Say It Ain't So Verizon

by Pipefish  (email@pipefish.me)

You can reset the router password of most stock setups of Verizon's Fios Internet service without authorization, and without physical access.

That is a bold statement, but one that I have found to be true every single time I test it out.  And if I've found this out, chances are good that plenty of others have as well.  I have called and emailed Verizon several times about this issue and have gotten a mix of "I didn't know that was possible" to "Yeah, that's a value add feature for our customers."

Either way, the big V has not addressed the problem.  My hope is that if this article gets published in this fine tome that someone brings a copy up to the President of Verizon Security Awesomeness or something, and says "Uhh, we may need to rethink this one!"

I found this issue out by accident, after I moved.

I had Verizon come out and transfer my Fios service to my new address.  The tech was doing the usual stuff, then said, "Now I have to verify connectivity.  Do you have a computer we can use to test it out?"

I ambled up and set my laptop in front of him, which was running Ubuntu.  The tech instantly stated, "Uh, we don't officially support machines unless they're a Windows PC."

I browsed the Internet and was satisfied.  He said, "We have to run a program to test connectivity or I don't get credit for the install."

The "program" in question was an EXE.  Sigh.

O.K., fine, so I booted up my Windows 7 VM.

He plugged in a thumb drive and fired off some EXE.  Now, I won't even go into the fact that I would usually never let anyone plug in a random thumb drive to my PC and run some EXE, but this was a VM and I wanted him to finish, so I held my tongue.

The EXE launched some apps that looked like they were testing different aspects of my Fios service.  But for all I know, I was being enrolled in a botnet.  But that's neither here nor there.

When all the colors on the screen showed green, he said, "Now I'm going to show you about Verizon's In-Home Agent."  I didn't feel like dealing with it, but he was in full-on canned speech mode.  "It lets you diagnose issues, collect log info for support, and do some other neat stuff, like reset the router password."  Fine, fine, get out thank you, enjoy your life tech-guy.

When he left, I went to login to the router with the password he had left me (Password1).  Of course, wireless security was set to what Verizon always sets it to: WEP.

I went in, changed to WPA2 PSK, and changed the passphrase.  When I went to change the password, but accidentally closed the window before I did.  Shucks... but wait... the In-Home Agent screen was up and the option "Change Password" was sitting right there.

OK, I'll bite.  So I clicked it.  It asked for a new password.  It did not ask for an old one.  Hmm...  So I typed in a new password.  Then I tried to log into the router.  My new password worked.  Interesting.

Well, maybe since the application was running earlier, it cached the first password when I logged into the site... I dunno how, but maybe.  So, I rebooted and repeated and changed the password to something new, without being prompted for the old one.  Fascinating.

I went to my neighbor later and asked if I could test something out.  They owe me since I have fixed their computers for free, so they let me tinker.  They let me connect to their network (which was WEP) and I ran the In-Home Agent.  I then proceeded to change their router password without being asked for the original.  Yikes.

In my first call to Verizon, I explained how most times that Verizon techs come out for a Fios move or install, they set Wi-Fi security to WEP.  I was told this was because not all customers' computers support WPA/WPA2, and they want to ensure that their customers can use their Wi-Fi.

O.K., but WEP can be cracked in minutes.  There have been dozens of articles published (some in this magazine) on how to do it.  It's easy.  But, that's not the worst part.  If I get onto a network (crack their WEP or am allowed in), all I have to do is run the In-Home Agent and I can reset their router password.

I don't have to "man-in-the-middle" them, nor find vulns in their PCs to exploit.  I can just own them at their gateway.  Redirect DNS where I want, set new routes.

"Hmm, I'll inform my manager about your concerns."  That's all I got in the first call.  Several other calls, and several emails later, there has been no update to the In-Home Agent.

I did get one tech who said, "Well, I mean you know, if you're on the network, we figure you're allowed to be... so you can reset the password, I guess."  O.K., but if I crack the WEP I got on without being allowed to be....  Sigh.

It doesn't get through.  Hopefully, having this in 2600 will get them to wake up.  Because a concerned customer's harassment apparently can't.