DrayTek Vigor recovery password

Source: Internet | Editor: 程序博客网 | Time: 2024/06/18 06:11

A funny thing happened at the office the other day.

We have a teleworker who works in regional NSW. She connects via VPN to our Sydney office – we have Draytek Vigor 2800 VG's at each end.

For some reason, her line was disconnected (some sort of Telstra clerical error) and once that was sorted, she was given a new ISP password by Telstra.

Problem is, she had forgotten the password for the router. No worries – just do a factory reset was the initial thought, but with so many settings needing to be re-entered, it would have been a real pain.

Whilst we were rummaging through our records to find the password, she called Draytek and they asked her for the MAC address of the unit and then gave her a password (about 6 characters, I think) which logged her in.

So it would seem that Draytek have a "backdoor" password – probably a hash on the MAC address or something of that ilk.

I've done some googling and can't find any mention of this for the Draytek or any other routers.

Is this common? I guess it's not too much of a security issue, as firstly you'd need to know the MAC address, and secondly once you had the MAC address, you'd need to either have access to the LAN / wireless to log in (unless remote management was enabled!).

Handy to know, regardless.

EDIT: Here's a thought... with a few calls to Draytek I could get the "hash" password for multiple addresses and probably derive the hash algorithm. Probably a question for a cryptography expert to comment on the viability, but it does leave me a little concerned.

http://forums.whirlpool.net.au/archive/1317036

https://github.com/ammonium/draytools
