Time Warner Cable today rolled out a temporary patch for a security hole discovered by blogger David Chen. While helping a friend change the Wi-Fi settings on their SMC8014 series cable modem/Wi-Fi router combo, Chen noticed that the web admin for the router simply uses a script to hide certain menu options when the user does not have admin privileges.
"By simply disabling Javascript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.," writes Chen.
The software engineer and founder of social communications platform start-up, Pip.io, goes on to say this opened up access to a "Back Up Configuration File." With just one click, Chen reports that a text dump of the router's configurations was saved to his desktop and in there, was the login in and password in plaintext. So that's it, right? I mean, there's nothing else, is there? Wrong. Wired reports that Chen discovered the same login details could be used to access every router in the SMC8014 series on Time Warner’s network.
"Another issue which was alarming was the fact that, by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack."
David says he contacted TWC's security department to warn the company and was told, “We are aware of it but we cannot do anything about it."
According to CNet the company has rolled out a temporary patch and is testing a permanent fix for the problem. It's nice to see that Time Warner Cable changed its tune.