[besson3c]

This story is somewhat interesting to me:

Slashdot Technology Story | Verizon Changing Users Router Passwords

We all know that many people don't bother securing their home Wifi networks, but what about those that do that just leave their password set to the default? How hard would it be for somebody to figure out the router IP, get a listing of common routers that assign this IP and their associated user/passwords, and compromise a network?

If the blowback of a network compromise affects an ISP and costs them money, are they within their right to change your router password for you?

I'm sort of playing devil's advocate here, I don't really (yet) have a strong opinion one way or the other. Your thoughts?

[subego]

How would it cost them money? Aren't you responsible for dodgy stuff that originates from your network?

Honest question. I'm by no means sure of this. I imagine it's complicated.

[reader50]

From the linked story, Verizon supplied the router, but the user now owns it. And had set it to allow admin access only from the LAN side. Verizon got in by using a port backdoor they'd left themselves.

Apparently, they defined some TOS terms to cover such intrusions. But they shouldn't have such a right with customer-owned property. So my opinion: Verizon committed computer intrusion, and possibly broke the law. I'd turn off their port, or replace the router firmware if they've blocked turning off their access. Or supply a new router if they've locked the firmware too.

[bstone]

I only use DD-WRT firmware and ultra insane secure methods. I doubt if Verizon can get it to it. Also, I don't use Verizon, so if they did then I'd have a big issue.

[besson3c]

Originally Posted by subego 

How would it cost them money? Aren't you responsible for dodgy stuff that originates from your network?

Honest question. I'm by no means sure of this. I imagine it's complicated.

It depends. I think the major ISPs such as Comcast probably can afford to be lax on account of being so big... In a corporate environment having routers and creating "rogue" networks is probably forbidden more often than not, in part because of the massive liability and risk of compromise. I somehow suspect that as far as Comcast goes, they are less at risk.

Still, AFAIK whenever there is a police, DHS, FBI, etc. warrant or something a company like Comcast would have to comply. The resources that would be necessary to respond to this sort of thing cost money, so it is probably in their best interest to have sane security policies at least to some extent.

Moreover, in the event of a compromise to a Comcast network, for instance, chances are the exploited machines are going to be chewing up a lot of resources, including bandwidth, possibly opening a lot of connections to the ISPs mail servers, and in turn costing them in support calls from users trying to clean up their machines/networks, and costing them in having to have a NOC (network operations center) to respond and disable these accounts or take whatever action is necessary to stop the bleeding.

[subego]

Okay, I see what you're saying. Though a good deal of this strikes me as sunk cost (you're going to need a NOC anyway, for instance), I don't think it's unreasonable for an ISP to take steps to minimize this.

OTOH, it sounds like the person here did due diligence by disabling the WAN access. In fact, seeing as how the ISP sold them the router, they did the ISP a favor. If the ISP is going to claim interest in security there is no excuse for handing over a router with WAN access enabled.

Passwords on routers which (theoretically) need physical access to the network to compromise don't strike me as something an ISP should be worrying about. It's not like I don't have a paperclip.

[besson3c]

Yes, but people compromising networks because of lacking passwords can be a liability, therein lies the rub. I don't know if ISPs should be worrying about these passwords more than anything else, but if it's easy for them to reset a password in particular when they suspect that a network is compromised, should they? Or, should they just disable this person's account?

If they do that, are they putting themselves at risk in losing the customer or maybe even being sued? If you are a small business owner and your ISP disables your account because they expect a compromise, you can prove that there was none and that you lost $x in business, do you have a grounds to sue? I don't know the answer to that...

[subego]

There may be some finer points I'm missing here, but the only routers they'd be able to backdoor would be routers they provided. The routers they provide should have WAN acces disabled by default. This minimizes their exposure to the junky password problem about as far as an ISP has the means to do so.

[Person Man]

Here's how I feel about it.

If the router is provided by the ISP and the customer leases it or rents it from them (i.e. the ISP owns the router), then the ISP has every right to go in and change the password.

However, if the router is owned by the customer, even if the ISP provided it (i.e. the customer bought it from them), then the ISP has NO RIGHT to change ANY setting on the router because it is not theirs, no matter what. Now, this does not preclude them from saying, "We noticed that your router has a password that is not very secure. We suggest you change it." But if the customer chooses not to change it, that's their prerogative because the router belongs to them.

I think that ISPs could do more about malware infected computers, though. I used to think that any computer exhibiting suspicious behavior should have their net connection suspended until the computer could be checked and cleaned, but now I think that ISPs shouldn't do that. They could, however, monitor for malware and send a letter saying, "We noticed online activity that is unusual for you based on past usage habits. You might want to check your computer." Then the customer can do with that info what they want.

I realize that current malware tries to hide its tracks very well (i.e. spam software only sending small amounts of e-mail at a time), but had some of these tactics been used early on in the game there might have been less of a malware problem overall. Though disconnecting the infected computer would have disrupted bot networks pretty effectively.

[besson3c]

Originally Posted by subego 

There may be some finer points I'm missing here, but the only routers they'd be able to backdoor would be routers they provided. The routers they provide should have WAN acces disabled by default. This minimizes their exposure to the junky password problem about as far as an ISP has the means to do so.

It would seem to me that if I wanted to do malicious stuff that I'd probably go war diving to find an exposed Wifi network, as opposed to seeing what routers, if any, permit access via the WAN...

[besson3c]

Originally Posted by Person Man 

Here's how I feel about it.

If the router is provided by the ISP and the customer leases it or rents it from them (i.e. the ISP owns the router), then the ISP has every right to go in and change the password.

However, if the router is owned by the customer, even if the ISP provided it (i.e. the customer bought it from them), then the ISP has NO RIGHT to change ANY setting on the router because it is not theirs, no matter what. Now, this does not preclude them from saying, "We noticed that your router has a password that is not very secure. We suggest you change it." But if the customer chooses not to change it, that's their prerogative because the router belongs to them.

I think that ISPs could do more about malware infected computers, though. I used to think that any computer exhibiting suspicious behavior should have their net connection suspended until the computer could be checked and cleaned, but now I think that ISPs shouldn't do that. They could, however, monitor for malware and send a letter saying, "We noticed online activity that is unusual for you based on past usage habits. You might want to check your computer." Then the customer can do with that info what they want.

I realize that current malware tries to hide its tracks very well (i.e. spam software only sending small amounts of e-mail at a time), but had some of these tactics been used early on in the game there might have been less of a malware problem overall. Though disconnecting the infected computer would have disrupted bot networks pretty effectively.

It used to be, if not still, that some ISPs suspended or canceled your account if you are found to be running servers on their network. Technically a compromised network probably involves rogue servers being run, what applies here?

Also, by simply telling a customer about their problems wouldn't you just be increasing your support overhead, cause they would surely call up the ISP and have them coach them through securing their PC.

Lots of different ways to look at this stuff, I guess, I'm mostly just playing devil's advocate here to make sure that all relevant possibilities are being accounted for.

[subego]

Originally Posted by besson3c 

It would seem to me that if I wanted to do malicious stuff that I'd probably go war diving to find an exposed Wifi network, as opposed to seeing what routers, if any, permit access via the WAN...

Exactly. Just like if I have physical access to your router (which I'd need if WAN access is disabled) I wouldn't bother dicking around guessing your password when I can just do a hard reset.

IOW, enormously intrusive solution to a non-problem.

[besson3c]

Originally Posted by subego 

Exactly. Just like if I have physical access to your router (which I'd need if WAN access is disabled) I wouldn't bother dicking around guessing your password when I can just do a hard reset.

IOW, enormously intrusive solution to a non-problem.

I wouldn't say non-problem, I'd say possibly unavoidable problem, but then again, this intrusive sort of ISP behavior might help avoid or reduce these problems greatly since I'd be willing to bet that most war divers zero in on open networks. Then again, the article didn't talk about securing the open networks, just changing the router password, so maybe it is pointless.

[subego]

Originally Posted by besson3c 

I wouldn't say non-problem, I'd say possibly unavoidable problem, but then again, this intrusive sort of ISP behavior might help avoid or reduce these problems greatly since I'd be willing to bet that most war divers zero in on open networks. Then again, the article didn't talk about securing the open networks, just changing the router password, so maybe it is pointless.

Oh, absolutely. I'm only referring to the things which are within the ISP's control. These routers are under their control. The ones with WAN access disabled are a non-problem.

Now, if it hadn't been disabled, and the ISP used that fact to access the router, that's an entirely different story. Not only can one show a demonstrable risk with that router, I'd be hard pressed to classify the ISP's actions as an intrusion. They would have accessed the router with a password that was voluntarily given to them, and would not have bypassed any user-enabled defenses in doing so.

Of course, they could have just turned off the damn WAN access in the first place.