Australia's Biggest Telco Sold Routers With Hardcoded Passwords


3 replies to this topic

#1 Asrokhel

    Neowinian

  • 1,027 posts
  • Joined: 05-April 12
  • OS: Windows 8 Pro x64 (testing to see if I keep it or go back to Windows 7)

Posted 13 November 2012 - 12:45

Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that could allow attackers access to customer networks.

SC was tipped off to the public disclosure of the flaws on 16 October, 2012, and given the threat posed to Telstra customers, had warned Telstra and delayed publication until the telco and vendor Netcomm had developed and fully tested a firmware fix.

The flaws meant attackers could bypass any unique passwords and access the device administrative console and customer's local network.

Telstra has today issued a patch to fix the flaws and was contacting affected customers by phone and email to urge them to apply the fix.

The firmware upgrade was the only means of removing the unchangeable default logins introduced by Netcomm into the BigPond Elite Wireless BroadBand Network Gateway line.

"We’ve now published a firmware update and are contacting all customers with this type of modem to ensure they install the patch," Telstra told SC in a statement.

"...we’ve worked as quickly as possible with our vendor to design, create, test and deploy a software update for our customers."

Milan-based security researcher and consultant Roberto Paleari discovered the flaws and publicly disclosed them on 12 October after he told SC he reported it to a Telstra Bigpond technical support line.

Paleari later worked with Telstra and Netcomm to detail the vulnerabilities, which also included a command-injection flaw due to the server-side script failing to properly validate user-supplied input.

The researcher publicly disclosed the holes after he said Telstra's technical support department requested he detail the bug over phone and would not communicate via email, his preferred method for record-keeping.

“I can only say I am really sorry I finally had to disclose the vulnerabilities without waiting for a fix from the device manufacturer,” Paleari told SC, adding that he believed in responsible disclosure.

“Router security should be taken more seriously.”

SC urges all affected users to apply the patch immediately.

The patch also introduced a feature allowing manual selection between internal and external antennas from the modem interface.

http://www.scmagazin...-wide-open.aspx


#2 exotoxic

    Neowinian Senior

  • 2,198 posts
  • Joined: 04-April 04
  • Location: England

Posted 13 November 2012 - 16:28

Some routers have hard-coded passwords for remote login by ISP tech support.

#3 remixedcat

    meow!

  • 10,497 posts
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 13 November 2012 - 20:27

Moral of the story... don't use ISP routers.

#4 xSuRgEx

    Neowinian Senior

  • 2,706 posts
  • Joined: 02-August 03
  • Location: Earth

Posted 13 November 2012 - 20:34

Didn't Kevin Mitnick pwn Netcom back in the day?