31

How bad is it to not change the default home router password? Are there any concrete dangers?

Are there any attacks resulting directly from the use of default passwords, not from vulnerabilities in the firmware?[*]

You can assume that anyone legitimately connected to the router is allowed to access and change its configuration [**].

[*] I found this vulnerability, but it seems to be a vulnerability in the router firmware (which could be prevented using anti-csrf tokens), not a direct result of using a default password.

[**] So I'm not worried about other residents or visitors that are allowed access to the network.

tim

  • The danger is increased in today's routers many of which come with predictable default passwords, rather than random ones. A TP-LINK router I purchased had a default password made up of the last 10 characters of the MAC address. And to make matters worse, the default SSID consists of the last 6 characters of the MAC address, like a convenient hint and a clear invitation to hackers. – ADTC Jan 01 '15 at 09:02
  • When we first moved into our new apartment, our wifi was not yet set up. Consequently, I used a neighbor's open network in the interim. A day later I was trying to do something that required a specific port to be opened, so I attempted to login to the router with the default credentials and open it up... and the login info worked. Don't worry, I never ended up doing anything. I was mostly surprised I got as far as I did. **That being said**, it can be pretty dangerous. – Charlie Jan 02 '15 at 00:04
  • I was looking for that answer @ADTC. In addition to ADTC's comment: with some BigPond routers you can also predict the entire default password just by using the SSID. – Tim Jonas Jan 04 '15 at 05:12
  • Is it even a good idea to not worry about other residents or visitors? What about when your l33t nephew comes and visits and decides to change the password on the router? – JonnyWizz Oct 30 '15 at 13:33

3 Answers

36

The wireless router is the gateway to your entire home network, from a wireless baby monitor, to the secure computers you do your banking on. Controlling this gateway gives an attacker access to the devices inside the network and to data that passes through it.

It's no surprise that home routers are a new frontier for the criminal underground and default passwords is one of the main vectors of attack. In 2011 and 2012 attackers exploited a vulnerability to change the DNS settings of more than 4.5 million DSL modems in Brazil. In March 2014 Team Cymru reported that over 300,000 home routers had been compromised and had their DNS settings changed in a global attack campaign. In September 2014, again there was a large scale attack on Brazilian routers.

Most of these attacks involved two vulnerabilities: a CSRF (Cross-Site Request Forgery) that is present in many brands of routers, and default passwords. This means that visiting a malicious website will force your web browser to log into your home router and make configuration changes. This article describes a similar attack and its severe consequences.

It all started in 2007 when this attack was published. The main condition for the attack to be successful was that the attacker guess the router password, because back then, even Cisco had 77 routers vulnerable to CSRF.

And the problem of default passwords is still real in 2014:

Tripwire spoke to 653 IT and security professionals, and 1009 remote workers in the US and UK – with alarming results. Thirty percent of IT professionals and 46% of workers polled do not even change the default password on their wireless routers. Even more (55% and 85%, respectively) do not change the default IP address on their routers (making cross-site request forgery – CSRF – attacks much easier). (Source)

The dangers of having the internet-facing admin panel with default passwords should be obvious. But an open network with the admin panel open to the local network is vulnerable to local attacks. Wardriving with good antennas can cover large areas and spot many vulnerable routers.

Once it has access, an attacker can change DNS settings and intercept data for serving malware, ads or phishing. Or it can open up the internal network and attack some old unpatched Android phones, and maybe hope that one of those devices will travel and be an entry point to a different, higher value network.

Also, routers most likely store credentials for connecting to the ISP, which can be reused or abused by the attacker. I've heard of wireless routers that had one open network for guests and one password protected network. Connecting to the open network and accessing the admin panel with default credentials allowed access to the router configuration file that had the WPA key for the password protected network.

While some users are ignorant about security, there are router manufacturers that aren't ignorant about their users' security and provide unique admin passwords for each router. Most passwords are printed on the permanent sticker along with the other details such as model and MAC address. This is not as secure as my recently purchased router, which had the password printed on a card and which required changing it on first use.

As Malavos mentioned in the comments, there are ISPs that lease routers with default passwords and even some that forbid changing those default passwords. I'm adding that some ISPs will change the default passwords and use them to configure the router remotely, but they will set the same password for all their clients' routers. This is problematic because that password can be recovered through hardware hacking, so every router with that password can be compromised, even remotely.

Main rules for protecting wireless routers:

  • Update router firmware
  • Turn off unneeded services
  • Set strong admin passwords

Cristian Dobre

  • Also if there is the default password set, a CSRF attack on the change password page may succeed because the old password is often used as the CSRF token. – SilverlightFox Dec 30 '14 at 18:13
  • I want to add that most Brazilian internet providers do not provide a good router when you hire the service. Some of them are really old D-Links and such. Some companies even forbid you from changing the default password. Also, most of the population still doesn't care much for information security, and is not informed on the dangers at all. Internet providers like GVT and Net even have the courage to sell other products, which are supposed to improve your network security. Source: Born here, live here. – Malavos Dec 30 '14 at 19:22
  • Also (this deserves another comment) there are apps like Mandic Magic, in which users post wifi passwords. It's a common habit of employees of these companies to share these default passwords on such applications. Just logged now to Mandic Magic, and there are more than 100 passwords in my 900m radius. Many of them are from even private offices. You could get a lot of data with an app, using it in 2 minutes, because someone didn't change their default password. – Malavos Dec 30 '14 at 19:27
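The combination this answer and SilverlightFox's comment describe (a published default admin password, and a CSRF "token" that is just that password) modelled as a toy admin panel, beside the two fixes: changing the password, or issuing a random per-session token. This is an added example, not code from the answer or from any router firmware; the `RouterAdmin` class, the factory default `admin` and the addresses are constructed.

```python
import hmac
import secrets

FACTORY_DEFAULT = "admin"      # constructed stand-in for a factory default admin password
ROGUE_DNS = "198.51.100.1"     # documentation-range address standing in for a hijacked resolver


class RouterAdmin:
    """Toy model of a router admin panel: a login and one form that changes the DNS setting."""

    def __init__(self, admin_password, random_csrf_token):
        self.admin_password = admin_password
        self.random_csrf_token = random_csrf_token
        self.dns = "192.0.2.53"    # the owner's legitimate resolver (constructed value)
        self.sessions = {}         # session id -> CSRF token embedded in that session's forms

    def login(self, password):
        """Returns a session id on success, None otherwise."""
        if not hmac.compare_digest(password, self.admin_password):
            return None
        sid = secrets.token_hex(16)
        # Weak design from the comment above: the token is the admin password itself,
        # so whoever knows the (default) password also knows the token.
        self.sessions[sid] = secrets.token_hex(16) if self.random_csrf_token else self.admin_password
        return sid

    def form_token(self, sid):
        """Token the legitimate settings page embeds; another origin cannot read it."""
        return self.sessions[sid]

    def set_dns(self, sid, token, new_dns):
        """State-changing endpoint; the browser attaches the session cookie (sid) on its own."""
        expected = self.sessions.get(sid)
        if expected is None or not hmac.compare_digest(token, expected):
            return False
        self.dns = new_dns
        return True


def cross_site_post(router, sid):
    """A page on another origin rides the owner's logged-in session but cannot read the
    router's pages, so the only token it can supply is the published factory default."""
    return router.set_dns(sid, FACTORY_DEFAULT, ROGUE_DNS)


def outcomes():
    """Forged request under: default + password-as-token, changed password, random token."""
    results = []
    for password, random_token in [(FACTORY_DEFAULT, False), ("changed-passphrase-9f3", False), (FACTORY_DEFAULT, True)]:
        router = RouterAdmin(password, random_token)
        sid = router.login(password)      # the owner is logged in from another browser tab
        results.append(cross_site_post(router, sid))
    return results                        # [True, False, False]
```

Only the first configuration lets the forged request change the resolver; either fix on its own blocks it, which is why the answer treats the default password and the CSRF weakness as two halves of one problem.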
7

For direct dangers, you have the possibility of the control panel being exposed to the internet (I've only seen routers that either didn't have this ability or had it set to off by default, but it is within the realm of possibility for it to be on by default or accidentally set as such by a user who wasn't aware of the implications). Also an infected computer on the network could allow someone on the outside to gain control of the router.

That said, we should not judge one layer of defense assuming the previous ones haven't failed. A correctly built router that doesn't expose its control panel to the internet and that only has clean legitimate computers that always have legitimate users may mean there isn't a danger (that I know of) in leaving the password set to the default value. Ask yourself, how likely is that situation to be true and to remain true for the lifetime of your network? The concrete danger is that some other layer of defense will eventually fall, so you want this other layer up to better protect yourself.

Lawtonfogle

  • IMHO, the right default security model for many things should be that physical access equates to legitimate authority. If a router were by default configured so that administrative access would require either that one pushed a button on the router or had a cookie supplied by a recent connection where the button was pushed, then the existence of a default password really wouldn't be a problem. – supercat Jan 01 '15 at 18:13
0

"You can assume that anyone legitimately connected to the router is allowed to access and change its configuration."

You can't determine if someone is legitimately connected if the default password is something like "password", though.

We come now to a question of terminology. If your password is set on install to some random sequence by (for example) an ISP contractor, it's much safer than if it was some default value like "password".

Agamemnus

  • "You can't determine if someone is legitimately connected if the default password is something like "password", though." - the assumption underlying the statement you quoted is that if someone has the WPA key then they have legitimate access. – user253751 Dec 31 '14 at 04:42
  • I don't think so. If someone guesses "password", but the owner of the network didn't know them and didn't want them there, it's not really "legitimate" in common usage of the word. – Agamemnus Dec 31 '14 at 05:41
  • If someone is even able to reach the login screen, then in the most common default setup, they must have the WPA key. How did they get the WPA key? The network owner told them it. – user253751 Dec 31 '14 at 06:14
  • @immibis or the WPA key was also left at the default value, or disabled... – Scott Odle Dec 31 '14 at 23:02
  • @ScottOdle All the home routers I've seen (which isn't very many) had random WPA keys by default. – user253751 Jan 01 '15 at 01:14
  • I've come across many issued by Cox and CenturyLink in the Phoenix area, with WEP/WPA _and_ the admin password disabled by default. – Scott Odle Jan 01 '15 at 01:55