Kitz ADSL Broadband Information

Author Topic: Be Routers - Important Notice to Be users.  (Read 9321 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Be Routers - Important Notice to Be users.
« on: September 09, 2009, 11:30:23 PM »

Well, I've just tried to log into my router tonight after noticing that something weird seems to have happened to my MRTG graphs, which for some unexplained reason seemed to have stopped logging.

I spent a while looking at my MRTG config wondering what had happened.. and then I tried to log into my router.
But could I log into my router - could I hellers like!  My router wouldn't let me access it either via http or cli.

So I spent a fruitless half an hour or so messing around..... only to find out that Be had changed my router passy without even notifying me.
Just in case anyone else is with Be..  this is from their website:

Quote

We want to let you know that we’ve recently been informed of a security problem that could affect the BE Box, among other routers.

Essentially, the problem could allow somebody to change your router settings, and nobody wants that.

For you tech savvies, we’ve included more details at the bottom of this email.


Email?  What e-mail?  You sure as hell didn't send me one out.

Mad?  Yes I am.   :angry:
Thanks Be for just making me waste a total of about 45 mins in total  :wall: :wall:


--------------------

If like me you are having problems logging into your BeBox, the new Admin password has been reset to the serial number on the bottom of your router.
It doesn't matter if you've already set your own passy...  it will be over-written.

Be tells you how to change it if you have a TG585v7 here.

If you have an older Speedtouch router the setting can be found from

Toolbox >
User Management >
Change my password.


Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

philip_l

  • Member
  • **
  • Posts: 28
Re: Be Routers - Important Notice to Be users.
« Reply #1 on: September 14, 2009, 04:25:56 PM »

Hi

I never received an email either although I don't use the BeBox so maybe they knew that?  Mmm okay I don't believe Be are that organised though to only send emails to those actively using the BeBox, and I think really I should have got one but didn't.

Nice one Be, an ISP that can't reliably arrange an emailshot, not good.

Regards

Phil
Logged

Azzaka

  • Reg Member
  • ***
  • Posts: 572
  • SysAdmin
    • A Designers Work in Progress
Re: Be Routers - Important Notice to Be users.
« Reply #2 on: September 14, 2009, 05:30:35 PM »

http://www.jibble.org/o2-broadband-fail/

This exploit applies to all Speedtouch and possibly BT Home Hubs as well - some people are realising this so some calls may be coming in regarding this.

IMPORTANT STUFF
---------------

This exploit can be limited by setting a username/password on the router. DON'T GO WITH THE DEFAULT!!
Logged
I Sync', I Auth', therefore I am.

chainbeltmadras

  • Just arrived
  • *
  • Posts: 5
Re: Be Routers - Important Notice to Be users.
« Reply #3 on: September 14, 2009, 05:59:54 PM »

What should we do now then, just leave it as the serial number, or could a hacker have the serial numbers already?

If I have been using Ethernet and not wireless, was it still vulnerable to attack?
Logged

Azzaka

  • Reg Member
  • ***
  • Posts: 572
  • SysAdmin
    • A Designers Work in Progress
Re: Be Routers - Important Notice to Be users.
« Reply #4 on: September 14, 2009, 07:15:02 PM »

Yes, it is still vulnerable to the attack. The best advice is to change all the default passwords.
Logged

chainbeltmadras

  • Just arrived
  • *
  • Posts: 5
Re: Be Routers - Important Notice to Be users.
« Reply #5 on: September 14, 2009, 08:02:46 PM »

I cannot log in to it. How can we know if the box has been updated?
If I reset by paper clip on the box, is the serial number always the new default password?
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Be Routers - Important Notice to Be users.
« Reply #6 on: September 14, 2009, 11:41:26 PM »

The vulnerability appeared to be that by default these routers were shipped out with the password not set.
Inputting your own password obviously then makes the router more secure.

In fact I think this would apply to many makes of routers where the user has retained the default password, as it's not hard to find out what the defaults are.

You can leave it as the serial number, or you can change it to your own.
It's highly unlikely that a hacker would be able to get your router serial number.
He'd either have to be in there already to get it from the router, or be on the premises to get it from the sticker on the bottom.
Some helpdesks may retain a list of SN to users too.

>> I cannot login to it.

The username should be Administrator with a capital A
and the serial number from the sticker on the bottom of your router
so something like CPxxxxxxxxx.  Ignore the last few figures that are in the brackets.

Logged

chainbeltmadras

  • Just arrived
  • *
  • Posts: 5
Re: Be Routers - Important Notice to Be users.
« Reply #7 on: September 15, 2009, 09:05:24 PM »

Still very confused by it.

Azzaka's link is very worrying.

O2 email today contradicts what you say again.

We have been notified of a potential security issue with our O2 wireless box routers. We have taken this issue very seriously and have been investigating it with the router's manufacturer, Thomson.

As standard the O2 Wireless Boxes have no password for its "Administrator" login, and a generic password for the "SuperUser" login, mainly to make it easy for you to use the router.

The user name has changed to "SuperUser" and your password is now your router serial number which can be found printed underneath your router.

I hope this information has been of help to you.

Best regards
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Be Routers - Important Notice to Be users.
« Reply #8 on: September 16, 2009, 11:27:01 PM »

>> The user name has changed to "SuperUser"

Thanks for pointing that out. :)
O2 have always used SuperUser as the main admin on their boxes.
« Last Edit: September 16, 2009, 11:44:10 PM by kitz »
Logged

JohnnyD

  • Member
  • **
  • Posts: 23
Re: Be Routers - Important Notice to Be users.
« Reply #9 on: October 05, 2009, 02:01:23 PM »

Well BE totally messed my router up.......The combination I eventually got in with was SuperUser with a password of Administrator

That only took me 3 weeks to sort out

JD
Logged

Oranged

  • Reg Member
  • ***
  • Posts: 623
    • The Mobile Help Forum
Re: Be Routers - Important Notice to Be users.
« Reply #10 on: October 05, 2009, 06:38:33 PM »

>> Well BE totally messed my router up.......The combination I eventually got in with was SuperUser with a password of Administrator
>>
>> That only took me 3 weeks to sort out
>>
>> JD

I've been with O2 using a TG585v7 for 12 months and as soon as I started using the router, as Azzaka said, I created my own userid and password and applied the SuperUser privileges to that......so I have no need to use any of the default userids.
Logged

Azzaka

  • Reg Member
  • ***
  • Posts: 572
  • SysAdmin
    • A Designers Work in Progress
Re: Be Routers - Important Notice to Be users.
« Reply #11 on: October 13, 2009, 08:20:19 AM »

Something to note, we have found a piece of software that can calculate the wireless key by using the default SSID. In such a case the best practice is to change the SSID at least, otherwise change both the key and the SSID.
Logged