The Long Half-Life of a Bad Default
Inside the slow, quiet failure of telnet, factory passwords, and the firmware decisions that shape a decade of consumer devices.
The router on the desk is small, beige, and ten years old. Its plastic case has yellowed in the way of all small beige things from the mid-2010s. On the bottom, in twelve-point type, is a sticker that reads: Username: admin / Password: admin. Below that, a serial number, an FCC ID, and a single line of compliance microprint nobody has ever read. It is unremarkable in every respect, which is exactly the point.
I was given the router by a friend of a friend, a paediatrician in Pune who runs a small clinic out of a rented first-floor office. The clinic had been hit, mildly, by something that asked for two thousand dollars in bitcoin and then, when ignored, went quietly away. The clinic's IT, such as it was, consisted of the router, a printer, two laptops, and a Wi-Fi camera mounted above the reception desk. I came to look at the router.
What I found, in the way these things go, was less a vulnerability than a sediment. Every firmware update the router had ever received, going back to 2014, sat in the device's flash memory like layers of paint in an old house. Each layer had been authored by a different team, at a different company, working from different assumptions about what the device was for. None of them had ever removed the telnet daemon that had been there from the start.