A large number of ADSL routers belonging to South African Internet users are relatively easily accessible from the Internet because the default passwords for their remote support accounts remain unchanged.
Using the website ShodanHQ, a MyBroadband member was able to easily get a list of routers in South Africa accessible from the Internet.
The router that came up most often in the first 50 results to the user’s query (which returned over 100,000 results in total) was the D-Link DSL-2750U on the Telkom Internet network.
According to the MyBroadband forum member, they randomly tested a few of these routers and found that all of them were accessible using the default username and password for remote management.
Telkom Internet currently has 3 different brands of ADSL routers listed on its website: D-Link (specifically the 2750U), Netgear, and Billion.
A quick survey of popular consumer ADSL Internet Service Providers (ISPs) indicated that only Vox Telecom’s Atlantic offers D-Link kit as an option to its customers. Atlantic’s head office explained, though, that only branches offer it, and that they mainly supply customers with Billion routers.
Security is a personal decision: Telkom
Asked about the security of these D-Link routers, Telkom explained that ADSL routers may be dispatched with factory default settings and passwords.
“Abuse and interception is preventable by changing the admin/default usernames and passwords,” a Telkom spokesperson told MyBroadband.
Instructions to do this are published in the user guides for the Telkom-supplied modems, the spokesperson said.
“Security is a personal decision and while modems have the functionality to provide a safe environment, it is reliant on the user to activate the built-in security measures to limit the risk of intrusion.”
Remote management blocked by default: D-Link
D-Link’s technical supervisor, Altus Lourens, explained that by default all of their routers have the remote management feature on port 80 disabled.
Lourens added that this is also true for the firmware supplied to Telkom Internet for the D-Link routers they sell.
“If a client enables the remote management, D-Link Technical Support always recommends changing the default Support account password,” Lourens said.
“From D-Link Technical Support side we have had a lot of queries from clients on how to do it,” Lourens said.
As an added security measure, should clients accidentally enable remote management, remote logon will only be possible with the support account, which has limited permissions on the router.
“For example: anyone remotely logged on will not be able to change anything on the NAT side like opening ports,” Lourens said.
Easily accessed routers used in DDoS attacks
Roelf Diedericks, chief technology officer at Neology, and Cybersmart CEO Laurie Fialkov recently told MyBroadband that DSL modems of unwitting users are often brought to bear in DNS amplification attacks.
This is a type of distributed denial-of-service (DDoS) attack that reportedly “almost broke the Internet”. Fialkov said that they have also seen it dramatically degrade the speeds of their ADSL customers.
“We have seen various levels of DNS DDoS attacks originating from infected customers on networks we are involved with,” Diedericks said. “The activity has certainly increased over the past few weeks,” he added.
Diedericks went on to explain that attackers find a foothold largely due to open resolvers, poorly configured DSL modems, and buggy firmware.