Watch Out for Undocumented Sagem ADSL Modem/Router Features

One of my customers changed their ISP in Australia recently.

The new ISP is one of the two largest telecoms on this continent (let's not name them here).

As part of the new service, my customer received a new ADSL2+ modem/router, a Sagem F@ST3864V2.

During a security audit, several things worried me:

1. Web-based access to the management console of the ADSL2+ modem was enabled from the local subnet without a login screen. Anybody on the local subnet at the customer's site could gain access to the web interface unless another firewall or router was used.

2. There was no option to change or reset the factory-default accounts (including the administrator account), neither from within the web interface nor from the CLI. None of the standard well-known passwords from other Sagem ADSL modems worked (I know all of them, as I have worked with many of those modems).

3. I contacted the telecom's helpdesk and, after about two days of effort, received confirmation that my concerns were indeed justified, but that the telecom could not help further as the modem had come from the manufacturer.

4. I was referred to Sagem's helpdesk. Sagem promised to provide a workaround for resetting the passwords, but that never happened.
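The first finding above is the one you can verify mechanically from any host on the LAN: does a plain GET to the modem's management root come back as the configuration UI, or as an authentication challenge? The script below is an added example written for this post, not a tool from the author or from Sagem. It probes a host and classifies the answer, and it ships with two in-process HTTP servers that are constructed stand-ins for a modem (one behaving like the device described above, one issuing an HTTP Basic challenge first) so it runs offline. The function names, the marker words used to recognise a management page, and the assumption that a redirect to a path containing "login" counts as protected are all my own choices.

```python
"""Added audit helper: does a router's web management UI answer an
unauthenticated GET from the LAN with the management page itself, or with
an authentication challenge? Names are hypothetical; the two in-process
servers below are constructed stand-ins for a modem, not the real device."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Words that normally appear only once you are past the login (assumption).
MANAGEMENT_MARKERS = ("wan", "dsl", "firmware", "wireless", "port forward", "lan setup")


def classify_response(status, headers, body):
    """Classify one GET on the management root.

    headers: dict with lower-case keys. Returns 'auth_required', 'exposed'
    or 'unknown'; 'unknown' means a human should look at the page."""
    if status in (401, 407) or "www-authenticate" in headers:
        return "auth_required"
    if status in (301, 302, 303, 307, 308):
        # A redirect to a login page is fine; any other redirect needs a look.
        return "auth_required" if "login" in headers.get("location", "").lower() else "unknown"
    if status == 200:
        text = body.lower()
        if "<form" in text and 'type="password"' in text:
            return "auth_required"   # the root page is itself a login form
        if any(marker in text for marker in MANAGEMENT_MARKERS):
            return "exposed"         # configuration UI served with no challenge
    return "unknown"


def probe(host, port, path="/", timeout=3):
    """GET the management root of host:port and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("utf-8", "replace")
        return classify_response(resp.status, headers, body)
    finally:
        conn.close()


# --- constructed stand-ins for the device under test -----------------------
OPEN_PAGE = (b"<html><title>Router Status</title><body><h1>Device Info</h1>"
             b"<a href='wan.html'>WAN Setup</a> Firmware: 1.0</body></html>")


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo silent
        pass


class OpenHandler(_Quiet):
    """Behaves like the modem in the post: management page, no login."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(OPEN_PAGE)


class ProtectedHandler(_Quiet):
    """What a sane default looks like: an HTTP Basic challenge first."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()
        self.wfile.write(b"Unauthorized")


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0 = ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe both stand-ins and return their classifications by name."""
    results = {}
    for name, handler in (("open", OpenHandler), ("protected", ProtectedHandler)):
        srv = _serve(handler)
        try:
            results[name] = probe("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real device you would call `probe("192.168.1.1", 80)` from a machine on the LAN; an "exposed" verdict is exactly the condition in finding 1, and a result of "unknown" (for example a redirect to an unexpected page) is a prompt to open the page in a browser rather than a clean bill of health.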

Executive summary of the solution I chose:

To protect my customer, I removed the original ADSL2+ modem/router and replaced it with one from a brand and vendor that allowed a more secure setup.