Hi everyone, today I discovered that there is a hidden super user account on the Archer VR1600v. This is extremely concerning as it is not documented in the manual at all. For those who would like to know what it is, please see below:
My question is, when will TPG provide a patch for this vulnerability?
Confirmed on Firmware Version:0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n
Security by obscurity is no security at all! Hiding it doesn't make it more secure, basic IT Security 101. Proof, our TPG modem got hacked by African scammers, who obviously don't work at TPG.
This is a big security hole and the reason we got a TPG bill for $2000 of international phone calls to Senegal. TPG played dumb and pretended they didn't know how this could happen, but we traced IP addresses to overseas, so obviously not us. TPG users don't have access to SIP login details, so no way they could call from Senegal. Internode used to give out SIP details and we could use them on a mobile SIP app, but TPG made the stupid decision of hiding them in the modem, and allowing the whole world to access them with a Superuser password. This is negligent and the ACCC need to investigate such behaviour from TPG. The reason the superuser password is enabled is to allow TPG to remote login and diagnose and update, notwithstanding the security risk it creates for its customers.
Hi BasilDV and other TPG admins,
This is an unacceptable vulnerability that exists in the routers that you have forced your users to accept. This should be addressed immediately for the security of your users, especially those that may be operating a small business, but also your regular home users.
Can I please have acknowledgement of this issue and assurance that it is being addressed by your tech team as a matter of urgency? There is no legitimate reason a 'secret' user account should exist on my modem. If you believe there is one, please let us know why. However, from my point of view, any potential benefits are far outweighed by the implication of an unsecure administrator account.
Neither of the above users or passwords log into my modem anymore. I changed the users and passwords in the administration settings, but that works for individuals when they know the problem - the resolution requires action by the tech team to push out changes to all users.
Can you confirm if there are any other hidden users that TPG has created on the modems and what the passwords are so that I can remove them?