Geekzone: technology news, blogs, forums
2886 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1791181 29-May-2017 15:50
4 people support this post

jeffory123:

 

Interesting that a few current and former employees of NZ telcos are so confident in the security of their networks and infrastructure :) Now I must admit I have only encountered a few former Russian software engineers from Vodafone but their coding/general security awareness left a lot to be desired and they were just generally dodgy. Now these were software engineers not infra guys but I'm not convinced their employee screening process is without flaws. Therefore I would not consider it a 0% risk of a rogue employee compromising their ACS server and it going unchecked.

 

I certainly was not made aware of any remote maintenance capability when I signed up with both Spark and Vodafone. The one good thing this article has done despite its flaws is made people more aware of the fact so they can then educate themselves on the matter and then make an informed decision on whether to disable any remote access capability to their modem.

 

 

To me it's clear you have no idea of what the "actual" security issue is and how it can be exploited.

 

 1) It's not the ACS server that the article talks about, it's the "Connection Request" port, aka Port 8081 on the Huawei, that is exposed to the internet by the router. There are issues all the time with various services that are internet facing. That's why servers get patched and updated.

 

 2) The "Connection Request" port can only be accessed using a random Username & Password that the ACS sets when the router first connects and downloads its profile.

 

 3) "IF" the Username & Password for the "Connection Request" was compromised then all that would happen is the router would initiate a "Phone home" request back to the hard-coded ACS server. There is no configuration ability on the Router end to do anything as it's a simple "HTTP GET" request and that causes the router to phone home.

 

 4) "IF" there was a rogue ISP employee (be it Spark/Vodafone or any of the other worldwide ISPs that use TR-069/ACS for Remote Management) then that stuff tends to get picked up by the logging in the ACS and is a career limiting move. I personally know the ACS well and there is VERY little the CSR Reps can do apart from rebooting the router and seeing how many devices are connected on the client side. It's all heavily logged and audited. One would think stealing customers' banking / credit card information would be a more lucrative endeavour.

 

 5) Having Remote Management is vital in any Telco grade environment. Just like Windows Update updates your PC, the ACS can update your router. Customers appreciate being able to be remotely diagnosed and if a new firmware comes out how else are they supposed to get pushed out to literally hundreds of thousands of devices? Do you expect end-customers to be able to run through the manual steps to upgrade the firmware on their router?

 

 

 

In short, if you see anything malicious, underhand or devious with wanting to have enterprise grade management of all the routers an ISP ships to their customers then you really need to put away the tin foil hat, disconnect your internet immediately as the GCSB are watching, get outside and enjoy the fresh air.

 

Having remote management is configuration management 101.

 

Did you see the Lorde Remix?

 






20 posts

Geek


  # 1791435 29-May-2017 23:12

Anyone know where the setting is on the spark HG630B modem?

 

 

 

BarTender:

 

 

 

 2) The "Connection Request" port can only be accessed using a random Username & Password that the ACS sets when the router first connects and downloads its profile

 

 

 

 

 

 

 

 

If the ACS server was compromised wouldn't it be able to issue a pre-defined username and password which would then open it up to an external non-monitored attack?


 
 
 
 


Mr Snotty
8909 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1791479 30-May-2017 07:37
One person supports this post

jeffory123:

 

If the ACS server was compromised wouldn't it be able to issue a pre-defined username and password which would then open it up to an external non-monitored attack?

 

I think you should read the many other posts explaining it is not a security risk and that is not going to happen and just leave it alone. You're opening yourself up for attack by disabling it if there was ever a router exploit and Spark were unable to roll out a firmware update to you.





1080 posts

Uber Geek


  # 1791642 30-May-2017 11:34

Hi Guys, I understand that this is a very useful and productive feature for customer support, and Bartender has explained that within the ISP's security and controls around the system is good, however I wonder if everyone is looking at the security implications from a consumer personal privacy/financial point of view, rather than a commercial or government espionage point of view.

 

We know all too well from the recent Wanna Cry attack that government espionage departments are always creating sneaky ways to hack into networks.

 

The Chinese are the most prolific espionage hackers in the world. They have entire Army divisions, occupying multi-story office blocks, dedicated to the task. Some of the sneakiest code facilitating the most significant data thefts from the Pentagon and Western companies has been written in 16 Bit languages, strongly suggesting Chinese/Korean/Japanese origins.

 

The Chinese government can exert ultimate control of any Chinese company they wish, and Huawei is a Chinese company owned by an ex Chinese Army General which means it is not only highly vulnerable to Chinese Govt manipulation, it may also be highly sympathetic to it. This system is potentially a back door into a network that bypasses the first firewall. Sure, the ISP's server sets a random pass/login on setup, however is anyone sure that there is not a master pass/login, or even a whole other remote access system woven in with it?

 

Western spy departments were loading hacked spying firmware on adversaries' Nokia phones back in the 90's (even easier with modern smart phones), so dodgy firmware on modems out of China is plausible.

 

Malicious intent aside, Huawei hasn't been particularly sharp with security in the past - for example their Cell phones/Cell modems have historically been the easiest to network-unlock. 

 

I know that this will come across as a bit tin hat sounding to some people, but all I'm saying is think about security from a bigger/wider point of view.


2886 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1791702 30-May-2017 12:39
5 people support this post

@tripper1000:

 

Hi Guys,



Can't believe people are seriously this foolish and tin foil wearing.

Router firmware gets compromised across 500k devices, or say you want to roll out a new feature like IPv6? Do you:

A) Remotely update it using your centralised management server (Done overnight staggered over a week)

 

B) Do nothing as you know your end users can't be bothered or lack the skills to do it. (6 Months, under the very best of circumstances)

 

C) Send everyone a new router (got a spare 60 Million optimistically assuming $100 per router plus $20 for logistics, e-waste, DOAs and managing that project ?)

 


WannaCry is a perfect example of why remote management is so important. Did you turn off Windows Update to prevent your patches since Microsoft has a backdoor into your computer?

 

Do you know what else is done when a router is brought into the country? It's penetration tested to make sure it's not open to the interwebs and phoning home to our Chinese overlords. If you seriously think that Huawei would put a backdoor into their router and no one would spot it. Since as soon as it was known they did develop a backdoor they would be toast, no ISP would ever purchase from them again. It's just not worth the risk to Huawei's reputation and to infer it is nonsense.






28352 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1791716 30-May-2017 12:48
3 people support this post

tripper1000:

 

 

 

Malicious intent aside, Huawei hasn't been particularly sharp with security in the past - for example their Cell phones/Cell modems have historically been the easiest to network-unlock. 

 

 

Doesn't that just prove the case as to why remote management is so essential? What happens when a flaw is discovered in a Huawei device? Should Spark and Vodafone email half a million customers with a .bin attachment telling them to update their router?

 

 

I know that this will come across as a bit tin hat sounding to some people, but all I'm saying is think about security from a bigger/wider point of view.

 

 

If Huawei (or any other provider) wanted to build a back door into a product they could (and for all we know might already be doing this). None of this is related to TR-069 and TR-069 would not be suitable for such an exploit.


Stu

Hammered
5293 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1791722 30-May-2017 13:02




Keep calm, and carry on posting.

 

 

 



 
 
 
 


20 posts

Geek


  # 1792055 30-May-2017 22:37

Can anyone confirm whether HG630B has this capability? I've been unable to track it down so far. I've also noticed the HG630B doesn't seem to have an online firmware check which seems a bit weird considering the older Spark modem I had about 6 years had that feature. If there is no quick online check (ideally automated) it kind of makes sense to leave it to Spark but normally I like to manage it myself as I tend to be a lot faster than most big corps.


Mr Snotty
8909 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1792068 30-May-2017 23:30
One person supports this post

jeffory123:

 

Can anyone confirm whether HG630B has this capability? I've been unable to track it down so far. I've also noticed the HG630B doesn't seem to have an online firmware check which seems a bit weird considering the older Spark modem I had about 6 years had that feature. If there is no quick online check (ideally automated) it kind of makes sense to leave it to Spark but normally I like to manage it myself as I tend to be a lot faster than most big corps.

 

Yes it does. Spark have used TR-069 for years.

 

I also bet they're 10000x faster than you with rolling out new firmware. It is normally rolled out to your router and running before it is released onto their website. Leave it turned on, there is no point at all turning it off and it has not bothered you for the time you've had it turned on so why disable it in the first place?

 

To be honest, Spark and other ISPs should be hiding this option in their next firmware update.





1408 posts

Uber Geek


  # 1792069 30-May-2017 23:36

Which modems and firmware versions do Spark roll out automatic firmware upgrades over TR-069 for? I'm pretty sure they don't for HG630b and the Thomson Gateways but I'm not sure about the HG659b and HG659 models. I know the Thomsons can be managed remotely for support purposes via the Motive Home Device Manager (HDM) platform.

 

 

Since Spark support a much wider range of modems/routers than the likes of 2degrees/Vodafone they would need to be careful in planning firmware upgrades sent over such a facility as they would not want to send out a wrong or bad firmware that would brick many modems. I guess you could compare it to carriers who send out mobile device firmware updates over the air (do any in NZ?)

 

 

It would also suck if they sent out a request to wipe/reset config to the wrong modem or one that had been passed on and used with another provider. Examples include resetting your bridge mode config or simply your wifi SSID.

BDFL - Memuneh
64805 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1792101 31-May-2017 07:43
4235 posts

Uber Geek


  # 1792108 31-May-2017 07:59
2 people support this post

I would have thought anyone truly worried about privacy/government spying/etc would be far more concerned about the DIA filter than an ISP ACS server.

1828 posts

Uber Geek
Inactive user


  # 1792125 31-May-2017 09:03

Well that's the best bit of comedy I've read for a while 


2886 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1792171 31-May-2017 09:51
One person supports this post

chevrolux: I would have thought anyone truly worried about privacy/government spying/etc would be far more concerned about the DIA filter than an ISP ACS server.

 

Or ISP employees committing Credit Card / banking fraud rather than rebooting / wanting to open a port up on your firewall / remote diagnostics of your DSL sync rates.

 

That Lorde Remix keeps on springing to mind.






466 posts

Ultimate Geek

Subscriber

  # 1792198 31-May-2017 10:30
One person supports this post

Oh man, this thread is a trainwreck. So many people (many of them ISP employees) claiming in hyperbolic language that TR069 is a PERFECT technology that has NO security issues because NZ ISPs have FLAWLESS implementations. And you lot call yourself IT professionals?

 

 

 

Let's just make it clear - no technology is perfect. There's basically a guarantee that the TR069 protocol and/or implementations of it contain significant security flaws, which may or may not have been discovered. The entire model of allowing a backdoor into millions of modems is one that carries ludicrous risk, and introduces a single point of failure/compromise for *large swathes of the population*. What if someone got into the Spark ACS server? They could then turn all spark customers into botnet members in one fell swoop!

 

How many technologies have security implications that severe? What about if they installed malware to inspect and steal information from unencrypted data transmissions? What about if they used the compromised modems to launch a new mass malware attack against windows computers using the next SMB exploit? Imagine if WannaCry was launched not from email attachments but using the SMB1 exploit directly from consumer routers! The impact upon residential users would be ridiculous, especially considering how few people run off-site backups at home.

 

This leads to the situation where the security of millions of customers relies entirely on the competence of a tiny number of sysadmins at major ISPs - and what about the small ISPs, which want the benefits of TR069 but may not have access to experts on a rarely-deployed technology? What other technology would allow so many people to be attacked by a single security hole or misconfiguration? It seems to me like only security issues in major networking protocols or operating systems could have similar impact, and both of those have drastically more, highly experienced security researchers examining them.

 

And that assumes that all NZ ISPs do the whole TR069 thing perfectly. That means HTTPS, properly signed certificates, no acceptance of self-signed certificates. Those seem like basic qualifications, right? Well, according to the PC World article which was rubbished by sbiddle upthread (because apparently attacks against the master C&C server isn't worth mentioning), "tests performed by Tal and his colleagues revealed that around 80 percent of real-world deployments don’t use encrypted connections. Even when HTTPS is used, in some cases there are certificate validation issues, with the customer equipment accepting self-signed certificates presented by an ACS." Here's the article.

 

Now, I don't know if NZ ISPs are as slack as the ISPs tested by this actual security professional, but those are worrying figures indeed, and I think it's high time for NZ ISPs to be pressured into publicising details of their TR-069 implementations, to reassure customers that they are doing everything correctly.

 

And that leaves out the fact that TR069 is a very rarely deployed technology, meaning very few security researchers have examined its implementations. When major OSS software like OpenSSL is discovered to have gaping security holes, what hope does a tiny install base, proprietary server program have? If someone managed to get a hold of the server which Spark et al use and spend some time discovering security issues, we could all be in serious doo-doo. Or not, perhaps it's perfect - but how could you know?

 

I think one thing we've learned in the past few years is that companies, no matter how large, cannot simply be trusted to do things properly, especially when it comes to security. Major anti-virus programs (note: from companies founded entirely upon security products) are discovered to have major security issues on a regular basis. Gigantic online services like Yahoo, which have huge in-built incentive to secure their services, are hacked and lose passwords and the trust of their customers. Why are people in this thread simply saying "Our ISPs have done it all properly, there is no security issue"? That doesn't make sense, and that is a dangerously slack attitude for the geeks who should be doing what we can to advocate for the security of less-able computer users.

 

The only real security benefit of TR069 is the ability to rapidly push firmware updates when router vulnerabilities are discovered. But this is only useful if the router is still receiving updates from the manufacturer, which typically only continues for 2-3 years. I have no doubt that the majority of consumers in NZ are using out-of-update-period routers, because they still work and nobody told them to change. If ISPs really cared about the security of their routers, they would provide subsidised new routers to every customer using an old one. Of course this won't happen due to cost, but until it does, let's not pretend that TR069 has any security benefits* for the majority of NZ consumers who are happy with the old router they have because it works.

 

 

 

Sorry for the essay, but this thread really got my hackles up.

 

(*At most, a single service on a router discovered to have a vulnerability could be disabled en masse, assuming said service is optional (like DLNA or something), but that's a very fringe case.)
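
An added example, not part of any post in this thread: a Python audit over a constructed ACS provisioning export that flags the weaknesses argued about above (plaintext ACS URL, unvalidated or self-signed ACS certificates, and Connection Request credentials that are missing, guessable or reused across devices). The `URL` and `ConnectionRequest*` names follow the TR-069 `ManagementServer` parameters; the `tls_*` keys, the 16-character threshold and every sample value are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

MIN_SECRET_LEN = 16  # assumed policy threshold, not a TR-069 requirement


def audit_device(rec):
    """Return finding codes for one device record."""
    findings = []
    # ACS session: plaintext HTTP, or HTTPS without proper certificate checks.
    if urlsplit(rec.get("URL", "")).scheme.lower() != "https":
        findings.append("acs-url-not-https")
    elif not rec.get("tls_verify_chain", False):
        findings.append("acs-cert-not-validated")
    elif rec.get("tls_accept_self_signed", False):
        findings.append("acs-self-signed-accepted")
    # Connection Request listener: credentials should be set and not guessable.
    user = rec.get("ConnectionRequestUsername", "")
    secret = rec.get("ConnectionRequestPassword", "")
    if not user or not secret:
        findings.append("connreq-credentials-missing")
    elif len(secret) < MIN_SECRET_LEN or secret == user:
        findings.append("connreq-credentials-weak")
    return findings


def _pair(rec):
    return rec.get("ConnectionRequestUsername", ""), rec.get("ConnectionRequestPassword", "")


def audit_fleet(records):
    """Map serial -> findings, adding a flag for credentials reused across devices."""
    seen = Counter(_pair(r) for r in records)
    report = {}
    for rec in records:
        findings = audit_device(rec)
        if all(_pair(rec)) and seen[_pair(rec)] > 1:
            findings.append("connreq-credentials-shared")
        report[rec["serial"]] = findings
    return report


# Constructed sample export; serials, hosts and secrets are made up.
SAMPLE = [
    {"serial": "CPE-0001", "URL": "https://acs.example.net/cwmp",
     "tls_verify_chain": True, "tls_accept_self_signed": False,
     "ConnectionRequestUsername": "a91f3c0d7e",
     "ConnectionRequestPassword": "Zq8vT2mLx4Rk9wYb1NcD"},
    {"serial": "CPE-0002", "URL": "http://acs.example.net:7547/cwmp",
     "ConnectionRequestUsername": "admin",
     "ConnectionRequestPassword": "admin"},
    {"serial": "CPE-0003", "URL": "https://acs.example.net/cwmp",
     "tls_verify_chain": True, "tls_accept_self_signed": True,
     "ConnectionRequestUsername": "cpe-fleet",
     "ConnectionRequestPassword": "S7f2kQ9xLm4TzR8wYb1N"},
    {"serial": "CPE-0004", "URL": "https://acs.example.net/cwmp",
     "tls_verify_chain": False, "tls_accept_self_signed": False,
     "ConnectionRequestUsername": "cpe-fleet",
     "ConnectionRequestPassword": "S7f2kQ9xLm4TzR8wYb1N"},
]

if __name__ == "__main__":
    for serial, findings in audit_fleet(SAMPLE).items():
        print(serial, ", ".join(findings) or "ok")
```

The reuse check only works on the provisioning side, since a device is not expected to hand its Connection Request password back in readable form.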

