but have yet to hear back from them on this. A tech is
> scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let
> us use our own modem and then take it from there.
>
> Thanks,
> Todd