<html><head></head><body> It’s been a while, but attacks that take advantage of this are (or at least in the past have been) real.<div dir="auto"><br></div><div dir="auto"><a href="https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html" dir="auto">https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html</a></div><div dir="auto"><br></div><div dir="auto"><a href="https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html" dir="auto"></a><a href="https://www.digitaltrends.com/web/javascript-malware-mobile/" dir="auto">https://www.digitaltrends.com/web/javascript-malware-mobile/</a><br><div><br></div> <div id="protonmail_mobile_signature_block" dir="auto">I recall when this stuff first started to come out, leaning on RG vendors to fix their firmware to make their default passwords unpredictable based on information readily available on the LAN. </div><div id="protonmail_mobile_signature_block" dir="auto">In this case we’re not even talking about taking action this sophisticated… It seems to me that, having a customer willing and ready to secure themselves, preventing them from doing so is wildly inappropriate. <caret></caret></div> <div><br></div><div><br></div>On Wed, Feb 8, 2023 at 7:57 PM, Eric Kuhnke <<a href="mailto:eric.kuhnke@gmail.com" class="">eric.kuhnke@gmail.com</a>> wrote:<blockquote class="protonmail_quote" type="cite"> <div dir="ltr"><div>I agree, but if we start listing every massive security vulnerability that can be found on the intra-home LAN in consumer-grade routers and home electronics equipment, or things that people operate in their homes with the factory-default passwords, we'd be here all month in a thread with 300 emails. </div><div><br></div><div>I'm sure this ISP will realize what a silly thing they did if and when some sort of worm or trojan tries a set of default logins/passwords on whatever is the default gateway of the infected PC, and does something like rewrite the IPs entered for DNS servers to send peoples' web browsing to advertising for porn/casinos/scams, male anatomy enlargement services or something. <br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 8, 2023 at 3:28 PM William Herrin <<a href="mailto:bill@herrin.us">bill@herrin.us</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke <<a href="mailto:eric.kuhnke@gmail.com">eric.kuhnke@gmail.com</a>> wrote:<br>
> I would hope that this router's admin "password" interface is only accessible from the LAN side.<br>
> This is bad, yes, but not utterly catastrophic.<br>
<br>
It means that any compromised device on the LAN can access the router<br>
with whatever permissions the password grants. While there are<br>
certainly worse security vulnerabilities, I'm reluctant to describe<br>
this one as less than catastrophic. Where there's one grossly ignorant<br>
security vulnerability there are usually hundreds.<br>
<br>
Regards,<br>
Bill Herrin<br>
<br>
<br>
-- <br>
For hire. <a href="https://bill.herrin.us/resume/" rel="noreferrer">https://bill.herrin.us/resume/</a><br>
</blockquote></div>
</blockquote></div></body></html>