Published in News
Telstra routers security risk
Ship with hardcoded user names and passwords
Telstra is in hot water after a recent line if its broadband routers shipped with hardcoded usernames and passwords.
According to SC magazine,hardcoded-passwords-leave-telstra-routers-wide-open.aspx the flaws were found on 16 October, 2012 by Milan-based security researcher and consultant Roberto Paleari. It was not announced until Telstra had developed and fully tested a firmware fix. The flaws meant attackers could bypass any unique passwords and access the device administrative console and customer's local network.
Telstra has issued a patch to fix the flaws and was contacting affected customers by phone and email to urge them to apply it. Paleari found other vulnerabilities including a command-injection flaw due to the server-side script failing to properly validate user-supplied input. Telstra ignored the later fault because it did not see it as a problem so Paleari disclosed it.
The patch also introduced a feature allowing manual selection between internal and external antennas from the modem interface.