Bad ISP OpSec

by JavinZ (zuckonit)

A lot of popular ISPs (Comcast, AT&T, Verizon) plus countless others have fantastic security - but a noticeable flaw is the default password for customers.  You can easily see what these passwords are by finding them on the ISPs' websites or by scavenging forums online to find them.  Do ISPs care about this?  No.  They are just there to make money from the customer.

I will mostly look at Canadian ISPs because they are very close to me.  Two noticeable ISPs are Access and SaskTel.  One quick look on their websites allows you to find what their default passwords are, allowing you to brute-force accounts with a notorious program named Hashcat.  You can easily find out what provider people have from their access point name.  A lot of ISPs do this, like Access (Example: Access254).

The default password for Access is a random 21-character-length alphanumeric string.  If you have a good GPU and CPU, you can crack the password in no time.  But for basic users, it would take quite a while.

A worse example is SaskTel, whose default password still can be easily found on their website.  SaskTel is unique in that they have the default password as their home phone number.  Yes, that's right, their default is the home phone number.  Now, if you know the area code for your province or region, you can easily brute-force it in no time with Hashcat.  For me, it took 48 seconds to brute-force a SaskTel AP and have access to the devices on the network and, to make it worse, they left the admin panel with the same password as their AP!

If someone is inexperienced in computer security and hacking, and isn't aware of the consequences of leaving stuff with the default password, a lot of bad things can happen to their network without them knowing.

It's always good to change the password on your AP to something strong so nothing like this can happen.  Will your ISP help you if you were hacked?  Sure!  But they won't learn from their simple mistakes.