Hi, this morning I discovered that someone had made ~150 international phone calls from my TPG NBN Home Phone Account even though I don't even have a home phone handset connected. Digging a bit further I have since discovered that my TPG provided TP-Link Archer VR1600 v2 router has a gigantic security hole as they all have a hard-coded Super User that allows anyone to login to them remotely (provided remote Web Access is enabled, which I needed).
After about 2 seconds of googling I soon found the Super User username & pwd and sure enough, I could remotely login and have full control of the router settings & passwords, including access to all of the Telephony settings. I'm not sure yet, but I'm guessing this is how the international phone calls were made on my account. I tried to change the password for this Super User, however it does not seem to change it as I could still login using the usual Super User password.
I have now switched back to my old router as I don't trust this TP-Link thing anymore.
TPG, what are you going to do about this MASSIVE security vulnerability that I'm guessing affects a large number of your users?
Yes, this is a big security hole and the reason we got a TPG bill for $2000 of international phone calls to Senagal. TPG played dumb and pretended they didn't kow how this could happen, but we traced IP addresses to overseas, so obviously not us. TPG users don't have access to SIP login details, so no way they could call from Senagal. Internode used to give out SIP details and we could use them on a mobile SIP app, but TPG made the stupid decision of hiding them in the modem, and allowing the whole world to access them with a Superuser password. This is negligent and the ACCC need to investigate such behaviour from TPG. The reason the superuser password is enabled is to allow TPG to remote login and diagnose and update, notwithstanding the security risk it creates for its customers.