TPG Community

Archer VR1600v v2 Super User

fowlchicken
Level 2

Hi everyone, today I discovered that there is a hidden super user account on the Archer VR1600v. This is extremely concerning as it is not documented in the manual at all. For those who would like to know what it is, please see below:

 

Username: XX

Password: XXXXXXX

 

My question is, when will TPG provide a patch for this vulnerability?

 

Confirmed on Firmware Version: 0.1.0 0.9.1 v5006.0 Build 190228 Rel.72265n

11 REPLIES
SteveK
Level 5

So you are worried, very concerned about security, and troubled by this 'secret' password...

 

Then publicly post it for the world to see.

 

Great logic..

jamest
Level 2

Security by obscurity is no security at all! Hiding it doesn't make it more secure, basic IT Security 101. Proof, our TPG modem got hacked by African scammers, who obviously don't work at TPG.

 

This is a big security hole and the reason we got a TPG bill for $2000 of international phone calls to Senegal. TPG played dumb and pretended they didn't know how this could happen, but we traced IP addresses to overseas, so obviously not us. TPG users don't have access to SIP login details, so no way they could call from Senegal. Internode used to give out SIP details and we could use them on a mobile SIP app, but TPG made the stupid decision of hiding them in the modem, and allowing the whole world to access them with a Superuser password. This is negligent and the ACCC need to investigate such behaviour from TPG. The reason the superuser password is enabled is to allow TPG to remote login and diagnose and update, notwithstanding the security risk it creates for its customers.

BasilDV
Moderator

Hi @jamest

 

Thanks for raising this to our attention.

We'd like to look into your account for better understanding of the situation.

Please send me a PM with your TPG username or customer ID number to assist you accordingly.

 

How do I private message (PM) in the community

 

BasilDV

bcarfoot03
Level 2

Hi BasilDV and other TPG admins,

 

This is an unacceptable vulnerability that exists in the routers that you have forced your users to accept. This should be addressed immediately for the security of your users, especially those that may be operating a small business, but also your regular home users. 

 

Can I please have acknowledgement of this issue and assurance that it is being addressed by your tech team as a matter of urgency. There is no legitimate reason a 'secret' user account should exist on my modem. If you believe there is one, please let us know why. However, from my point of view any potential benefits are far outweighed by the implication of an unsecure administrator account.

BasilDV
Moderator

Hi @bcarfoot03

 

This has been addressed by our Network Engineers.

 

Have you tried to access the said super user? Please send me a PM with your TPG username or customer ID number to assist you accordingly.

 


BasilDV

bcarfoot03
Level 2

Hi BasilDV,

 

The following username and password were still valid on my modem:

username: su

password: ygDT92!ez7

 

BasilDV
Moderator

Hi @bcarfoot03

 

Just to confirm, you've sent me a PM that you think you have removed the user.

Does it mean that it is not working? How did you remove it?

 

BasilDV

bcarfoot03
Level 2

Neither of the above user or passwords log into my modem anymore. I changed the users and passwords in the administration settings, but that works for individuals when they know the problem - the resolution requires action by the tech team to push out changes to all users. 

 

Can you confirm if there are any other hidden users that TPG has created on the modems and what the passwords are so that I can remove them.

BasilDV
Moderator

Hi @bcarfoot03

 

We can confirm that the issue has been addressed by our Network Engineers.

There shouldn't be any further issues with the modem/router login.

 

BasilDV