Optus cable routers let anyone change passwords, says tech
But shoddy defaults still set username to 'admin,' password to 'password'
University of Sydney tech Paul Szabo says Netgear routers provided by Australian telco Optus contain a vulnerability that allows attackers to change admin passwords without knowing the existing credentials.
The bug in the CG3000v2 cable modem means attackers could enter anything into the current password field to change the code to one of their choice. Details of the flaw have been published online.
Optus has asked Netgear to look into the security of the currently-sold routers.
"Optus takes security concerns seriously and we are investigating further," a spokesperson said.
"We have contacted the vendor to ask for a review to ensure the firmware is operating securely."
Szabo told Vulture South that attackers could best exploit the flaw using a cross-site request forgery (CSRF) phishing link that, when clicked by users, could change the password to one set by attackers.
"The fault is that the admin password can be changed on the web interface without providing the current password," Szabo says.
"The page http://192.168.0.1/SetPassword.asp prompts for old and new password (and repeat of new), but in fact ignores the old password provided, and changes the password to the new one, regardless. This issue could be exploited via CSRF to change the password while the user happens to be logged in."
Szabo says he informed both Netgear and Optus but did not hear back.
The vulnerability could be considered excessive; most users would not bother to change passwords from the default of username 'admin' and password of 'password.' Indeed the basic manual [PDF] does not tell users to change their login credentials.
Hacked routers are used in various attacks including distributed denial of service attacks or booter services. ®