Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

D1000 vulnerability

Comments

  • Registered Users, Registered Users 2 Posts: 1,003 ✭✭✭_Puma_


    Seems Eir have been issuing insecurely configured routers to their customers and are leaving them wide open to remote takeovers. It has already been verified by independent sources to the original exploit. 

    http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

    Have Eir put in place a contingency measure to address the threat yet? Leaves you wondering what sort of Security penetration test were carried out before the bulk issuing of these routers to their customers. Heads should roll for this.


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    [font=Verdana, sans-serif]Hi Guys,[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]Thanks for getting in touch.[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]We are currently working with our supplier to determine if there is any risk to that specific modem. We will be in a better position to answer your queries this afternoon and we will publish an update online at http://support.eir.ie[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]Thanks,[/font]
    [font=Verdana, sans-serif]Pamela [/font]

    [font=Verdana, sans-serif] [/font]


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    Any update on this?


  • Registered Users, Registered Users 2 Posts: 2,320 ✭✭✭roast


    Still no update on the support site....


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    I'd say eir legal have been telling customer service DON'T ADMIT ANYTHING while they hope it's going to go away.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 13 mpok


    Irrespective of the vulnerability or otherwise of the modem why on earth is the CPE management port accessible to anyone other than Eir's operation center? I can see that port 7547 on my F1000 modem is open from my phone (on Meteor) Defense in depth! The bad guys shouldn't be able to get to the modems in the first place and the modems should be secure as well. Simple filter to allow Eir CPE devices to connect to Eir management servers and vice versa with all other TR-069 traffic blocked is only a few lines in the configuration on any respectable router. 


  • Registered Users, Registered Users 2 Posts: 1,877 ✭✭✭donspeekinglesh




  • Registered Users, Registered Users 2 Posts: 3,337 ✭✭✭Wombatman


    Have Eir customers been made aware of this problem?

    Has their been a press release from Eir?

    Detailed info here from Nov 7th. Why the delay in addressing this problem?

    https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

    Edit: Just saw this
    https://community.eir.ie/broadband-25/security-issue-eir-modems-288074


  • Registered Users, Registered Users 2 Posts: 2,320 ✭✭✭roast


    Absolutely no statement from Eir yet, which is disgraceful.

    These exploits should have been picked up on before pushing the firmware out or, at the very least, acknowledged in a timely manner once the flaw was public knowledge. The fact that there has been no acknowledgement from Eir in the weeks after the flaw was publicized just goes to show the lack of regard Eir have for security.


  • Registered Users, Registered Users 2 Posts: 3,337 ✭✭✭Wombatman


    Looks like German Telekom is now rolling out a firmware update for the affected routers. Details (in German) are here:
    https://www.telekom.de/hilfe/geraete-zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v

    Affected useres are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.

    Details here:
    https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 3,337 ✭✭✭Wombatman


    http://www.independent.ie/irish-news/2000-eir-customers-hacked-as-130000-more-put-at-risk-35271309.html

    The company spokesman said that Eir was informed two weeks ago about the vulnerability and immediately began to fix the modems remotely. However, last Thursday engineers discovered that almost 2,000 of the modems had been breached "by a third party".


  • Registered Users, Registered Users 2 Posts: 1,251 ✭✭✭tphase


    just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    [font=Verdana, sans-serif]Hi Guys,[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]- Pamela [/font]

    [font=Verdana, sans-serif] [/font]


  • Registered Users, Registered Users 2 Posts: 2,320 ✭✭✭roast


    I see Eir finally acknowledged it on the support site. Good to know customer security is a primary concern.

    https://community.eir.ie/service-updates-70/modem-reset-instructions-06122016-288871

    2,000 is not a "small number".


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    Just did a scan of a few of our sites using NMAP with the following command:

    nmap -p 7547 -T4 -Pn -A <target>

    Discovered open port 7547/tcp on 86.43.???.???
    Discovered open port 7547/tcp on 83.70.???.???
    Discovered open port 7547/tcp on 86.45.???.???

    A few of them are showing up as having the open port alright. We use quite a few in bridge mode so they wouldn't be vulnerable to this vulnerability. Can you not just forward port 7547 on to a nonexistent address? (i.e. so that the router itself does not respond to requests on that port)


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    I just noticed on my port scan that the same port is showing up as being open on the F1000 and F2000 E-Fibre modems. I wonder are these also vulnerable to the same issue?


  • Registered Users, Registered Users 2 Posts: 990 ✭✭✭rat_race


    What's funny about this, is that I already told Eircom about a major security flaw in the D1000, over two years ago!

    http://www.boards.ie/ttfthread/2057337389

    I am not in the slightest bit surprised with this new BS. Remember around 2001, Eircom was hacked, exposing 130,000 usernames and passwords? And there have been dozens of documented hacks since. Now this.

    Eir, start behaving like an ISP.


    Edit: the security flaw back then was different, but still a massive red flag that they should sort their sh*t out!


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    I just noticed on my port scan that the same port is showing up as being open on the F1000 and F2000 E-Fibre modems. I wonder are these also vulnerable to the same issue?
    [font=Verdana, sans-serif]Hi [/font][font=Verdana, sans-serif] [/font][font=Verdana, sans-serif]PeterTheNinth,[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]The efibre modems are not affected, if you have any concerns I would recommend contacting our team on 1901 to discuss this further.[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]- Pamela [/font]

    [font=Verdana, sans-serif] [/font]


  • Registered Users, Registered Users 2 Posts: 1,251 ✭✭✭tphase


    tphase wrote: »
    just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?
    [font=Verdana, sans-serif]Hi Guys,[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]- Pamela [/font]

    [font=Verdana, sans-serif] [/font]
     I assume resetting the modem will allow eir to push a patch to fix the vulnerability however non-eir customers who happen to be using these modems will not have the patch applied - is that correct?


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    tphase wrote: »
    tphase wrote: »
    just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?
    [font=Verdana, sans-serif]Hi Guys,[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]- Pamela [/font]

    [font=Verdana, sans-serif] [/font]
     I assume resetting the modem will allow eir to push a patch to fix the vulnerability however non-eir customers who happen to be using these modems will not have the patch applied - is that correct?
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]I'm afraid I would be unable to advise on this from here [/font][font=Verdana, sans-serif]tphase. [/font][font=Verdana, sans-serif]Our dedicated team on 1901 will be able to discuss this with you in further detail.[/font]
    [font=Verdana, sans-serif] [/font]
    [font=Verdana, sans-serif]Thanks,[/font]
    [font=Verdana, sans-serif]Pamela [/font]

    [font=Verdana, sans-serif] [/font]


  • Advertisement
Advertisement