Danger of default router password

Question

How bad is it to not change the default home router password? Are there any concrete dangers?

Are there any attacks directly resulting out of the use of default passwords, not vulnerabilities in the firmware?[*]

You can assume that anyone legitimately connected to the router is allowed to access and change it's configuration [**].

_{[*] I found this vulnerability, but it seems to be a vulnerability in the router firmware (which could be prevented using anti-csrf tokens), not a direct result of using a default password.}

_{[**] So I'm not worried about other residents or visitors that are allowed access to the network.}

Answer 1

The wireless router is the gateway to your entire home network, from a wireless baby monitor, to the secure computers you do your banking on. Controlling this gateway gives an attacker access to the devices inside the network and to data that passes through it.

It's no surprise that home routers are a new frontier for the criminal underground and default passwords is one of the main vectors of attack. In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil. In March 2014 Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. In September 2014, again there was a large scale attack on Brazilian routers.

Most of these attacks involved two vulnerabilities, a CSRF (Cross-Site Request Forgery) that is present in many brands of routers and default passwords. This means that visiting a malicious website will force your web browser to log into your home router and make configurations changes. This article describes a similar attack and its severe consequences.

It all started in 2007 when this attack was published. The main condition for the attack to be successful was that the attacker to guess the router password, because back then, even Cisco had 77 routers vulnerable to CSRF.

And the problem of default passwords is still real in 2014:

Tripwire spoke to 653 IT and security professionals, and 1009 remote workers in the US and UK – with alarming results. Thirty percent of IT professionals and 46% of workers polled do not even change the default password on their wireless routers. Even more (55% and 85%, respectively) do not change the default IP address on their routers (making cross-site request forgery – CSRF – attacks much easier). (Source)

The dangers of having the internet facing admin panel with default passwords should obvious. But an open network with the admin panel open to the local network is vulnerable to local attacks. Wardriving with good antennas can cover large areas and spot many vulnerable routers.

Once it has access, an attacker can change DNS settings and intercept data for serving malware, ads or phishing. Or it can open up the internal network and attack some old unpatched Android phones, and maybe hope that one of those devices will travel and be an entry point to a different, higher value network.

Also, routers most likely store credentials for connecting to the ISP, which can be reused or abused by the attacker. I've heard of wireless routers that had one open network for guests and one password protected network. Connecting to the open network and accessing the admin panel with default credentials allowed access to the router configuration file that had the WPA key for the password protected network.

While some users are ignorant about security, there are router manufacturers that aren't ignorant about their users' security and provide unique admin passwords for each router. Most passwords are printed on the permanent sticker along the other details such as model and MAC address. This is not as secure as my recently purchased router, which had the password printed on a card and which required changing it on first use.

As Malavos mentioned in the comments, there are ISPs that lease routers with default password and even some that forbid changing those defaults passwords. I'm adding that some ISPs will change the default passwords and use it to configure the router remotely, but they will set the same password for all their clients' routers. This is problematic because that password can be recovered through hardware hacking so every router with that password can be compromised, even remotely.

Main rules for protecting wireless routers:

• Update router firmware
• Turn off unneeded services
• Set strong admin passwords

Answer 2

For direct dangers, you have the possibility of the control panel being exposed to the internet (I've only seen routers that either didn't have this ability or had it set to off by default, but it is within the realm of possibility for it to be on by default or accidentally set as such by a user who wasn't aware of the implications). Also an infected computer on the network could allow someone on the outside to gain control of the router.

That said, we should not judge one layer of defense assuming the previous ones haven't failed. A correctly built router that doesn't expose its control panel to the internet and that only has clean legitimate computers that always have legitimate users may mean there isn't a danger (that I know of) in leaving the password set to the default value. Ask yourself, how likely is that situation to be true and to remain true for the lifetime of your network? The concrete danger is that some other layer of defense will eventually fall, so you want this other layer up to better protect yourself.

Answer 3

"You can assume that anyone legitimately connected to the router is allowed to access and change its configuration."

You can't determine if someone is legitimately connected if the default password is something like "password", though.

We come now to a question of terminology. If your password is set on install to some random sequence by (for example) an ISP contractor, it's much safer than if it was some default value like "password".