Avast Pro states google wifi router has a weak default password

I use the google wifi device OnHub AC1900. When I run Avast Pro, it claims that my router has a weak default password of admin/admin.

However, one cannot even access settings via a web browser on that router. It requires a phone app and a user defined username/pass to configure it. From a browser the homepage of the router simply gives links to download the phone app.

My guess is that Avast Pro is simply calling it with a POST and passing admin/admin. Since it returns a page (the one with download links) Avast assumes that it logged in.

I want to make sure I am not wrong though and there isn’t something I am missing with this router. Like whether or not Avast is using a different protocol or hitting a specific page directly. The google wifi routers leave much in a black box, so I want to be sure there is no glaring security hole I missed.
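The false positive guessed at in the post above, as an added example that is not part of the original thread and is not Avast's code: a check that treats any 200 response as a successful login, next to one that first compares against a control request made with credentials that cannot be valid. The `Resp` class, the function names and all sample responses are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Resp:
    """Constructed stand-in for an HTTP response (no network is used)."""
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def naive_verdict(attempt: Resp) -> bool:
    # The guessed behaviour: any page returned with 200 counts as a login.
    return attempt.status == 200

def fingerprint(r: Resp) -> tuple:
    # Status, redirect target, session cookie presence and body hash.
    # Real pages with per-request tokens would need those stripped first.
    hdr = {k.lower(): v for k, v in r.headers.items()}
    return (r.status, hdr.get("location", ""), "set-cookie" in hdr,
            hashlib.sha256(r.body.encode()).hexdigest())

def controlled_verdict(control: Resp, attempt: Resp) -> str:
    """control is the reply to credentials that cannot be valid."""
    if attempt.status in (401, 403):
        return "rejected"
    if fingerprint(attempt) == fingerprint(control):
        return "not-authenticated"  # server answers the same to anything
    return "likely-accepted" if attempt.status < 400 else "rejected"

# Constructed samples. LANDING models a router whose web root only links to
# a phone app, whatever is POSTed to it.
LANDING = Resp(200, "<html>Get the app to set up your network</html>")
# DEFAULT_CONTROL / DEFAULT_ATTEMPT model a device that accepts admin/admin.
DEFAULT_CONTROL = Resp(200, "<html>Login failed</html>")
DEFAULT_ATTEMPT = Resp(302, "", {"Location": "/status", "Set-Cookie": "sid=1"})

if __name__ == "__main__":
    print(naive_verdict(LANDING))                                # naive check flags it
    print(controlled_verdict(LANDING, LANDING))                  # control shows no login happened
    print(controlled_verdict(DEFAULT_CONTROL, DEFAULT_ATTEMPT))  # response really changed
```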

I believe this to be a bug. See this post: https://forum.avast.com/index.php?topic=209402.msg1423925#msg1423925

Both topics have been reported on the developers channel.
As soon as I get an answer, I’ll post it here.

When Wi-Fi inspector finds a weak service password, it doesn’t explicitly state which password that is. It could be the wi-fi password, router password or the FTP server.

Have you checked all three? Many times users don’t change FTP server default password.

Doesn’t it!

Where does that tell you that the weak password is the wi-fi password, router password or the FTP server?

HNS-Weak-Pass just states it’s a weak password but doesn’t state each one explicitly.

To me this seems to be the router log in passwords (not WiFi) … admin/admin

That’s what I also think. :slight_smile:
http://www.tp-link.com/us/faq-426.html

(Sorry, I quoted the wrong user.)

But the only usernames/passwords that the router has set to admin/admin as default are the router passwords. FTP has to be explicitly enabled and has no defaults. Default WiFi SSIDs are conglomerates of text and part MAC addresses and the passwords are pseudo-random numeric, and besides, my PC doesn’t have WiFi so Avast can’t test for that. So for Avast to report that it has found admin/admin can only mean that it was checking the router’s web interface.