cancel
Showing results for 
Search instead for 
Did you mean: 

New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

PNet4um
Grafter
Posts: 29
Thanks: 2
Registered: ‎13-02-2010

New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

I have searched several times to see if anyone has already posted on this topic but was surprised when no-one had raised it.
From what I can see - whenever you allow access to this(/any?) Plusnet-branded Thomson router by WiFi or LAN to a Windows PC (and I guess others!) then that person can see the unique part of the login password to the router - i.e. the piece after 'CP'. This is obviously a major concern as it is now common for WiFi passwords to be asked-for by visitors who are not necessarily (all) trusted, certainly not I.T. competent and many have devices that are at least physically in-secure and may well be "easy to hack" too - any comments welcome.
The password (less 'CP') is displayed in "Network Places" if SSDP/uPnP is enabled on the PC and although it appears possible to disable at the router (Games uPnP) I certainly wouldn't trust that to be watertight.
Obviously an alternative (or additional) approach would be to change the login password although I would also prefer to rename the user name of 'admin' but can't find any way to do that in the GUI.
I am not sure if I will swap my old router for this one even though it has Class-N WiFi. Now that I know the maker/model - I now gather that this particular router is "horizontally-challenged" and not likely to improve the range which is why I committed to a new 24m contract to get it!
I have seen quite a few posts about the router (e.g. useful "stuff" from NPR et.al...) and may have to resort to CLI even if it does end-up acting as an ADSL modem and I have to LAN-attach a Class-N extender to it.
I don't suppose anyone can recommend a cheap VoIP-enabled router or a supplier of a PAP2T? that is reliable - again feedback welcome even though off-topic.
11 REPLIES 11
apjashley1
Grafter
Posts: 307
Registered: ‎31-07-2012

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

From the GUI you would create a new user, then login as the new user and delete the 'admin' account.
Whoever has your router's serial number only has access to the settings if they can first get on to the network, so they're either in your house already and using a LAN cable or they also know your WiFi key so you must trust them enough not to go hacking!
apjashley1
Grafter
Posts: 307
Registered: ‎31-07-2012

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

I'm not sure how competent you are in the CLI (Telnet) but npr has written an excellent guide on how to set up a second WiFi network just for guests, that is isolated from your main network (while still allowing access to the web) and can have its own different password.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

You can create a new username and password then delete the old one if that make you feel more secure Wink
Two guesses where to find the telnet commands  Cheesy
PNet4um
Grafter
Posts: 29
Thanks: 2
Registered: ‎13-02-2010

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

Quote from: apjashley1
From the GUI you would create a new user, then login as the new user and delete the 'admin' account.
Whoever has your router's serial number only has access to the settings if they can first get on to the network, so they're either in your house already and using a LAN cable or they also know your WiFi key so you must trust them enough not to go hacking!

Thanks for the "new user via GUI" approach - I will try that as I have used TelNet CLI and it isn't exactly "user friendly" although I must ask NPR if these routers are "TelNet-script-able" in some way...
Regarding "trusting" visitors etc. - it isn't so much about their integrity but their kit (mobiles, iPads, Notepads) combined with their low I.T. competence and their risk-aversion threshold compared to my own.
My primary equipment is under lock and key in a bedroom when I am not there or if there are visitors and I am away from that room or access to it.
Allowing any chance of a hacker getting within my (W)LAN through a visitor's kit is bad but containable with good security (I hope!) on all my own kit but as soon as you add any risk of easy penetration / compromise of what could be my primary router then I am at serious and major risk no matter how small a chance of that happening.
PNet4um
Grafter
Posts: 29
Thanks: 2
Registered: ‎13-02-2010

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

Quote from: apjashley1
I'm not sure how competent you are in the CLI (Telnet) but npr has written an excellent guide on how to set up a second WiFi network just for guests, that is isolated from your main network (while still allowing access to the web) and can have its own different password.

That sounds interesting but is it possible on the 582? What seemed to match your description on the bottom of his (CLI) web pages was: Multiple SSID  -- (TG587n only)
apjashley1
Grafter
Posts: 307
Registered: ‎31-07-2012

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

It works perfectly on the TG582n, I've done it
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

Quote from: PNet4um
That sounds interesting but is it possible on the 582?

For interest, the O2 version of this TG582n can be configured with a second "guest" wireless network from the GUI. Surprised this is not available in the PN version.  Shocked
mattturner
Grafter
Posts: 246
Thanks: 2
Registered: ‎25-06-2009

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

Hello,
Yes, the router serial number is available via uPnP. And we use the serial number as the admin user's default password.
We don't think that this is a security risk but you can change the password for this user if you like through the user interface.
Thanks,
Matt
PNet4um
Grafter
Posts: 29
Thanks: 2
Registered: ‎13-02-2010

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

Quote from: Matt
Hello, Yes, the router serial number is available via uPnP. And we use the serial number as the admin user's default password.
We don't think that this is a security risk but you can change the password for this user if you like through the user interface.
Thanks, Matt

Thanks for responding. Although I am happy for you (Plusnet) to take that point of - it certainly doesn't match my own view of security although I do admit that 35+ years in a very wide range of I.T. roles inc. supporting and selling to FTSE banks etc. doesn't make me typical.
My two suggestions would be (a) to ensure that your customers are made aware of the risk (even if Plusnet regard this as acceptable) and (b) given an easy guide (or an aid/tool) to properly securing the router as I would regard your position as open to legal claim of negligence if a customer was compromised despite the agreed fact that access to the (W)LAN would have to have been given. BTW I am not claiming to be at an "Expert witness" level in that regard!
Don't get me wrong - I am very happy with your response in that it confirms the situation and I know from other responses what I can do to ameliorate the problem.
Just one final but minor question that has just occurred to me - if we make changes to the routers you supply - do you "wash your hands" of them in terms of support or do you make "fair efforts"?
Thanks again.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

I agree it's a bit silly, but I don't see it as a big security issue. Provided the wireless network is secure, which it should be, then the only people who can view the serial number are those on the LAN. The same people can just as easily turn the router over and read the password there.
Some routers still come with a default username / password (admin / admin or admin / pass etc). At least the PN supplied router makes some attempt at being secure, but remember it is a cheap consumer model not a industrial strength model.
PowerLee
Pro
Posts: 826
Thanks: 128
Fixes: 2
Registered: ‎12-03-2013

Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?

I remember a few years back O2 had to update the firmware on all there Thompson / Technicolor routers due to them all having the exact same default password  Grin
That's when they changed over to using the router serial number for the password instead.