Young said the routers largely lacked any form of authentication on the server side; instead, the routers were doing password authentication in the browser. Compromising password hashes wasn't much of a barrier for the contestants, nor is it for hackers in the wild.
Young said he would download the firmware from the respective vendor and extract it using tools such as Firmware Mod Kit to explore its design, eventually learning which files house the administrative passwords and how the web server logic works on the router. Some models from Netgear, TRENDnet and other vendors will return the password when sent the proper request.
This is why the admin interface of a SOHO router should only be reachable from the LAN side and never from the WAN side. Admin changes should be rare anyway. One of the most damaging things a malicious actor can do is point the router's DNS setting at a server they control, which lets them divert all LAN traffic wherever they want, since devices typically receive their DNS server address along with their IP address when they get a lease from the router via DHCP.
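To make the difference concrete, here is an added example in Python (not code from Young's talk, the contest, or any vendor's firmware). `vulnerable_handle` models the pattern described above: the credential is shipped to the browser for a JavaScript comparison, a request hands the password straight back, and the DNS endpoint performs no check at all. `HardenedAdmin` does the comparison on the server against a salted PBKDF2 hash, issues a session token, refuses anything that does not arrive from the LAN, and validates the DNS value before storing it. The password, network ranges, and endpoint paths are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed device state for the example (not from any real firmware).
ADMIN_USER = "admin"
PLAINTEXT_PASSWORD = "hunter2"          # stands in for a cleartext config-file entry
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VULN_DNS = {"primary": "192.168.1.1"}   # DNS server handed to clients via DHCP


def vulnerable_handle(path, params, client_ip):
    """Flawed pattern: authentication happens in the browser, not on the server.

    /login.html embeds the password for a JavaScript comparison, /getpass hands
    it back to anyone who asks, and /admin/dns changes the DNS server without
    checking who is asking or where the request came from.
    """
    if path == "/login.html":
        page = f'<script>if (pw.value == "{PLAINTEXT_PASSWORD}") location = "/admin";</script>'
        return 200, page
    if path == "/getpass":
        return 200, PLAINTEXT_PASSWORD
    if path == "/admin/dns":
        VULN_DNS["primary"] = params.get("dns1", VULN_DNS["primary"])
        return 200, "ok"
    return 404, "not found"


class HardenedAdmin:
    """Server-side authentication, LAN-only reachability, validated input."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._derive(password)   # only the salted hash is kept
        self.sessions = {}                      # session token -> username
        self.dns = {"primary": "192.168.1.1"}

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def handle(self, path, params, client_ip, token=None):
        # The admin interface is not reachable from the WAN side at all.
        if ipaddress.ip_address(client_ip) not in LAN_NET:
            return 403, "admin interface is LAN-only"
        if path == "/login":
            candidate = self._derive(params.get("password", ""))
            # Constant-time compare on the server; nothing secret goes to the browser.
            if params.get("user") == ADMIN_USER and hmac.compare_digest(candidate, self.pw_hash):
                tok = secrets.token_urlsafe(32)
                self.sessions[tok] = ADMIN_USER
                return 200, tok
            return 401, "bad credentials"
        # Everything else requires a valid server-side session.
        if self.sessions.get(token) != ADMIN_USER:
            return 401, "login required"
        if path == "/admin/dns":
            try:
                new_dns = ipaddress.ip_address(params.get("dns1", ""))
            except ValueError:
                return 400, "dns1 must be an IP address"
            self.dns["primary"] = str(new_dns)
            return 200, "ok"
        # There is deliberately no endpoint that returns the password.
        return 404, "not found"


if __name__ == "__main__":
    print(vulnerable_handle("/getpass", {}, "203.0.113.5"))   # password handed to a WAN client
    admin = HardenedAdmin(PLAINTEXT_PASSWORD)
    print(admin.handle("/admin/dns", {"dns1": "203.0.113.53"}, "203.0.113.5"))   # refused: WAN
    status, tok = admin.handle("/login", {"user": "admin", "password": PLAINTEXT_PASSWORD}, "192.168.1.10")
    print(admin.handle("/admin/dns", {"dns1": "192.168.1.1"}, "192.168.1.10", tok))
```

The LAN check comes before any other logic so that a WAN client cannot even reach the login handler, and the DNS value is parsed with `ipaddress` rather than stored as a raw string, which is the kind of server-side validation the client-side design never had.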
Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica
The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
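The brute-force pattern the article describes shows up plainly in a router's authentication log. The following Python example is added here (it is not part of the Ars Technica article or the ESET research) and runs a simple sliding-window detector over constructed Telnet log lines: it flags any Telnet login arriving from outside the LAN, a burst of failed logins from one source, and a success from a source that was already flagged. The log format, hostname, and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a generic router syslog style (not captured from any
# real device or from Linux/Moose activity). One WAN source fails six times and
# then succeeds; one LAN user mistypes twice and then logs in normally.
SAMPLE_LOG = """\
May 26 10:00:01 router telnetd[812]: login failed for 'admin' from 203.0.113.7
May 26 10:00:03 router telnetd[812]: login failed for 'admin' from 203.0.113.7
May 26 10:00:05 router telnetd[812]: login failed for 'root' from 203.0.113.7
May 26 10:00:07 router telnetd[812]: login failed for 'root' from 203.0.113.7
May 26 10:00:09 router telnetd[812]: login failed for 'admin' from 203.0.113.7
May 26 10:00:11 router telnetd[812]: login failed for 'support' from 203.0.113.7
May 26 10:00:14 router telnetd[812]: login succeeded for 'admin' from 203.0.113.7
May 26 10:01:30 router telnetd[812]: login failed for 'admin' from 192.168.1.20
May 26 10:01:35 router telnetd[812]: login failed for 'admin' from 192.168.1.20
May 26 10:01:40 router telnetd[812]: login succeeded for 'admin' from 192.168.1.20
May 26 10:02:00 router dnsmasq[300]: started, version 2.72
"""

LAN_NET = ipaddress.ip_network("192.168.1.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_line(line, year=2015):
    """Return a dict for a telnetd login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src_ip = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    # Syslog timestamps carry no year; the caller supplies one for ordering.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "src": m["src"], "src_ip": src_ip}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector over telnetd login events.

    Emits one alert per source for: any Telnet login from outside the LAN,
    `threshold` failures within `window`, and a success from a source that
    was already flagged for brute forcing.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported for brute force
    seen_wan = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["src_ip"] not in LAN_NET and src not in seen_wan:
            seen_wan.add(src)
            alerts.append({"kind": "wan_telnet", "src": src, "ts": ev["ts"], "user": ev["user"]})
        if ev["result"] == "failed":
            recent = failures[src]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src, "ts": ev["ts"], "user": ev["user"]})
        elif src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "ts": ev["ts"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert["ts"].time(), alert["kind"], alert["src"], alert["user"])
```

Adapt `LINE_RE` to the real device's syslog format. The `wan_telnet` alert is the one to act on first: a Telnet service answering on the WAN interface is the exposure the worm depends on, and the fix is to disable it or bind it to the LAN rather than to tune the failure threshold.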