Several consumer broadband routers from various manufacturers have been found to contain static administrative passwords. The names/models of the affected routers (at the time of writing) are shown below:
- ASUS DSL-N12E
- DIGICOM DG-5524T
- Observa Telecom RTA01N
- Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293
- ZTE ZXV10 W300
Please refer to this CERT knowledge base article for the most up to date list of affected models.
Why Should This Issue Be Considered Important?
Using these static credentials, a remote attacker could potentially gain access to your broadband router and make any changes they wish to its settings/configuration.
How Can I Protect Myself From This Issue?
Unfortunately, it does not appear that the manufacturers of these routers intend to provide mitigations or updates to the routers' firmware to address their use of static administrative passwords.
In order to prevent an attacker from being able to access your router remotely, please follow the workaround provided in this CERT knowledge base article. This workaround involves blocking the SNMP ports (161 and 162, as well as the Secure SNMP ports 10161 and 10162) to prevent the attacker from being able to determine the MAC address of your router. This is important since the password for all routers affected by this issue is XXXXairocan, where XXXX is the last four characters of the router's MAC address. An SNMP query to your router is used to obtain the appropriate MAC address.
See Aside and Aside 2 for definitions of SNMP and MAC addresses (respectively).
You may need to refer to the documentation (if any) for your router in order to determine the exact steps needed to block the above mentioned ports using the router's firewall. A Google search for your router model or a call to your Internet Service Provider (ISP) may also help with this.
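For routers (or an upstream Linux firewall) that expose an iptables command line, the port-blocking workaround above can be expressed as a small set of firewall rules. This is an added example, not code from the original post or from CERT; the WAN interface name eth0.2 is an assumption and should be replaced with your device's actual WAN interface.

```shell
#!/bin/sh
# Added example: generate iptables rules that drop inbound SNMP traffic
# arriving on the WAN interface, so that a remote party cannot query the
# router's MAC address over SNMP. Rules are printed rather than executed;
# pipe the output into a root shell to apply them.

WAN_IF="${WAN_IF:-eth0.2}"          # assumption: name of the WAN interface
SNMP_PORTS="161 162 10161 10162"    # SNMP, SNMP trap, Secure SNMP, Secure SNMP trap

# Emit one "iptables" command per port and transport. SNMP normally uses UDP,
# but the secure variants may run over TCP, so both transports are covered.
snmp_block_rules() {
    for port in $SNMP_PORTS; do
        for proto in udp tcp; do
            echo "iptables -I INPUT -i $WAN_IF -p $proto --dport $port -j DROP"
        done
    done
}

# Number of rules that would be installed (4 ports x 2 transports = 8).
snmp_rule_count() {
    snmp_block_rules | wc -l | tr -d ' '
}

# Print the rules so they can be reviewed before being applied.
snmp_block_rules
```

To apply the rules on a device where you have a root shell, run the script and pipe its output into sh; rules added with -I are not persistent across reboots unless your firmware saves them.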
If you own one of the affected routers (or you know someone that does) I hope that the above advice is useful in protecting you from this potential threat.
What is SNMP?
Simple Network Management Protocol (SNMP) is a device management protocol. It is used to manage devices such as routers, servers and network printers (among others). If a device develops a fault or requires attention, it can notify the network administrator using SNMP, for example that a printer is low on ink or that a server is under heavy CPU or memory load. Further information on SNMP is available here.
What is a MAC address?
A media access control (MAC) address is the unique identifier of a network interface card (NIC). This NIC can be wired or wireless. For a common Ethernet network, a MAC address is made up of 6 groups of two hexadecimal digits, separated by hyphens ( - ) or colons ( : ). Hexadecimal is a numbering system with 16 values, increasing in value from 0 to 9 and then a to f; more information on hexadecimal is available here.
An example MAC address would be 00:0A:11:22:33:44. A MAC is sometimes referred to as the physical address since this address is assigned in the factory to the network card (NIC) of your device (similar to a unique serial number).
The first 6 hexadecimal digits of a MAC address are called the prefix and are associated with the name of the network card manufacturer, e.g. Broadcom or Realtek. The remaining 6 digits are the unique number that identifies your specific network card.
You may be wondering why MAC addresses are needed when computers already have IP addresses.
The answer is that the OSI networking model is made up of 7 layers. Layer 2, the network access layer, uses MAC addresses to tell one device on the network from another. Network bridges, switches and wireless access points operate at layer 2 and do so without using IP addresses.
As mentioned above, devices are uniquely identified by their MAC address. Layer 2 uses MAC addresses so that it can operate with network transmission standards other than TCP/IP if required. Layer 3 uses IP addresses (which form the IP part of TCP/IP), and at this layer routers use them to forward traffic to the correct devices/destinations.
Network switches (devices that pass traffic between devices and routers on the network in order to move network data to its eventual destination) use MAC addresses to tell the devices connected to their ports apart and to determine which device specific network traffic should be sent to.
Consider what happens when a packet (a piece of data) is about to be sent on the network, for example when your web browser (an application) requests a new webpage. The request starts at the top layer of the TCP/IP model (layer 7, the application layer). As it moves down the network stack in your operating system, more and more data is added to it by each layer, namely layer 6, layer 5 and so on. Layer 3 and above use IP addresses, while layer 2 uses MAC addresses, since by this point the layer 3 information is not consulted (it is intended for layer 3 devices such as routers).
The MAC address of the network card(s) installed in your system can be displayed using the following commands:
Linux (from a terminal window; the MAC address will appear as “HWaddr”):
ifconfig
Apple Mac OS X:
Please see this link for the necessary steps.
Microsoft Windows:
Press the Windows key and the letter R to open a Run box. Type cmd and press Enter.
Type the following command (the MAC address will appear as “Physical Address”):
ipconfig /all