Hack TM Unifi: In case you’ve lost your default password

There’s a lot of documentation online on how to hack your neighbours Wi-Fi, but sometimes you need to hack your own system. Usually its because you’ve change your router password and forgot it completely, leaving you in the cold desolate place we like to call “No router land”.

Don’t fear though, its actually pretty darn easy to hack your standard Dlink Dir-615 router (pictured above) that came stock with your Unifi subscription. Make no mistake, the router actually has some pretty sleek features, but Telekom Malaysia has a lackadaisical approach to security that makes hacking this router merely google searches away.

The default Unifi access credentials are:

Username : admin
Password :

Where the password field is literally left blank, (as it is).

However, if you’re locked out of your Unifi router, here’s a couple of things you could do to get your connection back:

Option 1: Logging in with the Operator account

Most of the time, I recommend you use the admin account to change your Unifi settings, TM themselves admit that they don’t even set a password for this account on their user guide (page 9, 2nd bullet). However, if you’ve changed the password to this account and forgot it, there’s still a 2nd account that is left lurking in the system.

This is the ‘Operator’ account, and actually has more features than the standard ‘Admin’ account. TM have left this here, presumably for support purposes, but quite frankly, they shouldn’t. It’s like your house contractor, keeping a spare key to your home for ‘support’ purposes, it’s just not good security.

Fortunately though, if you’ve just changed the ‘Admin’ password, you’ve still got a chance to go back into your router and set things up correctly, just logon with the Operator account using one of the following credentials:

Username: Management
Password: TestingR2

Username : operator
Password : h566UniFi

Username : operator
Password : telekom

Username : operator
Password : <your Unifi username in reverse order>

Needless to say, please change the operator password once you’ve logged on, and remember it wisely this time.

Option 2: Hack the Dlink Dir 615 router

This options isn’t as hard as it might seem. For those running a router with a firmware version of 7.09 and below, there is a well documented vulnerability on the Dlink Dir-615 router that enables you to access your router without even knowing the username or password. To do so, just enter the url below;

http://192.168.0.1/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0

For more info on the vulnerability check out this link here. The vulnerability is called an authentication bypass, and literally allows you to access the router with no credentials at all! You can visit any page from the router menu, by just adding the “?NO_NEED_AUTH=1&AUTH_GROUP=0” to the end of the link.

Option 3: The one that will always work

*Edited 5-Dec-2013*

I’m really scared of this one. As from my checks with a couple of Shodan searches ALL Unifi routers are susceptible to this attack. All you need to do this is visit this link:

http://192.168.0.1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

And you’ll see in plain-freaking-text, your unifi routers username and password, for both the admin and operator/management accounts.

Thanks to use_the_source_luke from this bugtraq post.

This is all public information at this point and you deserve to know that your unifi router is insecure. So get out there and buy a new router already.

*end edit*

Out of Options

There are other vulnerabilities on the Dlink router, including the famous config.bin password hack, however, from my checks, most Unifi routers are already patched with the fix for that. Leaving the above two options your only hope. If you really are out of options, you can always purchase a new router for your Unifi connection (I recommend the Asus RT-N12C1 or the Asus RT-N12HP)

However, you made need to call TM for your Unifi Password.

How to secure your Unifi router

It’s also important to learn how to secure your router, the first bit is easy. Change the passwords, TM have a really bad habit of setting the router password to blank, meaning there literally is NO PASSWORD!!

Needless to say, that’s bad security. What’s even worse is the average customer isn’t aware of the operator account which is left on the system with default passwords as well. From my quick checks, about 50% of people don’t change they’re router Admin passwords, and nearly 99% of people haven’t changed their operator password. You can’t really blame them, they didn’t know the operator account was there in the first place. So basically 99 times out of a 100, you’ll be able to ‘hack’ your unifi router using nothing but default passwords.

Securing the router, first and foremost requires that you change the passwords from their default values.

Secondly, if you’re using a firmware version of 7.09 and below, it’s time to upgrade your firmware. Upgrading your router firmware is actually pretty common stuff, there are entire websites that are dedicated to documenting router vulnerabilities, not for hackers, but security research–and this concept actually helps make our everyday appliances more secure.

Conclusion

A lot of people have locked themselves out of their home routers, so hopefully this post helps. However, because TM have such a bad stance against security, it also means that if you don’t take the necessary precautions, you could be on the wrong end of an attack.

Remember to stay safe and secure, securing your router is as important as securing your front door.