NZ Herald - Internet providers have backdoor access to customers' modems

Forums › New Zealand Broadband › NZ Herald - Internet providers have backdoor access to customers' modems

1 | 2 | 3 | 4 | 5 | 6

3629 posts

Uber Geek
+1 received by user: 2572

ID Verified

Trusted

Lifetime subscriber

#1791181 29-May-2017 15:50

jeffory123:

Interesting that a few current and former employees of NZ telco's are so confidant in the security of their networks and infrastructure :) Now I must admit I have only encountered a few former russian software engineer's from Vodafone but their coding/general security awareness left a lot to be desired and they were just generally dodgy. Now these were software engineers not infra guys but I'm not convinced their employee screening process is without flaws. Therefore I would not consider it a 0% risk of a rogue employee compromising their ACS server and it going unchecked.

I certainly was not made aware of any remote maintenance capability when I signed up with both Spark and Vodafone. The one good thing this article has done despite it's flaws is made people more aware of the fact so they can then educate themselves on the matter and then make an informed decision on whether to disable any remote access capability to their modem.

To me it's clear you have no idea of what the "actual" security issue is and how it can be exploited.

1) It's not the ACS server that is what the article talks about it's the "Connection Request" port aka Port 8081 on the Huawei that is exposed to the internet by the router. There are issues all the time with various services that are internet facing. That's why servers get patched and updated.

2) The "Connection Request" port can only be accessed using a random Username & Password that the ACS sets when the router first connects and downloads its profile

3) "IF" The Username & Password for the "Connection Request" was compromised then all that would happen is the router to initiate a "Phone home" request back to the hard-coded ACS server. There is no configuration ability on the Router end to do anything as it's a simple "HTTP GET" request and that causes the router to phone home.

4) "IF" there was a rogue ISP employee (be it Spark/Vodafone or any of the other worldwide ISP that use TR-069/ACS for Remote Management) then that stuff tends to get picked up by the logging in the ACS and is a career limiting move. I personally know the ACS well and there is VERY little the CSR Reps can do apart from rebooting the router and seeing how many devices are connected on the client side. It's all heavily logged and audited. One would think stealing customers banking / credit card information would be a more lucrative endeavour.

5) Having Remote Management is vital in any Telco grade environment. Just like Windows Update updates your PC, the ACS can update your router. Customers appreciate being able to be remotely diagnosed and if a new firmware comes out how else are they supposed to get pushed out to literally hundreds of thousands of devices. Do you expect end-customers to be able to run through the manual steps to upgrade the firmware on their router.

In short if you see anything malicious, underhand or devious with wanting to have enterprise grade management of all the routers an ISP ships to their customers then you really need to put away the tin foil hat, disconnect your internet immediately as the GCSB are watching get outside and enjoy the fresh air.

Having remote management is configuration management 101.

Did you see the Lorde Remix?

jeffory123

34 posts

Geek
+1 received by user: 4

ID Verified

#1791435 29-May-2017 23:12

Anyone know where the setting is on the spark HG630B modem?

BarTender:

2) The "Connection Request" port can only be accessed using a random Username & Password that the ACS sets when the router first connects and downloads its profile

If the ACS server was compromised wouldn't it be able to issue a pre-defined username and password which would then open it up to an external non-monitored attack?

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1791479 30-May-2017 07:37

jeffory123:

If the ACS server was compromised wouldn't it be able to issue a pre-defined username and password which would then open it up to an external non-monitored attack?

I think you should read the many other posts explaining it is not a security risk and that is not going to happen and just leave it alone. You're opening yourself up for attack by disabling it if there was ever a router exploit and Spark were unable to roll out a firmware update to you.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

tripper1000

1648 posts

Uber Geek
+1 received by user: 1176

#1791642 30-May-2017 11:34

Hi Guys, I understand that this is a very useful and productive feature for customer support, and Bartender has explained that within the ISP's security and controls around the system is good, however I wonder if everyone is looking at the security implications from a consumer personal privacy/financial point of view, rather than a commercial or government espionage point of view.

We know all to well from the recent Wanna Cry attack that government espionage department's are always creating sneaky ways to hack into networks.

The Chinese are the most prolific espionage hackers in the world. They have entire Army divisions, occupying multi-story office blocks, dedicated to the task. Some of the sneakiest code facilitating the most significant data thefts from the Pentagon and Western companies has been written in 16 Bit languages, stongly suggesting Chinese/Korena/Japanese origins.

The Chinese government can exert ultimate control of any Chinese company they wish, and Huawei is a Chinese company owned by an ex Chinese Army Gneneral which means it is not only highly vulnerable to Chinese Govt manipulation, it may also be highly sympathetic to it. This system, is potentially a back door into a network that bypasses the first firewall. Sure, the IPS's server sets a random pass/login on setup, however is anyone sure that there is not a master pass/login, or even a whole other remote access system woven in with it?

Western spy departments were loading hacked spying firmware on adversaries Nokia's phones back in the 90's (even easier with modern smart phones), so dodgy firmware on modems out of China is plausible.

Malicious intent aside, Huawei hasn't been particularly sharp with security in the past - for example their Cell phones/Cell modems have historically been the easiest to network-unlock.

I know that is will come across as a bit tin hat sounding to some people, but all I'm saying is think about security from a bigger/wider point of view.

BarTender

3629 posts

Uber Geek
+1 received by user: 2572

ID Verified

Trusted

Lifetime subscriber

#1791702 30-May-2017 12:39

@tripper1000:

Hi Guys,

Can't believe people are seriously this foolish and tin foil wearing.

Router firmware gets compromised across 500k devices, or say you want to roll out a new feature like IPv6?. Do you:

A) Remotely update it using your centralised management server (Done overnight staggered over a week)

B) Do nothing as you know your end users can't be bothered or lack the skills to do it. (6 Months, under the very best of circumstances)

C) Send everyone a new router (got a spare 60 Million optimistically assuming $100 per router plus $20 for logistics, e-waste, DOAs and managing that project ?)

WannaCry is a perfect example of why remote management is so important. Did you turn off Windows Update to prevent your patches since Microsoft has a backdoor into your computer?

Do you know what else is done when a router is brought into the country. It's penetration tested to make sure it's not open to the interwebs and phoning home to our Chinese overlords. If you seriously think that Huawei would put a backdoor into their router and no one would spot it. Since as soon as it was known they did develop a backdoor they would be toast, no ISP would ever purchase from them again. It's just not worth the risk to Huawei's reputation and to infer it is nonsense.

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1791716 30-May-2017 12:48

tripper1000:

Malicious intent aside, Huawei hasn't been particularly sharp with security in the past - for example their Cell phones/Cell modems have historically been the easiest to network-unlock.

Doesn't that just prove the case as to why remote management is so essential? What happens when a flaw is discovered in a Huawei device? Should Spark and Vodafone email half a million customers with a .bin attachment telling them to update their router?

I know that is will come across as a bit tin hat sounding to some people, but all I'm saying is think about security from a bigger/wider point of view.

If Huawei (or any other provider) wanted to build a back door into a product they could (and for all we know might be already be doing this). None of this is related to TR-069 and TR-069 would not be suitable for such an exploit.

Dyson

Shop now for Dyson appliances (affiliate link).

Stu

Hammered
8739 posts

Uber Geek
+1 received by user: 2390

Moderator

ID Verified

Trusted

Lifetime subscriber

#1791722 30-May-2017 13:02

And it continues.

https://futurefive.co.nz/story/isps-build-backdoors-customer-modems-creating-security-breach/

Mind boggling. Truly mind boggling.

People often mistake me for an adult because of my age.

Keep calm, and carry on posting.

Referral Links: Sharesies -

Are you happy with what you get from Geekzone? If so, please consider supporting us by subscribing.

No matter where you go, there you are.

jeffory123

34 posts

Geek
+1 received by user: 4

ID Verified

#1792055 30-May-2017 22:37

Can anyone confirm whether HG630B has this capability? I've been unable to track it down so far. I've also noticed the HG630B doesn't seem to have an online firmware check which seems a bit wierd considering the older spark modem i had about 6 years had that feature. If there is no quick online check (ideally automated) it kind of makes sense to leave it to spark but normally i like to manage it myself as I tend to be a lot faster than most big corps.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1792068 30-May-2017 23:30

jeffory123:

Can anyone confirm whether HG630B has this capability? I've been unable to track it down so far. I've also noticed the HG630B doesn't seem to have an online firmware check which seems a bit wierd considering the older spark modem i had about 6 years had that feature. If there is no quick online check (ideally automated) it kind of makes sense to leave it to spark but normally i like to manage it myself as I tend to be a lot faster than most big corps.

Yes it does. Spark have used TR-069 for years.

I also bet they're 10000x faster than you with rolling out new firmware. It is normally rolled out to your router and running before it is released onto their website. Leave it turned on, there is no point at all turning it off and it has not bothered you for the time you've had it turned on so why disable it in the first place?

To be honest. Spark and other ISP's should be hiding this option in their next firmware update.

yitz

2238 posts

Uber Geek
+1 received by user: 594

#1792069 30-May-2017 23:36

Which modems and firmware versions do Spark roll out automatic firmware upgrades over TR-069 for? I'm pretty sure they don't for HG630b and the Thomson Gateways but I'm not sure about the HG659b and HG659 models. I know the Thomsons can be managed remotely for support purposes via the Motive Home Device Manager (HDM) platform.

Since Spark support a much wider range of modems/routers than the likes of 2degrees/Vodafone they would need to be careful in planning firmware upgrades sent over such a facility as they would not want to send out a wrong or bad firmware that would brick many modems. I guess you could compare it to carriers who send out mobile device firmware updates over the air (do any in NZ?)

It would also suck if they sent out a request to wipe/reset config to the wrong modem or one that had been passed on and used with another provider. Examples include resetting your bridge mode config or simply your wifi SSID.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41029

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1792101 31-May-2017 07:43

One or another (hypothetical) case of wrong configuration VS ability to update to newer versions, plug security holes, etc.

Too much ado about nothing.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Geekzone

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

chevrolux

4962 posts

Uber Geek
+1 received by user: 2638
Inactive user

#1792108 31-May-2017 07:59

I would of thought anyone truly worried about privacy/government spying/etc would be far more concerned about the DIA filter than an ISP ACS server.

Athlonite

1828 posts

Uber Geek
+1 received by user: 210
Inactive user

#1792125 31-May-2017 09:03

Well that's the best bit of comedy I've read for a while

BarTender

3629 posts

Uber Geek
+1 received by user: 2572

ID Verified

Trusted

Lifetime subscriber

#1792171 31-May-2017 09:51

chevrolux: I would of thought anyone truly worried about privacy/government spying/etc would be far more concerned about the DIA filter than an ISP ACS server.

Or ISP employees committing Credit Card / banking fraud rather than rebooting / wanting to open a port up on your firewall / remote diagnostics of your DSL sync rates.

That Lorde Remix keeps on springing to mind.

ripdog

548 posts

Ultimate Geek
+1 received by user: 373
Inactive user

#1792198 31-May-2017 10:30

Oh man, this thread is a trainwreck. So many people (many of them ISP employees) claiming in hyperbolic language that TR069 is a PERFECT technology that has NO security issues because NZ ISPs have FLAWLESS implementations. And you lot call yourself IT professionals?

Let's just make it clear - no technology is perfect. There's basically a guarantee that the TR069 protocol and/or implementations of it contain significant security flaws, which may or may not have been discovered. The entire model of allowing a backdoor into millions of modems is one that carries ludicrous risk, and introduces a single point of failure/compromise for *large swathes of the population*. What if someone got into the Spark ACS server? They could then turn all spark customers into botnet members in one fell swoop!

How many technologies have security implications that severe? What about if they installed malware to inspect and steal information from unencrypted data transmissions? What about if they used the compromised modems to launch a new mass malware attack against windows computers using the next SMB exploit? Imagine if WannaCry was launched not from email attachments but using the SMB1 exploit directly from consumer routers! The impact upon residential users would be ridiculous, especially considering how few people run off-site backups at home.

This leads to the situation where the security of millions of customers relies entirely on the competence of a tiny number of sysadmins at major ISPs - and what about the small ISPs, which want the benefits of TR069 but may not have access to experts on a rarely-deployed technology? What other technology would allow so many people to be attacked by a single security hole or misconfiguration? It seems to me like only security issues in major networking protocols or operating systems could have similar impact, and both of those have drastically more, highly experienced security researchers examining them.

And that assumes that all NZ ISPs do the whole TR069 thing perfectly. That means HTTPS, properly signed certificates, no acceptance of self-signed certificates. Those seem like basic qualifications, right? Well, according to the PC World article which was rubbished by sbiddle upthread (because apprantly attacks against the master C&C server isn't worth mentioning), "tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don’t use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS." Here's the article.

Now, I don't know if NZ ISPs are as slack as the ISPs tested by this actual security professional, but those are worrying figures indeed, and I think it's high time for NZ ISPs to be pressured into publicising details of their TR-069 implementations, to reassure customers that they are doing everything correctly.

And that leaves out the fact that TR069 is a very rarely deployed technology, meaning very few security researchers have examined its implementations. When major OSS software like OpenSSL is discovered to have gaping security holes, what hope does a tiny install base, proprietary server program have? If someone managed to get a hold of the server which Spark et al use and spend some time discovering security issues, we could all be in serious doo-doo. Or not, perhaps it's perfect - but how could you know?

I think one thing we've learned in the past few years is that companies, no matter how large, cannot simply be trusted to do things properly, especially when it comes to security. Major anti-virus programs (note: from companies founded entirely upon security products) are discovered to have major security issues on a regular basis. Gigantic online services like Yahoo, which have huge in-built incentive to secure their services, are hacked and lose passwords and the trust of their customers. Why are people in this thread simply saying "Our ISPs have done it all properly, there is no security issue"? That doesn't make sense, and that is a dangerously slack attitude for the geeks who should be doing what we can to advocate for the security of less-able computer users.

The only real security benefit of TR069 is the ability to rapidly push firmware updates when router vulnerabilities are discovered. But this is only useful if the router is still receiving updates from the manufacturer, which typically only continues for 2-3 years. I have no doubt that the majority of consumers in NZ are using out-of-update-period routers, because they still work and nobody told them to change. If ISPs really cared about the security of their routers, they would provide subsidised new routers to every customer using an old one. Of course this won't happen due to cost, but until it does, let's not pretend that TR069 has any security benefits* for the majority of NZ consumers who are happy with the old router they have because it works.

Sorry for the essay, but this thread really got my hackles up.

(*At most, a single service on a router discovered to have a vulnerability could be disabled en masse, assuming said service is optional (like DLNA or something), but that's a very fringe case.)

1 | 2 | 3 | 4 | 5 | 6