Hey Spark's router was listed on a new disclosed router bug - do you think they are affected?
Remote WAN admin is disabled by default in my Spark Smart Modem.
The CERT/CC recommends updating the router to the latest available firmware version. It is also recommended to disable the remote administration services (WAN side) on each SoHo router and also disable the web interface on the WAN.
https://borncity.com/win/2021/08/02/authentifizierungsschwachstelle-cve-2021-20090-bei-arcadyan-basierten-routern-und-modems/
Gordy
My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.
More info about this here: Multiple Modem Routers Vulnerable to Unauthenticated Attacks | TechNadu and here: Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers - Research Advisory | Tenable®
The current firmware for Spark's Smart modem (which is now also on Skinny's modem I gather after it updated to match) is listed as vulnerable.
Remote WAN access is disabled in ours but I'm not sure where and how to disable remote administration services in the Spark Smart Modem web page, or how to disable the web interface on the WAN. Can someone advise please?
I would hope Spark are aware of this and doing something about it especially as it is their currently deployed device for both DSL and fibre. I note in the Timeline in the second article I linked to, that Arcadyan were advised about this back in April.
EDIT: It's also in Bleeping Computer today. They report attacks started happening 2 days after the PoC was made public on Aug 3rd. Actively exploited bug bypasses authentication on millions of routers (bleepingcomputer.com)
Spark are silent on this issue. It's as if they don't yet know.
It would be nice to have some sort of response from them, even if just to acknowledge they know of the issue or confirm the patch status.
catspyjamas:
More info about this here: Multiple Modem Routers Vulnerable to Unauthenticated Attacks | TechNadu and here: Multiple Vulnerabilities in Buffalo and Arcadyan manufactured routers - Research Advisory | Tenable®
The current firmware for Spark's Smart modem (which is now also on Skinny's modem I gather after it updated to match) is listed as vulnerable.
Remote WAN access is disabled in ours but I'm not sure where and how to disable remote administration services in the Spark Smart Modem web page, or how to disable the web interface on the WAN. Can someone advise please?
I would hope Spark are aware of this and doing something about it especially as it is their currently deployed device for both DSL and fibre. I note in the Timeline in the second article I linked to, that Arcadyan were advised about this back in April.
EDIT: It's also in Bleeping Computer today. They report attacks started happening 2 days after the PoC was made public on Aug 3rd. Actively exploited bug bypasses authentication on millions of routers (bleepingcomputer.com)
Remote WAN admin access should already be disabled unless you turned it on (if this is even a thing in Spark/Skinny's build). Unless this is being exploited via TR-069 or something else. It's also only been a day or two since those articles came out (It's also the start of another work week)? So I imagine there is still a response being prepared and/or working on a patch/hot fixes.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
also only been a day or two since those articles came out (It's also the start of another work week)? So I imagine there is still a response being prepared and/or working on a patch/hot fixes.
Bung: MaxineN: also only been a day or two since those articles came out (It's also the start of another work week)? So I imagine there is still a response being prepared and/or working on a patch/hot fixes.
"The security flaw was discovered Tenable, which published a security advisory on April 26" Spark's supplier has known for months. Spark shouldn't have to be relying on 3rd party reporting.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
Well I read the two articles I linked to on July 23rd - two days after they were published. Meant to post about it but distracted by other happenings here.
I can't imagine Arcadyan would have kept Spark or the many other ISPs using their devices in the dark since April (shame on Arcadyan if they did). I suspect Spark do know and hope they do provide a patch. Though they never provided an update to the HG695b after the Broadcom wifi chip vulnerability was exposed in April-ish 2020. Perhaps because the Spark Smart modem was their main device by then, but even so, it was still a modem many were using. That one hasn't had an update for about 4 years.
Remote WAN access is disabled by default, but the security advisories state this is only one course of action in the workaround. I'm not sure how to employ the other two (disabling remote administration services, and disabling the web interface on the WAN). Also not sure if any of these changes would stop an automatic firmware update from Spark, which would not be ideal. Hopefully Spark or someone will advise.
The Vodafone Ultra Hub (Vodafone H-500-t) does not appear on the list of vulnerable routers.
I am going to replace my Smart Modem with the Ultra Hub until Spark reports on and/or fixes the authentication issue.
Gordy
My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.
Gordy7:
The Vodafone Ultra Hub (Vodafone H-500-t) does not appear on the list of vulnerable routers.
I am going to replace my Smart Modem with the Ultra Hub until Spark reports on and/or fixes the authentication issue.
WAN is locked to IPoE Vlan 10 last time I tried. Even with it jailbroken WAN settings just can't be changed. Unless a Vodafone update fixed this.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
MaxineN:
Gordy7:
The Vodafone Ultra Hub (Vodafone H-500-t) does not appear on the list of vulnerable routers.
I am going to replace my Smart Modem with the Ultra Hub until Spark reports on and/or fixes the authentication issue.
WAN is locked to IPoE Vlan 10 last time I tried. Even with it jailbroken WAN settings just can't be changed. Unless a Vodafone update fixed this.
I am on the Slingshot network at the moment and the Ultra Hub is now working ok.....
I have been using the Smart Modem as it has better WiFi.
Gordy
My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.
Gordy7:
I am on the Slingshot network at the moment and the Ultra Hub is now working ok.....
I have been using the Smart Modem as it has better WiFi.
Ahh assumed you were with Spark. It will do the job.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
MaxineN:
Gordy7:
I am on the Slingshot network at the moment and the Ultra Hub is now working ok.....
I have been using the Smart Modem as it has better WiFi.
Ahh assumed you were with Spark. It will do the job.
If a Spark Smart Modem fix requires a firmware update then I will have to find a way to do an update...
Gordy
My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.
Spark is aware of a security vulnerability (https://www.tenable.com/security/research/tra-2021-13) that is present on one of the modems offered to Spark and Skinny broadband customers (Spark Smart Modem - Arcadyan VRV9517).
We have been advised by Arcadyan that they do not believe the vulnerability could currently be successfully exploited on our Spark and Skinny modems, due to the specific build of our modems. Our own testing supports this. We have been monitoring and blocking attempted attacks from the IP addresses identified by Juniper and while we have seen a low level of attacks since the weekend, we’ve seen no evidence so far of successful exploits against the Spark or Skinny Smart Modems.
We’ve been working with Arcadyan and have been testing a new version of the modem software with a fix for the vulnerability since last week. As soon as this version is ready, it will automatically be pushed out to the relevant Spark and Skinny Smart Modems.
We will provide an update when we have a new version available. For customers that are using the Smart Modems with non-Spark connections, we will make the updated FW with the vulnerabilities fixed available soon. I’ll advise here of the official download location (which will be from a Spark server).
Cheers - Neil G
Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.
Hi Neil
That's fantastic news and I'm extremely happy with Spark's involvement in keeping their customers and their modems safe.
Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
Talkiet:
We will provide an update when we have a new version available. For customers that are using the Smart Modems with non-Spark connections, we will make the updated FW with the vulnerabilities fixed available soon. I’ll advise here of the official download location (which will be from a Spark server).
Cheers - Neil G
That is good news.... I have only just left the Spark network to join Slingshot... getting a FW update fix will increase confidence in the Smart Modem.
Gordy
My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.