Fast modems a hacker's heaven

By ADAM GIFFORD

Thousands of broadband internet modems are being installed with default passwords, making them vulnerable to hackers who can use them to surf the net at the owners' expense.

But when Auckland computer programmer John Burns tried to warn people that their modems were insecure, he was threatened with legal action.

Burns said he bought a Nokia M1122 modem/router a month ago when he subscribed to Telecom Jetstream fast internet account.

"About a week after I started, I checked the logs on the modem and discovered some configuration settings had been changed," Burns said.

Extra mapped ports or "pinholes" had been added, linking the router to overseas servers.

"Someone was using my router as a stepping-stone for the transfer of data."

This could be the way a hacker was disguising where data was ending up. It could also be used to disguise the origin of spam or unsolicited emails.

The documentation that came with the modem did not explain what had happened.

By doing a web search, Burns discovered he would need to access the modem with a special cable or through a Telnet session to change the passwords.

He said the problem was not confined to Nokia modems and that many users weren't aware that hackers could access "always on" broadband modems even when the computer was switched off.

"Almost every modem you can buy comes with either no administration password, or a default password set.

"In some cases the manuals do not tell you how to change the password, and in other cases they do not tell you that there are many ways to access the modem, with separate passwords for each method."

Almost all modems have a web-based configuration mode.

If not set up correctly, any external user can connect to the IP address, which identifies where the modem or router is on the internet, and use a default password to access the modem configuration, including user names, passwords and logs.

Burns said he investigated how widespread the problem was by writing a program that looked for New Zealand IP addresses connected to the internet by DSL (digital subscriber line), and then tried to enter.

If it got through, the program harvested a login name and sent an email warning the modem was insecure, and offering Burns' help, for a $45 fee, to fix it.

"The fee was a mistake, but I thought it would help people take this seriously," Burns said.

"Those people who got back to me, I said I would help them fix it for nothing."

His program identified about 50,000 New Zealand-based IP addresses, of which 5000 were active at the time they were polled and 496 were hackable.

One of those who received Burns' email was Chris Yannakakis.

"I turned on my computer in the morning and found I couldn't browse the internet," Yannakakis said.

"Then I got this email from this guy saying he had hacked in and stolen my logon details, and he wanted money to fix it."

Yannakakis said he was considering taking legal action for the theft of personal information and the problems caused.

"It was a massive inconvenience. Because I do some work from home, I had to explain to my manager some of our files may have been put in jeopardy," he said.

Burns said Yannakakis' inability to connect to the internet was nothing to do with his program.

"I got the same complaint from another Xtra customer, so I checked the Xtra site that morning and there was a warning about intermittent connection problems," he said.

"My program only read the login and backed out again, it didn't change any settings."

But the Crimes Amendment Bill, now before Parliament, would make unauthorised access of a computer system illegal.

Xtra spokesman Matt Bostwick said the onus was on modem suppliers and manufacturers to ensure they were secure.

"What we would say to our customers is that it is important to check and change all passwords to see they are secure," Bostwick said.

"Check the documents which come with the modem to find out how to reset them."

Bostwick said Burns' scanning program would probably be considered a serious breach of netiquette.

Dick Smith Electronics buyer Chris Day said documents for modems sold by the chain included information on changing passwords from the default settings.