The problems were spelled out by blogger David Chen after he tried to help a friend change some settings on his Time Warner provided SMC8014WG-SI cable modem/router. To anyone with a modest understanding of security his findings will likely be a little surprising.
As with many ISP-provided routers, the Time Warner units disable customer access to a number of advanced features. Shockingly, however, Chen found some important administrative features were still there, and simply masked by Javascript.
By simply disabling Javascript support in his browser he was able to access these additional options, including one which allowed him to print out the device's configuration. That printout included the admin login and password in clear text.
He also came to the realization that this information could be used to hack into any of these routers provided by Time Warner because the web administration interface is enabled.
A Time Warner representative contacted by Wired Magazine's Kim Zetter indicated they "have been working on it."
It's at least a better response than David Chen got when he Contacted the ISP on his friend's behalf. He was told "we are aware of it but we cannot do anything about it."
Written by: Rich Fiscus @ 22 Oct 2009 5:32