Just like the other idea ... can't agree with you here. What Verizon did in this particularly instance is close a publicize security hole which would let attackers get into individuals modems and reconfigure them -- including doing things like repoint the DNS services to a malicious server which would transparently redirect all traffic in your home network to malicious sites (transparently grabbing information in the process).

In this particular instance -- I think they took a measured approach to close an open window which had a huge data privacy issue attached.   They let people know what they did and told them exactly how to get the information they needed to know.  Minor inconvenience to remove a major headache.

Now ... should have Verizon adopted this practice of using a poor password in the first place?  No.   Should they immediately correct the practice with their installers in the field?  Yes.  Should they have left a data privacy issue wide open on home networks where many users never access their router for any reason (a very small percentage of people ever go tampering with their router)?  No. 

I can imagine the headlines if this exploit had been leveraged enmass and thousands of Verizon customers computer traffic was hijacked and information compromised -- and Verizon knew about the vulnerability and had the ability to fix it and instead did nothing except tell users: "please change your password". 

Sorry ... gotta support Verizon on this one.

But is not access for outside management of the router blocked by default regardless of the password? I know the Verizon CPE tool can access the router even if remote admin is disabled. So That is the biggest hole. I know that for a fact. I had remote admin disabled during a support session and a tech port forwarded to one of my PCs. That ^&%&^% me off. He said he was trying to see if I had their software loaded. I did not give him permission and he was only working on a set top box (DVR) issue. I do not use the Verizon router as my primary firewall for good reason. There are back doors!

Not sure if the mod's want discussion here ... but this specific hack works by exploiting a web hack to cause your local browser to redirect itself to the router's IP address and using the default credentials programs it to change the DNS servers to point to a malicious set of servers.   Commonly referred to as a DNS rebinding attack.

It specifically relies on your browser to do the dirty work using default credentials and requires no "inbound" access from outside the network.

Yep That is probably something not good to discuss here. Yep I didn't think of it that way, so it would be like the are on your PC and coming at the router from the inside. I could see more damage that way if your system is compromised. At that point the router might not as well be there. Changing the DNS is just a way to make it worse.

I will do more reading up on it. Your PC would need to be compromized then?

Nope.   No compromise of the PC needed initially.   Essentially it's a malicious website that crafts a redirect URL that redirects your browser to your router IP address and embedded in that URL is the necessary information to login into the router (default credentials) and the HTML post information to alter the DNS settings.

I won't go into the specifics of how you get it to all to work here since that would be a TOS issue (one of my many professional hats is understanding these exploits so as to defend against them in an enterprise setting), but I'll give a high level scenario of how it does the damage.

Once the DNS settings are changed and local system picks them up -- every address lookup your machine does after that will go against the malicious DNS servers.

These servers could return bogus IP addresses.  IP addresses to infected sites which subsequently try to infect your machines -or- sites which masquarade as the "real" site and present the usual login boxes, etc. and get you to type in your credentials (at which point they have your info and can transparently pass you thru to the real site so you don't suspect anything has happened -- later they can use your credentials, so to get into a webmail account not using HTTPS -- and then do things like request password resets on typical accounts you might have with services like Paypal, etc. -- which send the reset link to your email -- and then use that reset account to do malicious things like drain your bank account).   All without infecting your PC.    Read about a "DNS Rebinding" attack on various security sites and you'll get a better sense of what this "default password" scenario can allow to happen.

The "creative" part here is since the "attack" launches from your browser, no external access (inbound port forwarded) is needed to get the ball rolling.    Certain routers aren't vulnerable because they may require multi-tiered interaction to get changes to take effect.

PM me if you'd like have a more in-depth discussion on the topic from a professional perspective.

#1 So, what are you guys/gals saying?

The only way users can opt out of Verizon Security Updates is to put the Verizon router into bridge mode (For DSL users), and use their own router?

If so, nice going.

a) No tech support from Verizon.

b) If an user wanted to get access to the router that is in bridge so this Verizon router only has one LAN port, the user would have to follow http://www.dslreports.com/faq/7267

If I they do not have a Hub/unmanaged switch and they not using a Linksys, they would have to find out the Alternate Method for their router.

#2 While I am not on FIOS, I point to http://www.dslreports.com/faq/16077 - covers different options and trade offs.

#3 What is the harm of not changing the password to a router that is in bridge mode?

a) I followed http://www.dslreports.com/faq/13600 to get my Verizon router in bridge mode.

b) I see the directions that are at http://www22.verizon.com/ResidentialHelp/HighSpeed/Networking/SetUp/Security/128346.htm to change the password for my router.

Others for DSL, are located at http://www22.verizon.com/ResidentialHelp/HighSpeed/Networking/SetUp/Security/128346.htm

For FIOS, the directions are at http://www22.verizon.com/ResidentialHelp/FiOSInternet/Networking/Setup/Security/128347.htm

---

Note: My Verizon router only has one LAN port to it, and ATM (at the moment) I do not have a device (no hub/unmanaged switch) that is connected between it and my RJ-45 WAN port router.

PS. Can you PM me too since I like have a more in-depth discussion on the topic from a professional perspective?

Please and thanks