Verizon Westell A90

If Verizon was your Internet Service Provider back in April 2011, you probably received an updated Terms of Service (TOS) spelling out several updates to their TOS. And if you are like most users, you likely did not read it or even if you did, you did not pay particular attention to the details.

Somebody brought it to my attention back then, but I was too busy to do anything with it, though one change did strike me as not kosher. Rather than bore you with what I think of ISPs or other companies that provide needed services, here is the part of Verizon’s updated TOS that should make you go, WTF!

The email itself was sent on the April 18 2011, but the updated TOS, as the email notes, was to go into effect on April 19. Which means that Verizon did not even give their subscribers enough time to read the email. That is usually the first sign that they wanted to pull a fast, which they did, and succeeded.

Ok, the email started like this:

Dear Valued Verizon Customer,
Good news! Below please find the description of changes to the Verizon Online Terms of Service (TOS) effective 4/19/11. In particular, Verizon will send emails regarding your account or TOS changes to your designated Primary Email Address on file. What this means to you is that these updates will now be emailed to the account you have marked as Primary on your My Verizon account profile. This will now make it much easier for you to keep up to date on important account-related updates using your Primary email address.

We encourage you to log-in to the Account Profile section at and make sure that you have designated a Primary Email Address. When you do update your Primary Email Address you will receive a confirmation email from Verizon that your email address has been updated. Below you will find information regarding the additional changes to your TOS. We value you as a customer and look forward to continuing to serve you.



That is the nice part. Actually, the whole email was nicely worded, including the part of the TOS that is not so nice. Here is part of the updated TOS that merits special attention:

Effective April 19, 2011 – Important Information Regarding Changes to Your Verizon Online Terms Of Service

As set forth in Section 3 of the Terms of
Service, your continued use of the Service after the effective date of these changes will constitute your agreement to the changes.

3. Home Router Password Changes. Section 10.4 was updated to clarify that Verizon may in limited instances modify administrative passwords for home routers in order to safeguard Internet security and our network, the security and privacy of subscriber information, to comply with the law, and/or to provide, upgrade and maintain service. The administrative password for your home router is used to access the administrative controls for the router and to make changes to your router’s internal settings. We will use reasonable means to notify Subscribers whose home router administrative passwords are changed, which may include email notice to your Primary Email Address and/or an announcement on the My Verizon portal.

Note that the email was sent on April 18, with the new TOS set to go into effect a day after. So no time to read it, but you are told that just using the service after that date signals your consent to the updated TOS.

Related Post:  How to install Oracle JRE on Fedora 20 and use alternatives to switch between it and OpenJDK

The most interesting part is the one about “Home Router Password Changes.” All routers that I have used usually come with a default username and password. If you have used one yourself, which I am sure you have, if you re reading this, the first thing you did after setting it up is change the default password to something more secure. I have always assumed that once that default password has been changed, that no person other than myself can change it.

Related Post:  You'll need to do this after installing Elementary OS 5 Juno

Wrong assumption.

Verizon can change that password. In other to do that, they must have a master password, or as it is known in some circles, a backdoor. To Verizon, it is an administrative password. The only problem is their “administrative password” can unlock your administrative password.


Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Hola! Did you notice that no longer runs network ads?  Yep, no more ads from the usual suspects that track you across the Internet.  But since  I still need to pay to keep the site running, feel free to make a small donation by PayPal.

Subscribe for updates. Trust me, no spam!

Mailchimp Signup Form

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event for 2020.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

5 Responses

  1. They have an administrative port open on the router that you can not turn off that allows them in period. The only way to keep them from signing in to change the passwords which they have done to mine a couple of times it to backup the config which you can do. Set the unit back to factory defaults and login using the default user and password. Restore the config and reset the password. If you want to keep them out all together you have to put an inline firewall and block the port.I believe the port is 4567

    1. Thank you. So they do have a backdoor. An nmap scan of my router showed the following ports:

      80/tcp open http
      443/tcp open https
      4567/tcp open unknown
      8080/tcp open http-proxy
      8443/tcp open https-alt

      When I did that scan several months ago, I wasn’t sure what 4567 was for, but Wikipedia has it down as a Sinatra default server port.

      Time to mess with my FIOS router.

  2. For the longest period of time any form of wireless encryption above 128 bit WEP and MAC filtering were in the support scope of Verizon DSL support. WPA became a request only method about 2 years ago. It’s also within normal scope of support to set the password for the modem to “admin”.

  3. Do you know for a fact that they have a higher priority password?

    Because that, especially the “limited instances” part, reads to me like they were using a router that had its factory default password published, some installers weren’t changing it, and this gives them the necessary legal cover to go in and fix it, for those who have never messed with it themselves, thus leaving it at the default.

    Of course that’s the favorable (to them) reading, and the terms now allow them to change it for other reasons too, but it does sound like they give you the new password when they change it, which at a minimum, does not necessarily imply they have a master password aka “back door”, to routers where the owner actually /has/ changed the password.

    Given the general (IOW, IDR whether VZ has been named as a carrier with the problem or not) coverage of routers often installed without changing the password and with remote access on, thus allowing pretty much anyone on the net to go in and screw with it at their whim, retroactively going in to those where the default works and setting up a non-default password, then notifying the user about it, seems the best policy, but I can easily see the lawyers insisting on covering clause in the TOS.

    Further, something like that would need to be carried out with a pretty short notification, because they’re essentially zero-daying themselves. Once the announcement is made, they very likely have literally hours before someone’s exploiting it. So if it were me and there wasn’t a minimum waiting period before the TOS could go into effect, I’d be sending out the notification emails @ 23:59 one day, and starting the password changes at 00:01 the next — two minutes later!

    OTOH, if you have evidence of a tiered password system, with them having the master, that’s a different story indeed. But the TOS change alone “ain’t” it, nor is there any indication in your article that you have anything beyond that TOS change.

    Verizon ain’t no friend of mine, but overplaying your hand as an opponent doesn’t help, either.

  4. Does this apply just to Verizon-supplied routers, or to all routers?

    If the former, it’s easy to avoid by using your own independently sourced router and setting it up with WPA2.

    ISP-supplied routers always seem to be a bad financial deal, and the installers tend to set them up with weak, next-to-useless WEP security.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter
Mailchimp Signup Form

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.


The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.

Anastasia Marchenkova

An invitation from Anastasia Marchenkova

Hya, after stints as a quantum researcher at Georgia Tech Quantum Optics & Quantum Telecom Lab, and the University of Maryland Joint Quantum Institute, I’m now working on superconducting qubit quantum processors at Bleximo. I’ll be speaking during Algorithm Conference in Austin, Texas, July 16 – 18, 2020. Meet me there and let’s chat about progress and hype in quantum computing.