Home routers co-opted into self-sustaining DDoS botnet

so how do you identify a hacked device? Thats the key bit of - missing - info

BT with the stickers

I would like to know how BT, Plusnet and others that supply handy credit sized cards, stickers or in the case of BT a plastic thingy that you can pull out of the wifi router would respond to this ?

Do I really need to tell my customers, family etc to throw all those handy reminders away and change the passwords? I don't know anyone that has changed then from default because the cards etc are Just there and (the assumption is that they are unique) easy to access.

What happens if the isp 'looses' the details ? They will have a record of them or maybe the company that prints the stickers will etc.

Possibility

RE: Class Action

This is probably only specific to the US (because that's the legal system I "know") but the best way to do it would be to remote kill the US based rogue routers remotely and force the manufacturers to replace the equipment *and* refund the original MSRP of the device. The replacement routers should stop setup at "change admin password" screen and not allow internet connectivity until the password was changed to something with a base level of complexity - which is how they should be sent out to start with.

I know this would dramatically increase the calls to support and returns of product because people are too stupid to RTF setup instructions, but we all have to take responsibility for the parts we played in what the internet has become.

This all happens because

they are hardware vendors and this is how they make their money. Writing and maintaining software is a waste of time for them.

Sky

Do Sky still ship all of their routers with the default sky username and password?

To correct my own post above - I'd forgotten, like Leeroy pointed out, that BT do indeed ship what appears to be an individually printed set of details.

it’s going to be damn near impossible for the home user to recover

Wow. Some things Orange (France) got right!

Switching on while pressing the reset button (or something like that) starts an emergency bootloader to download and flash the main firmware.

While WiFi is active out of the box, the non-hotspot side uses either a long security key or WPS but in either case even with the right password you need to press the WiFi button before a device will be accepted (though I wonder if you could trick the box by faking a MAC?).

It used to be that the default way to the admin console was "admin" and "admin"; this has now changed to be "admin" and some part of your WiFi security key (the default being specific to each box). I should point out that this is user side admin. There is no root access. The original Livebox had an open telnet server with the root password being something dumb like 1234 but that got stamped upon pretty quickly. As far as I'm aware there is no way in now even if you hook up a serial connection internally; it may even be that the root password changes with each box?

Countermeasures

Routers etc. should have an effective "revert to factory" mechanism. At a minimum, this requires a switch that will boot (from uncompromisable ROM) a program that will rewrite the device's flash. Two options. One, to a ROM copy of the firmware with which the device was originally shipped. The other, to download updated and securely signed firmware from the manufacturer's site.

Then when an issue like this arises, tell home users to reload their firmware by using a physical button on the box.

Note, "reset to factory" as usually implemented is the exact opposite of what I'm suggesting. It normally resets the configuration data to factory, while leaving the code unchanged. One should be able to reset the code, while leaving the configuration data alone.