On Tuesday, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University issued an alert. According to the alert, several DSL routers from different manufacturers ship with a “guessable” hard-coded password that allows the router to be accessed through a hidden administrator account.
“All of the devices have an admin password in the form ‘XXXXairocon’ — where XXXX are the last four characters of the device’s physical MAC address,” said CERT/CC.
The affected device models are:
By sending a public query over the Simple Network Management Protocol (SNMP), a router’s full MAC address can be obtained, so recovering its last four characters takes little effort. The username paired with the hard-coded password is admin (the one exception is the PLD SpeedSurf 504AN, which uses adminpldt). An attacker who holds these credentials can gain administrator access to an affected device over its telnet service.
Worrying as it now is, this vulnerability is not new. A researcher found the same issue in the ZTE ZXV10 W300 in 2014, and a different researcher found it in the Observa Telecom RTA01N in May; until now, however, it was not known that other devices were affected.
Because the hard-coded password takes the same form on every affected device, the firmware is thought to have been developed by a single company. Sharing firmware this way is not unusual, but earlier this year a security researcher found identical vulnerabilities in “a large number of DSL router models” from different manufacturers, distributed to customers by ISPs around the world.