Is your modem secure?

Last week i experienced some issues with my internet connection. After some troubleshooting i came to the conclusion the modem was the problem so i contacted my internet provider (ISP). They did some diagnostics on their end and reached the same conclusion. I set up an appointment for a technician to come by, test the line and replace my modem with a newer model that is ready for my upgrade to a higher speed package. Next day, the technician shows up. He replaced a splitter that didn’t need replacing and did far more line tests than were needed (he wanted to drag it out and have another tech take his next appointment so he could start his weekend early). Fine by me, this gave me a chance to dig for information about the equipment, network and procedures that he shouldn’t be telling me. It also gives me a chance to test and refine my social engineering skills. Finally he pulls a brand new modem out of his bag and starts connecting it. As he connects it he starts telling me about all the wonderful built-in features it has such as Wi-Fi, Wi-Fi hotspot so other ISP customers with mobile devices can connect and use a small portion of my bandwidth and a kick ass firewall. A panic starts to creep up on me…

“With all these features built-in, is there a gateway i can access to tweak all those features and disable them if i need to?” Yes sir, he answers, just go to http://10.0.0.1 in your browser and you’ll see it. So i did and i am presented with a login window. As he is still working on activating the line through his PDA i just tried the first logical name and password. Name: ‘admin’, password: ‘password’ and one second later i am staring at the modem’s configuration panel. I ask the technician, how many people ask for the name and password to access the configuration of this thing? “You are the first in months” he replies. And how many of these modems do you install? “Several a day, every day”. So none wants to configure this at all? “No, it comes with it’s best configuration out of the box so none ever runs in to any issues. If they do, they call the support line and they are provided with the password but from what i hear, hardly anyone ever calls. It just works!” he says with a smile while pointing at my Mac. By now i can feel my heart speeding up and my eyes getting bigger. You mean to tell me there are hundreds of people out there with this default configuration that never changed it? “Yup, why?” he asked.

I replied with “just curious” as i wasn’t going to drag out this appointment any longer. I showed him out and ran back to my computer to see exactly what i could or could not tweak in the modem’s configuration. Thank god, an option was available to change the master password, but no option to change the name. The default setting for the firewall is ‘Minimum Security (Lowest)’ which means that all outgoing traffic is allowed and only one incoming port is blocked. Which is like having no firewall at all. Testing out a few presets resulted in a mix between needed ports being closed and unneeded ports being wide open. This firewall is both a joke and a nightmare. Worst of all, i can’t disable it. I like to manage the firewall myself so i let my router do the heavy lifting and my Mac’s firewall (and Little Snitch) take care of the rest. On to the built-in Wi-Fi, a few settings can be changed but i can’t disable it. As my router is already configured, i want to use my router’s Wi-Fi, not the modem’s. As i can’t disable it i now have another device broadcasting and interfering with my router’s Wi-Fi. And a hotspot for other ISP customers? Hell no. The modem also handles NAT and hands out DHCP addresses, this can not be disabled either. The modems logs everything it does and every connection passing through it. I don’t want logs to be kept but i can’t disable it. Overall quite a nightmare.

While i can take care of this by calling my ISP and have them either tell me how to disable all the built-in features or sending me a different model modem that can do it, i am far more worried about all those customers that use this modem without knowing what a security nightmare it is. Some checking with friends that use different ISP’s and have fairly new modems confirmed that it is worse than i thought. A friend in New York had never checked his modem. After trying a few of the default IP addresses he found that the modem had a login page. ‘Admin’ and ‘Password’ got us in there. A friend in Texas was able to find his modem login page and login with ‘Admin’ and no password was needed! Friends in Florida, California, Canada, the UK, Netherlands, Germany and Ireland all found a way into their modem using default IP’s, names and passwords. Only a few of the friends i spoke with either had a modem that had no login page (no fancy features, just a basic modem), could not log in using any of the default names or passwords or needed names and passwords that were printed on a sticker on the back of the modem. This simple test means that thousands, if not hundreds of thousands of people around the world, are extremely vulnerable just by using their ISP provided modem. This may include your home or business network as well. Friendly tests done for research purposes like this one and this one can be used by persons with malicious intentions as well as was done here.

If you use a modem that provides your Wi-Fi and has other built-in capabilities, it is fair to assume it has a configuration page. Find out what this is by contacting your ISP or by checking System Preferences > Network. Highlight the connection you are using (Ethernet or Wi-Fi, whichever one shows the green ball) and look for the ‘Router’ IP address (Usually 10.0.x.x, 192.168.x.x, 172.16.x.x). Copy this IP address, open your browser and paste it into your browser, now hit enter. If a window opens showing you a configuration page or asks you for a name/password, then it is time to find out how secure your modem is. Try logging in with default and generic combinations like admin/admin, admin/password, admin/and leave password field blank, and perform an online search “default name and password for *enter modem brand, model here* to see if suggestions pop up. If your modem uses a default password, change it immediately. If any of the settings are not configured with security in mind, change them immediately, if you can’t set up the modem exactly how you want it (which is the case with my modem), contact your ISP and ask for a modem that can be properly secured.

Many ISP’s don’t care about the security of your home or business network, they just want you to plug in and be online with the least amount of configuration and support calls. This leaves you at risk. If you do find that your modem was not secured properly, contact your ISP and make them aware, maybe if enough people do it they will properly configure their modems in the future.

Comments are welcome.