New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Broadband
- :
- New router (TG582n) - login password exposed in "N...
New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 7:38 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
From what I can see - whenever you allow access to this(/any?) Plusnet-branded Thomson router by WiFi or LAN to a Windows PC (and I guess others!) then that person can see the unique part of the login password to the router - i.e. the piece after 'CP'. This is obviously a major concern as it is now common for WiFi passwords to be asked-for by visitors who are not necessarily (all) trusted, certainly not I.T. competent and many have devices that are at least physically in-secure and may well be "easy to hack" too - any comments welcome.
The password (less 'CP') is displayed in "Network Places" if SSDP/uPnP is enabled on the PC and although it appears possible to disable at the router (Games uPnP) I certainly wouldn't trust that to be watertight.
Obviously an alternative (or additional) approach would be to change the login password although I would also prefer to rename the user name of 'admin' but can't find any way to do that in the GUI.
I am not sure if I will swap my old router for this one even though it has Class-N WiFi. Now that I know the maker/model - I now gather that this particular router is "horizontally-challenged" and not likely to improve the range which is why I committed to a new 24m contract to get it!
I have seen quite a few posts about the router (e.g. useful "stuff" from NPR et.al...) and may have to resort to CLI even if it does end-up acting as an ADSL modem and I have to LAN-attach a Class-N extender to it.
I don't suppose anyone can recommend a cheap VoIP-enabled router or a supplier of a PAP2T? that is reliable - again feedback welcome even though off-topic.
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 8:53 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Whoever has your router's serial number only has access to the settings if they can first get on to the network, so they're either in your house already and using a LAN cable or they also know your WiFi key so you must trust them enough not to go hacking!
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 8:58 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 9:35 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Two guesses where to find the telnet commands
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 10:29 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: apjashley1 From the GUI you would create a new user, then login as the new user and delete the 'admin' account.
Whoever has your router's serial number only has access to the settings if they can first get on to the network, so they're either in your house already and using a LAN cable or they also know your WiFi key so you must trust them enough not to go hacking!
Thanks for the "new user via GUI" approach - I will try that as I have used TelNet CLI and it isn't exactly "user friendly" although I must ask NPR if these routers are "TelNet-script-able" in some way...
Regarding "trusting" visitors etc. - it isn't so much about their integrity but their kit (mobiles, iPads, Notepads) combined with their low I.T. competence and their risk-aversion threshold compared to my own.
My primary equipment is under lock and key in a bedroom when I am not there or if there are visitors and I am away from that room or access to it.
Allowing any chance of a hacker getting within my (W)LAN through a visitor's kit is bad but containable with good security (I hope!) on all my own kit but as soon as you add any risk of easy penetration / compromise of what could be my primary router then I am at serious and major risk no matter how small a chance of that happening.
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 11:03 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: apjashley1 I'm not sure how competent you are in the CLI (Telnet) but npr has written an excellent guide on how to set up a second WiFi network just for guests, that is isolated from your main network (while still allowing access to the web) and can have its own different password.
That sounds interesting but is it possible on the 582? What seemed to match your description on the bottom of his (CLI) web pages was: Multiple SSID -- (TG587n only)
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
02-04-2013 11:04 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
03-04-2013 9:35 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: PNet4um That sounds interesting but is it possible on the 582?
For interest, the O2 version of this TG582n can be configured with a second "guest" wireless network from the GUI. Surprised this is not available in the PN version.
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
03-04-2013 9:47 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Yes, the router serial number is available via uPnP. And we use the serial number as the admin user's default password.
We don't think that this is a security risk but you can change the password for this user if you like through the user interface.
Thanks,
Matt
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
03-04-2013 12:03 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Matt Hello, Yes, the router serial number is available via uPnP. And we use the serial number as the admin user's default password.
We don't think that this is a security risk but you can change the password for this user if you like through the user interface.
Thanks, Matt
Thanks for responding. Although I am happy for you (Plusnet) to take that point of - it certainly doesn't match my own view of security although I do admit that 35+ years in a very wide range of I.T. roles inc. supporting and selling to FTSE banks etc. doesn't make me typical.
My two suggestions would be (a) to ensure that your customers are made aware of the risk (even if Plusnet regard this as acceptable) and (b) given an easy guide (or an aid/tool) to properly securing the router as I would regard your position as open to legal claim of negligence if a customer was compromised despite the agreed fact that access to the (W)LAN would have to have been given. BTW I am not claiming to be at an "Expert witness" level in that regard!
Don't get me wrong - I am very happy with your response in that it confirms the situation and I know from other responses what I can do to ameliorate the problem.
Just one final but minor question that has just occurred to me - if we make changes to the routers you supply - do you "wash your hands" of them in terms of support or do you make "fair efforts"?
Thanks again.
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
03-04-2013 3:55 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Some routers still come with a default username / password (admin / admin or admin / pass etc). At least the PN supplied router makes some attempt at being secure, but remember it is a cheap consumer model not a industrial strength model.
Re: New router (TG582n) - login password exposed in "Network Places" - uPnP/SSDP?
03-04-2013 4:25 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
That's when they changed over to using the router serial number for the password instead.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Broadband
- :
- New router (TG582n) - login password exposed in "N...