HG659 security fails, ports 80 and 443 open, update firmware ASAP!

Forums › One New Zealand (including Vodafone, WxC, Farmside) › HG659 security fails, ports 80 and 443 open, update firmware ASAP!

dvkwong

31 posts

Geek

#181127 3-Oct-2015 13:38

Been with Vodafone a little over 6-7 weeks and I am surprised everyday!

Couple of days back 1st Oct somehow the wifi password had been changed mysteriously and today internet was playing up.

So I thought I would do a port check to make sure my internet is secure etc. I used the excellent shields up tool from grc here click common ports https://www.grc.com/x/ne.dll?bh0bkyd2

Was very surprised to find that port 80 and 443 were open! Navigate to my public ip address and can see the router home page omg!

And then my internet really stopped working but the telephone and Vodafone sky still worked perfectly. Spent a wasted hour on phone with Vodafone technical support turning stuff on and off...cause you know this is the magic cure for all ailments! Anyway after being told there is nothing more they can do and basically to go away and sort it out myself. Anyway 10 minutes after hanging up internet starts working again arrrrrrrrrrghhhhhhhhhh!!

So back to sorting out this port issue and other mysteries, first thing I did was download and upgrade firmware from here HG659-13V100R001C206B019_main.bin http://help.vodafone.co.nz/app/answers/detail/a_id/24400/~/upgrading-the-vodafone-homehub-%28hg659%29-firmware-to-the-latest-version

Previously was on the B009 version I think...

Went smoothly no issues except for admin password changing. Do another port check and surprise the ports are now in stealth mode by default great!

I did read a few posts from Vodafone on forum and Twitter saying having this port open is perfectly safe and secure nothing can go wrong.....closing this means WE can't help you. Yeah right Vodafone support had no idea what they were doing and having access to router made no difference.

Repeat NEVER EVER expose open ports to the internet ESPECIALLY port 80 and 443 to YOUR router unless you know what you are doing! <rant over>

Edit more rant: Changing Admin password disables pasting into password fields another FAIL, however does allow you to paste when logging in so good (I use 1Password). Read here for why disabling pasting is bad http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html

yitz

2074 posts

Uber Geek

#1399352 3-Oct-2015 13:55

Did you ever disable the firewall on your previous configuration? Navigating to your public IP address from within your LAN is different to coming in on the WAN side, different firewall rules will apply.

Updated firmware thread - http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=177650

dvkwong

31 posts

Geek

#1399355 3-Oct-2015 14:05

yitz: Did you ever disable the firewall on your previous configuration? Navigating to your public IP address from within your LAN is different to coming in on the WAN side, different firewall rules will apply.

Updated firmware thread - http://www.geekzone.co.nz/forums.asp?forumid=40&topicid=177650

The firewall on router is disabled on this and previous configuration. Unfortunately I cannot recall if I tested from WAN so cannot confirm. However the GRC test is external so port 80/443 open would suggest you could still access web interface.

I would be interested to know if others who do have port 80 and 443 open can access there router web page using another internet connection Eg from mobile connection.

Andib

1363 posts

Uber Geek

ID Verified

Trusted

#1399357 3-Oct-2015 14:31

IIRC the HG659 interface is IP restricted to only allow logon from selected Vodafone IPs unlike the HG556a which was open and could be logged into by anyone who has your IP and the default support Username / password.
When I was working at Vodafone, Being able to remotely access router made all of our lives much easier. Try explaining to the average user how to navigate to the router and change the Wifi password!, MUCH easier to do it for the customer.

IMO if you're that concerned about security and your ports being open, an ISP router is not for you and you should get your own that you can manage yourself. For most customers ISP modems work sufficiently and allow ISP reps to help perform tasks that would otherwise confuse end users and take 10x as long to do.

PS your HG659 also likely has ports open for TR-069

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

dvkwong

31 posts

Geek

#1399389 3-Oct-2015 15:06

Andib: IIRC the HG659 interface is IP restricted to only allow logon from selected Vodafone IPs unlike the HG556a which was open and could be logged into by anyone who has your IP and the default support Username / password.
When I was working at Vodafone, Being able to remotely access router made all of our lives much easier. Try explaining to the average user how to navigate to the router and change the Wifi password!, MUCH easier to do it for the customer.

IMO if you're that concerned about security and your ports being open, an ISP router is not for you and you should get your own that you can manage yourself. For most customers ISP modems work sufficiently and allow ISP reps to help perform tasks that would otherwise confuse end users and take 10x as long to do.

PS your HG659 also likely has ports open for TR-069

So at the expense of making the wifi router user friendly to use, we should instead open every customers router to the internet in the off chance someone wants to change a wifi password. As noted the Vodafone support person I spoke to made no use of this interface.

IMO I am using a router provided by a global company not some 2 bit outfit, I expect better. The new firmware does tighten security so someone at Vodafone was using their brains.