Child Item

Site Totals

61223 Questions Answered 267 Categories

Can we trust the security built into Westell 9100 router? I have my doubts...

I tried the IHA (In Home Agent) yesterday. One of the notifications that I have is that I need to set the password on my router. I have already done so. Just to get rid of the notification, I clicked on the link to set my router password. It did set the password to a new password.

In my dealings with the Westell router... It asks that I set the password when it's initially set up - so I set it. Then after that, I must enter a password to do anything at all in the settings. Now this IHA things tells me to set the password. The password is already ser to a value that the IHA doesn't know about, yet it sets it again to a new value.

I asked tech support how can the IHA do this. The router itself denies me changing anything until I first enter the password. The tech 'specialist' says that 'somehow', it knows the old password even though I never told the IHA what the existing password was.

I summary, security for the router is non-existant! Somehow, Verison gets in and monkeys with the settings of the router without even knowing the password. So Verizon has a back door in the router that they are no telling us about. This is pretty bad and only shows how little security our PCs have when attached to the router.

For extra security, I place all my PCs behind another personal firewall so as to protect it from the non-existent security of this Westell router the Verizon supplies.

Verizon can do whatever the hell they want to the STBs and the Westell piece of junk. But they can't get into my LAN by usurping this so-called security provided by the Verizon supplied router.

Comments

spacedebris

The IHA didnt know your password. It simply had verizon send the reset command to reset the password to default and then change the password so that the IHA would then know the password. Both the Westel and the Actiontec have an option in the "advanced" settings which allows for remote access. Unless you go in and disable this function it allows Verizon to be able to remotely reset your router for you. The IHA is a tool that, for troubleshooting purposes, needs access to your router. Therefor when you install IHA it needs to know your router password. If your router already has a password, it resets it so that the IHA can then set the password again and know it for future troubleshooting. If you go in and disable that remote reset funtion, then IHA will be unable to do that. But without access to the router, it has limited troubleshooting possiblities. Other than the remote access for Verizon, the routers security software is typical of most routers on the market.

Merthiolate

@spacedebris wrote:
The IHA didnt know your password. It simply had verizon send the reset command to reset the password to default and then change the password so that the IHA would then know the password. Both the Westel and the Actiontec have an option in the "advanced" settings which allows for remote access. Unless you go in and disable this function it allows Verizon to be able to remotely reset your router for you. The IHA is a tool that, for troubleshooting purposes, needs access to your router. Therefor when you install IHA it needs to know your router password. If your router already has a password, it resets it so that the IHA can then set the password again and know it for future troubleshooting. If you go in and disable that remote reset funtion, then IHA will be unable to do that. But without access to the router, it has limited troubleshooting possiblities. Other than the remote access for Verizon, the routers security software is typical of most routers on the market.

If that was the case, then why was my custom password for the router still the password that I use to access the router?

Merthiolate

@spacedebris wrote:
The IHA didnt know your password. It simply had verizon send the reset command to reset the password to default and then change the password so that the IHA would then know the password. Both the Westel and the Actiontec have an option in the "advanced" settings which allows for remote access. Unless you go in and disable this function it allows Verizon to be able to remotely reset your router for you. The IHA is a tool that, for troubleshooting purposes, needs access to your router. Therefor when you install IHA it needs to know your router password. If your router already has a password, it resets it so that the IHA can then set the password again and know it for future troubleshooting. If you go in and disable that remote reset funtion, then IHA will be unable to do that. But without access to the router, it has limited troubleshooting possiblities. Other than the remote access for Verizon, the routers security software is typical of most routers on the market.

spacedebris, you say in your reply, "If you go in and disable that remote reset funtion [sic], then IHA will be unable to do that. But without access to the router".... how do I do that? I don't you guys fiddling about with my router settings on a willy-nilly basis. If access is needed, I want to first be informed of your intent. Then, if you want in, I'll just manually reset everything to default by pushing the reset button. Also, I don't use IHA as I run linux on my LAN. I did load up a Windows XP just to to try IHA but I saw no benefit of having it.

Merthiolate

repost because of word omission:

spacedebris, you say in your reply, "If you go in and disable that remote reset funtion [sic], then IHA will be unable to do that. But without access to the router"

How do I do that? I don't want you guys fiddling about with my router settings on a willy-nilly basis. If access is needed, I want to first be informed of your intent. Then, if you need in for some reason, I'll just manually reset everything to default by pushing the reset button.

Also, I don't use IHA as I run linux on my LAN. I did load up a Windows XP just to to try IHA but I saw no benefit of having it.

Merth

viafax999

You appear to be of the belief that a password used to protect browser access to the router firmware is the only way to get to that firmware.

As VZ wrote the firmware and also the software for the IHA then there is nothing stopping them having written code in the IHA that talks directly to a custom built IHA backdoor in the firmware on the device at 192.168.1.1. If that is the way they do it removing the IHA kills part of the threat but the backdoor is still there. Unfortunately a lot of companies do have procedures such as this and so you are somewhat at the mercy of their security in protecting their source code and also that they wrote their backdoors in such a way that they are tamperproof Smiley Very Happy

If this is in fact how the IHA accomplished what you described then the positive side is that it probably can only be accomplished by code on the inside of your network unless you have activated port forwarding to your router address.

Child Item