Yondoo provided router, has "password" as admin pw, won't let us change it
typhoon.notice_0a at icloud.com
typhoon.notice_0a at icloud.com
Wed Feb 8 17:15:12 UTC 2023
Apparently iCloud’s hide my email implementation can only be used with one recipient, so here was my reply to Josh (apologies to him for the spam), for posterity:
Thanks for your reply.
Double NAT tends to break things like ZeroTier.
But even if that wasn’t a problem for us, I think the more pressing concern here is that the default admin password for the router is “password”, and you can’t change it without a tech coming out to change it for you, and shelling out $50.
Who knows how many residential routers are in their fleet that are “password” protected; seems like a disaster waiting to happen.
The model was an Evolution Digital EVO3000GW — thankfully they were able to swap it out with a non-router modem that I had sent to her over the weekend, but not without making a few phone calls, first. It didn’t seem like they could provision the new modem remotely.
If anyone has a more security-focused forum they could recommend for a post like this, I’ll be happy to take my inquiry elsewhere.
> On Feb 8, 2023, at 8:06 AM, Josh Luthman <josh at imaginenetworksllc.com <mailto:josh at imaginenetworksllc.com>> wrote:
> What's the problem with double NAT? I can't imagine an elderly mom trying to host Xbox games - which is 95% of the problem with double NAT these days (the other 5% being Ubiquiti bros having to access their Unifi router from anywhere).
> Your screenshots didn't come through, I suspect it's stripped via the mailing list, but there's no model number specified anywhere.
> NANOG really isn't the best place for this, but I don't know where else you would be able to go besides what you've already done: Yondoo support.
> On Tue, Feb 7, 2023 at 9:17 AM TACACS Macaque via NANOG <nanog at nanog.org <mailto:nanog at nanog.org>> wrote:
>> Long time lurker, first time poster. Sorry in advance if this is the wrong forum for something like this.
>> My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer Premises Equipment) with a built-in router, without providing the ability to change the admin password from "password" on it.
>> Their customer service rep said that this is not only WAI, but also wanted to charge her $50 to have a tech come out and change it. Which is obviously less than ideal.
>> That aside, this seems like a pretty egregious security standard which, from my understanding, can have fairly dire security implications... e.g., DNS server settings can be pointed at whatever someone wants here.
>> My mom is elderly and had already fallen victim to a call center scammer a couple years ago. They briefly took control over her laptop before she called for backup. So I'm just a little concerned that we have no control over changing this router's admin password — from “password” — in a pinch, without waiting for a truck roll && shelling out $50.
>> I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in hopes that they'll let us bring our own. She does have Google Wifi, but we can't even put their router into bridge mode. So she would be double NATed and have no control over changing the admin password on the first router.
>> Anyone have any experience with Yondoo? I've tried reaching out to them on multiple fronts, but have yet to hear back from them on this. A tech is scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let us use our own modem and then take it from there.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the NANOG