Routers sold to New Zealand broadband customers by at least one local ISP have been shipped with a known username and password and can be accessed from the internet. The insecure setup could allow an attacker to divert traffic, lock users out of their routers and even read or send email from users' accounts.
Computerworld has been shown that routers have shipped with the administration web interface enabled on the WAN port with a known default username/password combination. Once an attacker accesses the administration interface, he or she could change the router configuration. By noting the ADSL network username and password stored in the router, an attacker might also be able to access the user's email, which typically uses the same login details.
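The exposure described above can be checked from outside the home network with a simple probe: does the WAN address answer HTTP, does it present an authentication challenge, and does it accept a candidate default credential pair. The following is an added example, not code from the article, Ihug or D-Link. It runs offline against a constructed mock of a Basic-auth-protected admin page; the credential pair "admin"/"admin" and the realm string are placeholders for the example and are not the default credentials the article refers to, which it does not publish.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a router admin interface protected by HTTP Basic auth.
# MOCK_CREDS is a placeholder for this example only, not D-Link's real default.
MOCK_REALM = "Router Admin"
MOCK_CREDS = ("admin", "admin")


class MockAdminHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{MOCK_CREDS[0]}:{MOCK_CREDS[1]}".encode()).decode()
        if self.headers.get("Authorization", "") == expected:
            body = b"<html>Router configuration</html>"
            self.send_response(200)
        else:
            body = b"Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{MOCK_REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_admin(port=0):
    """Start the mock admin interface on localhost; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), MockAdminHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_admin_interface(host, port, candidates, timeout=3):
    """Probe host:port for an HTTP admin interface.

    Returns a dict:
      exposed  - True if something answered HTTP on that port (401 challenge or an
                 unauthenticated 200 page)
      realm    - realm from the WWW-Authenticate header, if one was sent
      accepted - first (user, password) pair in `candidates` that yielded 200,
                 ("", "") if no authentication was required, else None
    """
    result = {"exposed": False, "realm": None, "accepted": None}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
    except OSError:
        return result  # refused, filtered or timed out: not reachable from here
    if resp.status == 200:
        result["exposed"] = True
        result["accepted"] = ("", "")  # no authentication at all
        conn.close()
        return result
    if resp.status != 401:
        conn.close()
        return result
    result["exposed"] = True
    challenge = resp.getheader("WWW-Authenticate", "")
    if 'realm="' in challenge:
        result["realm"] = challenge.split('realm="', 1)[1].split('"', 1)[0]
    # Try each candidate pair; HTTPConnection reconnects automatically if the
    # server closed the connection after the previous response.
    for user, pw in candidates:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        conn.request("GET", "/", headers={"Authorization": "Basic " + token})
        r = conn.getresponse()
        r.read()
        if r.status == 200:
            result["accepted"] = (user, pw)
            break
    conn.close()
    return result


def demo():
    """Run the probe against the constructed mock and return its findings."""
    server = start_mock_admin()
    port = server.server_address[1]
    try:
        return probe_admin_interface("127.0.0.1", port,
                                     [("admin", "password"), ("admin", "admin")])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real router the probe would be pointed at the WAN address from a host outside the home network; a result with `exposed` True is already the configuration the article describes, whether or not any candidate credential is accepted, and only devices you own or are authorised to test should be probed.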
The D-Link 504G routers are resold by Ihug as part of its bliiink broadband package deals. As Computerworld went to press, Ihug technicians were checking the provider's DSL network to find out exactly how many customers are using the vulnerable router. Ihug marketing manager Rob Anderson says technicians are also looking at other routers and modems resold by the ISP to see if they too have a vulnerable configuration.
When notified of the vulnerability on Wednesday, Anderson said that Ihug intended to develop and deploy a fix for the vulnerability within 24 to 48 hours. Ihug will also make sure it doesn't ship any more routers configured with the remote management interface left open to the internet, he says.
D-Link's broadband business manager for Australia and New Zealand, Dean Williams, says shipping routers with the management interface open to the internet is "a big no-no, security-wise". Williams says remote access is disabled on all its routers. However, Computerworld has found that older revisions of firmware used in the D-Link 504G routers sold by Ihug do not allow customers to turn off the remote management web server. Asked about this, Williams says the B2.NZ software found on the routers isn't the current shipping firmware version, and it hasn't been used for over a year now. He advises customers with that version to upgrade to the latest B.21.AU version, available at D-Link's website.
The D-Link routers have also been resold by other providers and retailers, including Dick Smith, but it isn't yet known if they were also shipped with a vulnerable configuration.