Question Could a router randomly change its custom WiFi & admin passwords w/o being hacked?

IWTsNotGreen

Commendable
May 2, 2019
11
0
1,510
Is there a circumstance where a DSL modem/router (Actiontec PK5000) could - without being hacked - block access via both the custom admin logon and SSID password? In other words, it had all the symptoms of changed passwords without undergoing a reset.

Hacking was my immediate conclusion but the owner doesn't "want to believe" a family member or worker in their house may have done it. The owner keeps a printed password list in a file-drawer, which could have theoretically been found. I'm now trying to convince them that they should change other passwords as a precaution (not so easy, long story).

If the device had been reset, the default SSID should have reappeared and a generic admin logon should have worked. I tried all standard passwords to no avail, including the factory sticker WiFi password. I didn't know earlier about command lines that can show the cached WiFi password (would have tried that first). The wired LAN connection never stopped working.

I ended up doing a manual reset and it works fine again. Just trying to learn what technical glitch might have caused this if there was no foul play. Thanks.


The system is Windows 10 on an i5 quad-core AMD Desktop PC made in 2018 (lack full specs at the moment) but that may be irrelevant to the issue. The modem/router itself is at least 5 years old and never did anything odd before.
 
I would agree with you, someone Changed it. Not necessarily hacked, if they knew the password in a drawer, but it was changed.

If you RESET it, did you get the same Default Passwords? If so, then it was manually changed.
Maybe there is a log in the router, I don't know that router, but some do log changes.
 

IWTsNotGreen


Yes, the reset was perfectly normal, all defaults returned. I'm using the word "hack" loosely to cover someone finding the password with ease, who didn't tell anyone what they did.
 

IWTsNotGreen

Could have been hacked, but most likely somebody with physical access to the router modified it.

As noted to another respondent, my use of "hacked" includes someone snooping to find the password vs. only a skilled breach.

Without human intervention, those passwords would presumably have to be stored in a discrete bank that was corrupted while other saved settings weren't.
 

mitchd123

Honorable
Apr 30, 2014
8
2
10,515
The hack didn't have to come from the inside. Slim chance, but some networking devices have unpublished back doors, and alternative usernames which allow the network provider the ability to remotely change things. Suggest you get the latest firmware for the device, to eliminate as many security holes as possible.

For example, the Netgear N450 cable model had an unpublished administrative username, MSO, with a password of changeme. This username was undocumented at the consumer level. You could actually go in and change the password, IF you knew the account existed.
 

IWTsNotGreen


Worth looking into. How would one find those hidden doors? Some details on this router model are elusive (Qwest-branded originally, then bought by CenturyLink). It seems to have the latest firmware and looks discontinued now. I do know that remote access (the legit kind) was disabled all along.
 

Having UPnP or remote administration on is a good way to get hacked from outside.

But I agree with the majority of sentiment. Most likely someone inside the house is resetting the network.

A SMALL possibility is someone hacked your WiFi, which is easy to do even with WPA encryption. But that's easy to tell because you'll see someone on your DHCP table that you don't recognize. Even if they piggybacked on your WiFi, they won't have the admin password to the router and they would have to guess that also. (Unless you log in to the router on a non-encrypted webpage.) The script kiddies that know how to do this sort of thing are << 1% of the general population. We're talking 1% of the 1%.

First thing to do is see if your router has logs and see what's going on.
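
The DHCP-table check suggested in the post above, as an added example that is not part of the original thread: it compares a lease table copied from the router's client page against a list of devices the household owns. The column layout, the sample rows, the known-device list and the function names are all constructed for illustration; the PK5000's actual page may look different.

```python
import re

# Constructed sample: text copied from a router's DHCP client list.
# The layout (hostname, IP, MAC, lease time) is an assumption.
SAMPLE_LEASES = """\
Hostname        IP Address      MAC Address         Lease
office-pc       192.168.0.2     00:1A:2B:3C:4D:5E   23:10:05
living-room-tv  192.168.0.3     00-1a-2b-aa-bb-cc   12:44:51
*               192.168.0.7     DA:A1:19:00:11:22   00:58:30
android-7f3     192.168.0.9     3C:5A:B4:01:02:03   05:02:11
"""

# Constructed inventory of devices the owner recognizes, keyed by MAC.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "office PC",
    "00:1a:2b:aa:bb:cc": "living room TV",
}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Lower-case and use ':' so 00-1A-... and 00:1a:... compare equal."""
    return mac.lower().replace("-", ":")


def is_locally_administered(mac):
    """True when the locally-administered bit of the first octet is set.
    Phones using per-network private addresses show up this way, so a
    household phone can look 'unknown' until its private MAC is listed."""
    return bool(int(mac[:2], 16) & 0x02)


def find_unknown(lease_text, known):
    """Return (ip, mac, locally_administered) for leases not in `known`."""
    unknown = []
    for line in lease_text.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:          # header or blank line
            continue
        mac = normalize_mac(mac_match.group(1))
        if mac in known:
            continue
        ip_match = IP_RE.search(line)
        ip = ip_match.group(1) if ip_match else None
        unknown.append((ip, mac, is_locally_administered(mac)))
    return unknown


if __name__ == "__main__":
    for ip, mac, private in find_unknown(SAMPLE_LEASES, KNOWN_DEVICES):
        print(ip, mac, "private/randomized MAC" if private else "vendor MAC")
```

A client configured with a static address never requests a lease, so an empty result only shows that no unrecognized device asked the router for an address.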
 

IWTsNotGreen


Well, I could never log in as admin to see those logs, so knowledge was limited. Are they ever cached somewhere outside the router?

Wish I'd known of command lines to check the existing WiFi password (found out later). I tend to think they just got the password in a printed file because the main suspect isn't all that computer-savvy. The whole thing is probably too speculative now, since the router was reset.
 
