Hard Coded Router Passwords Put Your Network and Data at Risk

Internet Service Providers (ISPs) need to be able to manage their end customers' connection devices, typically a modem or router. To do this, they need credentials. Most devices have a default userid and password, often on a sticker on the device. A user who cares can, at least in some cases, log into the device and change that default.

BUT, if the ISP needs to log in to maintain the device – for example, to install patches – how can they do that if the customer changed that password?

I have recently seen multiple posts on news boards for security pros d

It turns out that there is a simple answer, but you are not going to like it.

Many hardware manufacturers have colluded with these ISPs and implemented a “hard coded” password that the user can’t see.

In fact, in most cases, the user can’t even see that the hard coded userid that goes along with the hard coded password is there. When they ask for a list of users, that user isn’t even mentioned.

Of course, since it is hard coded, it is never changed.

The only people who know it are (a) the current ISP employees, (b) former ISP employees – remember, that password never changes and, oh yeah, (c) anyone who knows how to use Google to ask “is there a hard coded password in an XYZ model 123 router”. Google will typically fork it right over.

Why is that a problem? Those hard coded passwords might be available for all sorts of devices in your offices, usually without any way for you to even know that they are there. They are likely also hard coded in a variety of devices in your employees’ work-from-home networks.

Since Work from Home/Work from Anywhere has become the new norm since the start of the pandemic, this is now a bigger problem than it used to be.

There are ways to deal with this, including implementing zero trust and other means. If you need help with this, please contact us.