[OP here] Just some minor follow up:
- The tech was able to swap out their RG with the modem-only one that I had sent (after making a couple of phone calls). It didn't seem like they could provision a user-supplied modem remotely for some reason, but it also sounded like maybe this wasn't something they normally do, if ever.
- The outgoing RG was an Evolution Digital EVO3000GW. The screenshots that dropped were meant to show me attempting an admin password change, and it not letting me.
- AFAIK, no WAN ports were open, but UPnP was on by default. I neglected to do a port scan on the WAN port before the equipment swap, but that probably would've been prudent.
- Sorry for not being clear about this before, but I'm fairly remote (~5-hour drive), so my mom was acting as remote [somewhat arthritic] hands in all this.
- Since I'm remote, I had previously sent a Raspberry Pi that is running both Pi-hole (to mitigate the possibility of her or her partner clicking on a malicious ad or pop-up that may compel them to inadvertently connect with a call center scammer again) and ZeroTier. I use ZT to log in to this device, which double NAT breaks, which is why I brought that up. Totally understandable that most average customers don't use this, and a double-NAT situation is probably fine for my mom's demographic. That said, to be sure, the much bigger issue is that they're provisioning CPE with an unchangeable "password."
- I understand that this forum may not be quite the right fit for a post like this, and am looking for others that may be more appropriate. My hope is that this eventually gets to someone at Yondoo, or parent Mid-Atlantic Broadband (AS29914), since something like this probably falls outside of the wheelhouse of their tier 1 support, which was all we could get a hold of.

Thanks to everyone who's responded -- I value all of your input.

Cheers,
Todd

On Wed, Feb 8, 2023 at 5:09 PM Jason R. Rokeach via NANOG <nanog@nanog.org> wrote:

> It’s been a while, but attacks that take advantage of this are (or at least in the past have been) real.
>
> https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html
> https://www.digitaltrends.com/web/javascript-malware-mobile/
>
> I recall when this stuff first started to come out, leaning on RG vendors to fix their firmware to make their default passwords unpredictable based on information readily available on the LAN.
> In this case we’re not even talking about taking action this sophisticated… It seems to me that, having a customer willing and ready to secure themselves, preventing them from doing so is wildly inappropriate.
>
> On Wed, Feb 8, 2023 at 7:57 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>
> > I agree, but if we start listing every massive security vulnerability that can be found on the intra-home LAN in consumer-grade routers and home electronics equipment, or things that people operate in their homes with the factory-default passwords, we'd be here all month in a thread with 300 emails.
> >
> > I'm sure this ISP will realize what a silly thing they did if and when some sort of worm or trojan tries a set of default logins/passwords on whatever is the default gateway of the infected PC, and does something like rewrite the IPs entered for DNS servers to send people's web browsing to advertising for porn/casinos/scams, male anatomy enlargement services or something.
> >
> > On Wed, Feb 8, 2023 at 3:28 PM William Herrin <b...@herrin.us> wrote:
> >
> > > On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
> > > > I would hope that this router's admin "password" interface is only accessible from the LAN side.
> > > > This is bad, yes, but not utterly catastrophic.
> > > It means that any compromised device on the LAN can access the router with whatever permissions the password grants. While there are certainly worse security vulnerabilities, I'm reluctant to describe this one as less than catastrophic. Where there's one grossly ignorant security vulnerability there are usually hundreds.
> > >
> > > Regards,
> > > Bill Herrin
> > >
> > > --
> > > For hire. https://bill.herrin.us/resume/
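On the double-NAT point in Todd's follow-up (ZeroTier into the Raspberry Pi stops working when a second NAT sits in front of the user-supplied modem): a quick, offline way to tell which situation you are actually in before asking the ISP for anything. This is an added example, not code from the thread or from any of the vendors mentioned. It assumes you can read the WAN address off the RG's status page and that you know the address the Internet sees for the same connection (from the ZeroTier peer's view or any "what is my IP" lookup). The addresses in SAMPLE_CASES are constructed stand-ins from the documentation ranges, not anything from the OP's network.

```python
import ipaddress

# Address blocks that cannot be a real Internet-facing address on an RG's
# WAN side. Checked explicitly rather than via ip.is_private, because the
# stdlib also flags documentation ranges (e.g. 203.0.113.0/24) as private,
# and those are used below as stand-ins for public addresses.
SPECIAL_BLOCKS = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),        # RFC 6598 carrier-grade NAT space
    "loopback": ("127.0.0.0/8",),
    "link_local": ("169.254.0.0/16",),
}
_NETS = {label: [ipaddress.ip_network(n) for n in nets]
         for label, nets in SPECIAL_BLOCKS.items()}


def classify(addr: str) -> str:
    """Return which special block an IPv4 address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    for label, nets in _NETS.items():
        if any(ip in n for n in nets):
            return label
    return "public"


def nat_diagnosis(router_wan_ip: str, observed_public_ip: str) -> str:
    """Compare the WAN address the RG reports on its status page with the
    address the outside world sees for the same connection.

    Returns one of:
      double-nat   RG's WAN side is RFC 1918: another NAT sits upstream
                   (e.g. an ISP gateway left in router mode in front of it)
      carrier-nat  RG's WAN side is 100.64/10: the ISP itself is NATing you,
                   so swapping the RG will not restore inbound reachability
      invalid-wan  loopback/link-local: the RG has no usable WAN address
      single-nat   RG holds the public address itself; inbound reachability
                   (ZeroTier, port forwards, UPnP) works as expected
      mismatch     RG has a public address but not the one seen outside
    """
    wan_kind = classify(router_wan_ip)
    if wan_kind == "rfc1918":
        return "double-nat"
    if wan_kind == "cgnat":
        return "carrier-nat"
    if wan_kind in ("loopback", "link_local"):
        return "invalid-wan"
    if ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(observed_public_ip):
        return "single-nat"
    return "mismatch"


# Constructed sample inputs (not taken from the thread): each tuple is
# (WAN address shown on the RG status page, address observed externally).
SAMPLE_CASES = [
    ("192.168.1.2", "203.0.113.5"),   # an ISP gateway still routing upstream of the modem
    ("203.0.113.5", "203.0.113.5"),   # the single-NAT setup the OP wanted after the swap
    ("100.64.1.10", "203.0.113.5"),   # CGNAT: no amount of CPE swapping fixes this
]


def run_samples(cases=SAMPLE_CASES):
    """Run nat_diagnosis over a list of cases; returns (wan, seen, verdict) tuples."""
    return [(wan, seen, nat_diagnosis(wan, seen)) for wan, seen in cases]


if __name__ == "__main__":
    for wan, seen, verdict in run_samples():
        print(f"RG WAN {wan:<14} external {seen:<14} -> {verdict}")
```

The carrier-NAT case is the one worth checking before a support call: a user-supplied modem in bridge mode removes the ISP's RG as a NAT hop, but it cannot remove a 100.64/10 address handed out by the ISP's own CGNAT, and a ZeroTier peer behind that will still depend on the relay rather than a direct path.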