[clug] Drive-By Pharming Attack Could Hit Home Networks

[Paul Wayper]

Andrew Boyd wrote:
> an observation: default password exploits have been with us for a very
> long
> time, and it is a bit sad that router manufacturers don't seem to have
> taken
> them seriously enough to force a change away from the default password on
> first setup.
I've often wondered why the manufacturers don't make the serial number
the default password.  That's usually attached directly to the router,
so its difficult to lose it.  If that's too 'customer unfriendly', then
have the same sticker include a randomly picked default password on each
router - perhaps chosen from a hash of the serial number, so that their
tech support can look it up if requested.  (That way you also get a
record of who's been asking for the passwords for which devices.)  They
have to print a separate sticker for each device anyway, and since that
usually includes the MAC address of the device it also implies that they
have to program some on-board PROM with the information anyway.  It
can't be that difficult.

> A question: is it all router manufacturers that do not force this change?

IMO forcing people to change the password is worse than leaving it as
the default but allowing them to set their security up with the default
password left intact.  The average person doesn't have a good system for
remembering passwords and hasn't trained their memory to remember them;
so after the fourth time they'll set the password and then turn off all
the security so they don't have to fiddle with the router again.

Have fun,

Paul