Warning about the new F2000 modem supplied by Eircom with E-Fibre

CountyHurler · 08-04-2015 12:52pm #1

Hi,

I arrived out to install e-fibre on a site yesterday and found one of these new F2000 devices connected to the E-Fibre line.

I tried to configure it the same way as we have been configuring D1000s and F1000s for the last three years but it seems there is a bug with it. You are currently unable to change the LAN Interface subnet mask on the device... Tried it every which way when I was on the site, but ended up having to put in a spare F1000 after spending an hour talking to Eircom "support", who told me that it was a customer site configuration problem ... (in spite of the fact that it was Eircom who had told me to use the current setup we are using). He also said that he was unaware of any firmware update that addresses the issue. Eircom support are an absolute waste of time anyway tbh...

I googled around the issue and it seems that a company in NZ are aware of the problem with the device, which is actually a Huawei HG659b
https://www.spark.co.nz/help/internet-data/equipment/huawei/hg659-gateway/changing-the-lan-host-ip-address-huawei-hg659-hg659b/

Important: Currently you are unable to change the Subnet Mask on the Huawei HG659. We are working on resolving this issue.

Has anybody else experienced this problem?

ED E · 08-04-2015 1:57pm

If Spark have the issue too its a Huawei bug, it'll be up to them to fix it.

paconarvaez · 16-04-2015 9:34pm

i recently changed my modem from f1000 to the new f2000 because i heard the wifi was better, and everything works except my sky b/b connecter , it one of those little black connecters with the wps button , but when i press the wps on my modem and activate my sky connecter it dosent see my modem. has anyone else had this prob. thanks for your time,

yuloni · 18-04-2015 9:59pm

This post has been deleted.

mass_debater · 19-04-2015 4:28pm

If you are using something different to a /24 subnet why are you not bridging the modem and providing your own router and firewall

CountyHurler · 23-04-2015 11:50am

mass_debater wrote: »

If you are using something different to a /24 subnet why are you not bridging the modem and providing your own router and firewall

Dont get me started on this... All of the sites used to be set up with the D1000/F1000s in bridge mode, so that the sites only required one IP address.... That was until we discovered that both D1000 and F1000s changed from bridge mode BACK to routing mode if the power was cut for any reason.

mass_debater · 23-04-2015 12:01pm

CountyHurler wrote: »

Dont get me started on this... All of the sites used to be set up with the D1000/F1000s in bridge mode, so that the sites only required one IP address.... That was until we discovered that both D1000 and F1000s changed from bridge mode BACK to routing mode if the power was cut for any reason.

That's a new one, I've never encountered this and I've setup plenty of them. Are you sure nobody's pressing the reset?

CountyHurler · 25-04-2015 6:38pm

mass_debater wrote: »

That's a new one, I've never encountered this and I've setup plenty of them. Are you sure nobody's pressing the reset?

Nah, I've tried it myself... Take a D1000, and configure it for bridge mode... Then pull the power on it, and it returns to Routing mode... Had the same issues with the F1000. We've had to order 4 IPs for every site and configure a routed connection.

We tried replacing the D1000/F1000 with a Cisco or Zyxel device which is stable in bridge mode... But we found that if there are any issues with the line.... Eircom will not provide support unless one of their devices (i.e. the D1000 or F1000) is connecting to the line...

ainiseoir · 10-06-2015 1:48pm

" Eircom support are an absolute waste of time anyway tbh... "

You can sing that. I contacted them yesterday and it was a heart scald listening to somebody from the subcontinent scrambling through the manual.
I have the bloody manual myself.
Have they outsourced the technical support ?

Bazideluxe · 01-07-2015 9:59pm

Guys can anyone check if you have this wifi bug I found please?

Got new F2000 today and whenever I try to hide SSID, the wifi goes OFF:

ninkovicz · 18-08-2015 5:58pm

You are messing with wrong settings mate.... Go to Home Network....Wireless settings ....Advance settings and you will be able to HIDE SSID...

ihastakephoto · 10-09-2015 10:58pm

there is a password which eircom support are using which gives them admin rights to your modem. Thats all fine if this is protected and known only to eircom staff, however, after 3 minutes of webchat, the support tech gave me the password. I asked if it was common use and he said, it was "like some kind if backdoor for all eircom routers"
Imma upgrade my firmware and debrand asap.... after I remove the support account from mine, I will approach eircom about a disclosure through appropriate channels

jca · 10-09-2015 11:45pm

ihastakephoto wrote: »

there is a password which eircom support are using which gives them admin rights to your modem. Thats all fine if this is protected and known only to eircom staff, however, after 3 minutes of webchat, the support tech gave me the password. I asked if it was common use and he said, it was "like some kind if backdoor for all eircom routers"
Imma upgrade my firmware and debrand asap.... after I remove the support account from mine, I will approach eircom about a disclosure through appropriate channels

Get a life ffs...

roast · 10-09-2015 11:52pm

ihastakephoto wrote: »

there is a password which eircom support are using which gives them admin rights to your modem. Thats all fine if this is protected and known only to eircom staff, however, after 3 minutes of webchat, the support tech gave me the password. I asked if it was common use and he said, it was "like some kind if backdoor for all eircom routers"
Imma upgrade my firmware and debrand asap.... after I remove the support account from mine, I will approach eircom about a disclosure through appropriate channels

I wouldn't consider this a particularly devious or malicious security issue, it's by design. It's fairly common for ISP-provided equipment to have remote management access for the likes of firmware updates, remote troubleshooting and diagnosis. See TR-069 here.

If you can answer all the troubleshooting questions should a fault arise and thus not require remote assistance, then I'm sure Eircom, Vodafone and the like don't really care if you disable it anyway. :pac:
There are some security issues with TR069 but that goes with for any protocol really.

ihastakephoto · 11-09-2015 12:04am

@jca says the guy reading the forum at midnight himself and feeling the need to comment about someone else's life..

@roast the issue is in the fact that they gave out the password... with very little effort I can now collect ip addresses of anyone who visits my site, determine if theyre using the same modem, if so, remotely access and change their passwords, reboot their modem, install my own firmware....the list goes on.

roast · 11-09-2015 12:11am

ihastakephoto wrote: »

@roast the issue is in the fact that they gave out the password... with very little effort I can now collect ip addresses of anyone who visits my site, determine if theyre using the same modem, if so, remotely access and change their passwords, reboot their modem, install my own firmware....the list goes on.

Hold on, you're saying you can remotely login to other users routers and do the above? You can't... by default, TR-069 is configured to only allow access from a certain source (in this case, Eircom). It's not like any randomer can login and start arsing with your settings. You can enable access from other IPs, but only if you're logged into the router already.

jca · 11-09-2015 12:12am

Well at least I'm not worrying about my isp looking at my router configuration....

jca · 11-09-2015 12:16am

ihastakephoto wrote: »

@jca says the guy reading the forum at midnight himself and feeling the need to comment about someone else's life..

@roast the issue is in the fact that they gave out the password... with very little effort I can now collect ip addresses of anyone who visits my site, determine if theyre using the same modem, if so, remotely access and change their passwords, reboot their modem, install my own firmware....the list goes on.

Give us a link to your "site" I'll take a gawk at how to make a tinfoil hat and you can hack my router.....

ihastakephoto · 11-09-2015 12:28am

roast wrote: »

Hold on, you're saying you can remotely login to other users routers and do the above? You can't... by default, TR-069 is configured to only allow access from a certain soruce (in this case, Eircom). It's not like any randomer can login and start arsing with your settings. You can enable access from other IPs, but only if you're logged into the router already.

Ive logged into my own, my parents, my in laws, and restarted their connections from my office, my home and my mobile wifi.
hence my concern

ihastakephoto · 11-09-2015 12:30am

you're a gas chap, now run along, I'm sure there are loads of people you can troll before school tomorrow

jca · 11-09-2015 12:43am

ihastakephoto wrote: »

Ive logged into my own, my parents, my in laws, and restarted their connections from my office, my home and my mobile wifi.
hence my concern

That makes you the one doing wrong here. You don't find any Eircom employees logging into their parents, in laws or other people's routers. I bet you're the guy who rings people and tells them they have a virus on their computer...

roast · 11-09-2015 12:46am

Lads, will ye cop on...

Anyway

ihastakephoto wrote: »

Ive logged into my own, my parents, my in laws, and restarted their connections from my office, my home and my mobile wifi.
hence my concern

How? By HTTP? Or what port?

bk · 11-09-2015 10:43am

MOD: jca, please remember, attack the post not the poster.

In fairness, ihastakephoto absolutely has a valid concern if s/he can log into other peoples routers.

Nor would I consider it doing anything wrong to log into your relatives routers with their permission to test the theory that you have found a back door.

ED E · 11-09-2015 11:53am

I HIGHLY doubt you've found a remote exploit for the webui. The F2000 is one of the first ISP modems that uses full HTTPS/SSL on its interface. And as above TR069 pinhole will only accept a signed request from the CPE management system in eircom before it opens up its other ports to requests.

jca · 11-09-2015 1:10pm

bk wrote: »

MOD: jca, please remember, attack the post not the poster.

In fairness, ihastakephoto absolutely has a valid concern if s/he can log into other peoples routers.

Nor would I consider it doing anything wrong to log into your relatives routers with their permission to test the theory that you have found a back door.

My God I'm speechless thank God ED E has come along to put some sanity on this ridiculous thread.

bk · 11-09-2015 3:06pm

jca wrote: »

My God I'm speechless thank God ED E has come along to put some sanity on this ridiculous thread.

Well in fairness jca, Eircom does have a very bad track record of securing their routers, remember how easy it use to be to crack the WEP encryption on the old Netopia Eircom routers:

http://www.tomdoyletalk.com/2007/10/01/eircom-netopia-wireless-router-hack/

So it wouldn't be terribly surprising to discover another security issue.

This may or may not be the case, but either way one of the first rules of boards is attack the post not the poster.

dalta5billion · 11-09-2015 4:21pm

Prompted by ihastakephoto I found the same vulnerability on the F1000, and have confirmed it as exploitable in the wild.

It's a hidden account with slightly reduced privileges but enough to cause havoc (attacker can flash firmware). Users should disable all forms of remote management to mitigate.

Most likely it is the same case with the F2000, as ihastakephoto reported here. I think you should all apologise to him/her.

ED E · 11-09-2015 4:47pm

dalta5billion wrote: »

Most likely it is the same case with the F2000, as ihastakephoto reported here. I think you should all apologise to him/her.

Unlikely, F1000 is Zyxel and the F2000 is Huawei (a far more competent company IMO).

Is the password there a random char string? There are two accounts on the 2000s IIRC, admin and Supervisor, but they both use the system pasword by default, but only persons on site could read that from the label, or if they were given the WLAN PSK.

dalta5billion · 11-09-2015 4:49pm

ED E wrote: »

Unlikely, F1000 is Zyxel and the F2000 is Huawei (a far more competent company IMO).

Is the password there a random char string? There are two accounts on the 2000s IIRC, admin and Supervisor, but they both use the system pasword by default, but only persons on site could read that from the label, or if they were given the WLAN PSK.

Seemingly random, but this is hard coded into every F1000 - i.e. every F1000 will allow login with this user:pass.

Edit: also remember, Zyxel and Huawei cannot be held responsible for poor configs from ISPs

ihastakephoto · 11-09-2015 9:46pm

ok, the account username is support, which suggests to me that eircom added / request huawei add this hidden account.
I have used the same password to access 3 different routers.
I hope to get time tomorrow to update my own firmware and test.

just to clarify, these are routers of mine and family who were aware that I was testing.

ED E · 12-09-2015 9:25am

Oh eircom.....

Warning about the new F2000 modem supplied by Eircom with E-Fibre

Comments