May 29 2010, 06:59 AM, updated 15y ago
TM, you basically planted a bloody backdoor in everyone's DIR-615 router.
What is this? What are all these hidden options in this special account you neglected to tell us about? You mean to say I could have used my own router all along? You mean people spent >RM1000 on Cisco grade equipment just because you didn't want to tell them about this?
You mean in a sample group of 900 nodes, 600 of them who think their networks are 'secure' are actually completely open? Even those companies on Unifibiz which use the same router? WOW..
That's right guys, TM named the "administrator" account on the DIR-615 as "admin" when there was actually a secondary administrator account with a higher access level. The VLAN settings were never locked out, that account which we all assumed was the admin (because they told us so) was actually a noob piece of shit with <60% access to the router. This account has the same user/pass across every Unifi router that has been given out so far and cannot be changed or even seen with the default 'admin' account.
----
What's the fix?
Untick remote management. If you have a firewall on it, block all the ports (TCP 22/23/80/8080/443) from WAN access.
UPDATE : If you're a Unifi user on firmware 7.05, if you read everything in the management page you can find the username for this account. The pass is the same, once you get access log in and reconfigure your router security properly. I can't believe not a single technician set this account up properly.
----
FAQ
Some less tech-savvy people have asked me what this all means.. so here goes -
Q: What is this and how is this possible?
A: Every consumer router has a username/password combination to access it. This is a basic security feature to ensure that only you (the owner) can access it. This Unifi router however, has two accounts by default. When TM installed Unifi in your home/office, they only configured the first account. The second account -- which has a higher level of access was left configured with its default username/password. They also neglected to inform the customers (you) and their own technicians who did the install about this second account. As every Unifi user is 'forced' to use this router and this account has not been configured properly, every Unifi user is also vulnerable to have their routers accessed by unauthorized users simply by using this default account user/password combination.
Q: So what if outsiders can access my router? What does this mean?
A: The Unifi router is not just a simple box that sits on your network. It can be considered to be a full computer system and has the capability to run any executable that's made for it. Since an outsider can access your router, he can also do the following :
- Turn your router into a proxy, if he commits any crimes online it will be traced back to you instead and you will take the fall for it
- Use your 10/20mbps Unifi account so he doesn't have to pay for his
- Use up your bandwidth quota (once quotas are implemented) as much as he wants and you will pay for it
- 'Spy' on your Internet connection and view every site you are visiting
- Forward all connections to your home PC using DMZ, making your home PC completely vulnerable to Internet attacks.. if you have an open NAS (network attached storage) on your home network, he will be able to access all your files
And the list goes on and on..
Q: So how can I fix this?!
A: Make sure remote management is disabled (as it is enabled by default). With this enabled, anybody with this default user/pass combination can access your home router and perform the attacks I mentioned above. This fix however, doesn't prevent people on your own LAN network from accessing the router. If you are running an open Unifi hotspot (shop wifi, etc) and you are using the default DIR-615 router, the only fix is to access this second account and change the password.
I've uploaded a Router Security guide and VLAN bridging guide (to use your own hardware with Unifi) on my website @ http://unifi.athena.my
This post has been edited by rizvanrp: Jun 12 2010, 08:19 PM
Quote
) 
and they know if u are downloading po*n
. But if you're just talking about hacking for router boxes, google DD-WRT. There's already a huge community set up. These attacks start now and its better I disclose the vulnerability than let their user base grow to the point it cannot be stopped. At least if their tech's are reading this, they will disable the feature in their future installs and possibly change their policy to let the user utilize the main admin account or upgrade their firmware to completely remove this account.
good job rivan, nice find
all around. 
. left on 24/7. Just look at the IPTV box already use 24 watts to electricity, black fiber modem 8 watts, DECT phone is energy efficient (0.7 watts for my given model) so that 1 ok and finally Dlink router not sure how much as i did not find its specification but at least 5 watts. so really that 40 watts left on 24/7 plus now want to add custom router. wow that like leaving the lights on in one bed room 24/7 just to put things in perspective.
0.1176sec
0.37
6 queries
GZIP Disabled