Example of an Insecure ISP: Yoigo (Spain)
Exceptionally, this article is written in two languages... in the hope that some people at Yoigo can read it and act!
Read in Spanish (Castellano)
I originally didn't think I would publish this article, but a 180€ bill made me change my mind: a 180€ bill for the installation costs of a service I decided to cancel after 3 days because of security concerns!
As I promised them: if I got a bill, I would share my concerns \o/
3 days ago, I arrived at my holiday home in Spain, firmly intending to understand why I could no longer access it from the outside world.
Conclusion: Movistar had upgraded the router firmware, resetting it to factory defaults in the process... bye bye address range, bye bye DMZ, bye bye port forwarding.
After one hour trying to reach a human to ask them not to do that again, I called a competitor, who offered to install the next day \o/!
Why not change? After all, if you can't get your phone company on the phone, there might be an issue!
The day before yesterday, Yoigo came to install my new internet connection.
Internet was fast, perfect image on the TV, ... All is good right?
So, first things first: let's put my firewall in the DMZ to get my services back online...
Done! ... nothing's working...
I had just had my first encounter with CGNAT (Carrier Grade NAT). Basically, while it looks as if my router has a publicly reachable IP, it doesn't: it has an address in the 100.x range (the 100.64.0.0/10 shared address space ISPs use for CGNAT), which does not match the public IP I get when I dig...
In 2022, some ISPs would still rather implement CGNAT than IPv6. How long will this masquerade go on?
One phone call (it is easy to reach a human being) and a router restart the next day, and I finally have a public IP to myself; my services work again. Support is available by phone!
While browsing through the router's interface, I found it interesting that Yoigo enables external access to the router by default, with a login/password of 1234/1234. The security guru at Yoigo knows that customers are safe behind CGNAT [sic].
I tried to report this to Yoigo several times, and it does not seem to be considered an issue...
Not only was I already out of CGNAT when I realised this flaw, but it might be illegal to connect to another user's modem, so I didn't try to connect to other IPs with these credentials and don't know whether it works in practice.
These default configuration settings are a delight for ill-intentioned people:
- External access to the router configuration would already be susceptible to brute force (and 1234/1234 makes it even easier)
- The 1234/1234 default means that malware running on any host of the internal network can wreak havoc in my network.
While changing the password and disabling external access are trivial, my experience tells me that only a few customers change those settings once the TV and YouTube are working... I would be ashamed if I ever shipped a device with such default settings: it is nothing but a time bomb!
I then decided to change the internal range of the router, to avoid having the same 192.168.1.X range at all my places. Here came (I hope) my last surprise with Yoigo, as the (very well coded) router kept telling DHCP clients that their DNS server was 192.168.1.1.
I told the router it was 192.168.3.1, but it just ignores my directive; I suspect a hardcoded value somewhere...
Not that it really matters to me in networking terms... my unbound does the job better than their DNS... but between CGNAT, disastrous default parameters and hardcoded values in the router's firmware, I have somehow lost confidence in Yoigo's ability to run a secure network.
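As an added illustration (not the author's code, and not read from a real Yoigo device), a small self-audit that encodes the three problems above: a WAN address in the CGNAT pool, factory 1234/1234 credentials with remote administration on, and a DHCP-advertised DNS server left on the old subnet. The router field names and the sample addresses are constructed assumptions.

```python
import ipaddress

# RFC 6598 shared address space: the "100.x" WAN addresses handed out behind CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Factory credentials the post reports on the Yoigo router; add other vendors' defaults here.
DEFAULT_CREDS = {("1234", "1234")}

def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Say whether inbound connections (DMZ, port forwarding) can reach this router."""
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT_NET:
        return "cgnat"        # shared ISP pool: nobody outside can initiate a connection
    if any(wan in net for net in RFC1918):
        return "double-nat"   # private address: another NAT device sits upstream
    if wan == ipaddress.ip_address(public_ip):
        return "public"       # WAN address is what the internet sees: forwarding works
    return "translated"       # public-looking but not what "dig" shows: NAT in the path

def audit_router(cfg: dict) -> list[str]:
    """Return finding tags for the three problems described in the post."""
    findings = []
    wan_kind = classify_wan(cfg["wan_ip"], cfg["public_ip"])
    if wan_kind != "public":
        findings.append(f"no-inbound:{wan_kind}")
    if (cfg["admin_user"], cfg["admin_pass"]) in DEFAULT_CREDS:
        findings.append("default-admin-credentials")
    if cfg["remote_admin"]:
        findings.append("remote-admin-enabled")
    # A private DNS address outside the LAN subnet (a stale 192.168.1.1 after renumbering
    # to 192.168.3.0/24, as in the post) is unreachable for every DHCP client.
    dns = ipaddress.ip_address(cfg["dhcp_dns"])
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    if any(dns in net for net in RFC1918) and dns not in lan:
        findings.append(f"dhcp-dns-unreachable:{cfg['dhcp_dns']}")
    return findings

# Constructed sample values (hypothetical field names, not read from a real device).
AS_DELIVERED = {
    "wan_ip": "100.64.10.20", "public_ip": "203.0.113.7",
    "admin_user": "1234", "admin_pass": "1234", "remote_admin": True,
    "lan_subnet": "192.168.3.0/24", "dhcp_dns": "192.168.1.1",
}
# Same router once the ISP moved it out of CGNAT and the owner changed the settings.
HARDENED = {**AS_DELIVERED, "wan_ip": "203.0.113.7", "admin_pass": "long-unique-passphrase",
            "remote_admin": False, "dhcp_dns": "192.168.3.1"}

if __name__ == "__main__":
    for name, cfg in (("as delivered", AS_DELIVERED), ("hardened", HARDENED)):
        print(f"{name}: {audit_router(cfg) or ['no findings']}")
```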
Last but not least: I spent 2 hours on the phone with Yoigo, and all the operators I talked to were polite and did their job well. I don't expect the average call centre agent to understand firmware or address-range issues, but I would have hoped there was a way to report the issues to someone competent. Their tests on the line show that everything is working fine, so there is no way to open a ticket...
It seems clear to me that the root of the issue lies with Yoigo's management: they have NO networking knowledge, and either they are not capable of hiring competent network administrators or they are not listening to their advice.
At this point, I would tend to recommend avoiding this company, which is a pity given how easy it is to reach their support by phone (compared to their competitors)!