
Tens of thousands of broadband modems wide open to hijacking


Comments

  • Registered Users Posts: 2,177 ✭✭✭ondafly


    Not the first time for Eir either!


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Le sigh.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    I use that modem. It's pretty annoying that they leave an open TCP port without telling you. What is the story though if you change the admin password? I presume most people would change that rather than leaving it as the default wifi password, which would be impossible to remember...

    Interesting that with the old Netopia modems the port was only accessible to specific IP addresses (assigned to Eircom's technical support).


  • Registered Users Posts: 2,191 ✭✭✭MBSnr


    No mention of the F1000, but port 7547 is open as well. I've disabled TR-64 in the management interface. Will that stop it being vulnerable to this I wonder?

    EDIT: I read that TR-64 pulls the wifi password which is also the admin login. Since my admin login and wifi password are not the default, I'm guessing that may stop the SSH login.


  • Registered Users Posts: 2,191 ✭✭✭MBSnr


    plodder wrote: »
    I use that modem. It's pretty annoying that they leave an open TCP port without telling you. What is the story though if you change the admin password? I presume most people would change that rather than leaving it as the default wifi password, which would be impossible to remember...

    Interesting that with the old Netopia modems the port was only accessible to specific IP addresses (assigned to Eircom's technical support).

    I tested my F1000 by connecting to it via SSH and using the original wifi password (which has been changed) and I got account lockout for 10 mins. So this is likely only to be an issue with modems that have all the defaults still set.


  • Registered Users Posts: 815 ✭✭✭Quaderno


    Still developing, but it looks like the vulnerability in three of Eir's router models may have played a crucial role in taking down close to a million broadband customers in Germany over the last couple of days.

    https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised_by_mirai/


  • Registered Users Posts: 7,198 ✭✭✭plodder


    I see this finally made the news today. Coincidentally (or maybe not) my D1000 has been bricked since late last week. I wonder if the software update they tried to push failed somehow. Lucky I had a spare modem handy.


  • Registered Users Posts: 670 ✭✭✭Happy_Harry


    So I got an email from eir this morning
    We became aware on 3rd December that your modem may have had unauthorised access. In addition, we received additional information from our modem supplier on 5th December and it is imperative that you reset your modem immediately.

    I would like to know what unauthorised access there was. I didn't have default pw for admin nor for wifi. Any idea how I could have been affected?

    Thankfully I have eir only as a backup and not sure I have connected to it for any longer periods of time lately.


  • Registered Users Posts: 1,421 ✭✭✭AlanG


    Pretty poor performance from the eir representative on Morning Ireland this morning. This sort of thing is bound to happen if the companies retain backdoor access to the routers in customers' homes.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    AlanG wrote: »
    Pretty poor performance from the eir representative on Morning Ireland this morning. This sort of thing is bound to happen if the companies retain backdoor access to the routers in customers' homes.

    It's not a backdoor, it's an advertised function that serves a legitimate purpose. Users want it. When average joe calls he wants to be told his password, not open a laptop, enter these numbers, enter this username, enter this password, go here, go there.


    This problem stems from poor systems management and/or using the cheapest vendor possible.


  • Registered Users Posts: 7,198 ✭✭✭plodder


    ED E wrote: »
    It's not a backdoor, it's an advertised function that serves a legitimate purpose. Users want it. When average joe calls he wants to be told his password, not open a laptop, enter these numbers, enter this username, enter this password, go here, go there.


    This problem stems from poor systems management and/or using the cheapest vendor possible.
    It seems quite reckless to have allowed access to that port from any IP address rather than a limited set of known ones owned by Eir technical support. I assume that was cost saving as well, as it was one less thing to customise by Zyxel for Eir.

    It was funny to hear the RTE reporter on the news last night trying to pronounce the word Zyxel. It looked like it was the first time he had ever seen it. :pac:


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Oh it's a total configuration failure, but that doesn't mean CPE management is a bad thing.

    Haven't read the TR specs but IIRC 69 uses PK auth so the IP doesn't really matter as only the ISP's management units can connect. One would assume that's enabled for F1000 (Zyxel) and F2000 (Huawei).


  • Registered Users Posts: 7,198 ✭✭✭plodder


    ED E wrote: »
    Oh it's a total configuration failure, but that doesn't mean CPE management is a bad thing.
    Sure.
    Haven't read the TR specs but IIRC 69 uses PK auth so the IP doesn't really matter as only the ISP's management units can connect. One would assume that's enabled for F1000 (Zyxel) and F2000 (Huawei).
    Just took a quick look at it and there seem to be two levels of security. TLS/certificates and shared-secrets/passwords. TLS is recommended but not required. Managing certificates can be a headache, so I don't know whether they decided to rely on password level security. Maybe not, but there was definitely some problem that needed to be fixed.

