Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Forums2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus)Fraudulent Toll Charges
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 
SaltyNZ
8232 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #2052576 10-Jul-2018 12:18
Send private message

vulcannz:

 

SaltyNZ:

 

What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

 

 

LOL seriously would a VOIP provider operate open SIP without an SBC with no brute force protection? I hope not.

 

 

 

 

I couldn't say, not my area, but at the end of the day, the fraudulent usage was detected and notified.




iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.



NickMack
962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2052733 10-Jul-2018 14:22
Send private message

mattRSK:

 

I am wondering if anyone else has experienced the following issue on 2Degrees home phone plus.

 

Toll calls have been made from my phone to France from Saturday morning until early Monday morning. The calls are short and I have been charged $5 each time. Totalling just over $400.

 

The strange thing is that no one in this house has ever made a call to France.

 

I received a text message from 2degrees at 9am this morning. They advised there had been high toll call usage and wanted to check if these were genuine.

 

I called 2degrees and advised they were not genuine. Only to be told that I will still have to pay the toll charges. As the calls were made from my account.

 

I have spoken to a supervisor who will talk to accounts.

 

I really would have thought there would be a system in place to detect abnormal usage. With a toll bar applied until confirmation is received from the user.

 

The explanation from 2degrees is that someone has used a brute force method to gain access to the modem. Via remote access. They have factory reset the modem. This will supposedly prevent any further charges. I find this a bit hard to believe. Although I have a toll bar in place now.

 

Does this sound familiar to anyone? 

 

 

Hi Matt,

 

I've done a bit of digging on this and thought I'd chime in. As per above, it was a brute force attack on the remote access feature of the fritzbox that enabled the individual to gain access to the box. This has been resolved by a factory reset to wipe all accounts and restore service. The version of firmware stated in this thread is not open to any specific known vulnerabilities. In this case it appears to be a soft password setup for remote access which was the culprit. Due to the factory reset, post-mortem is no longer possible. 

 

In terms of firmware - All firmware that is available via the update feature on the fritzbox should be installed, it's been regression tested by 2degrees and therefore made available to customers for consumption. Periodically 2degrees also do pushes of firmware to devices to make sure they are running the latest and greatest using the TR69 protocol. This can take some time as there are many thousands of devices out there. You also miss people depending on devices being powered on, people moving houses etc. The current firmware version available is 6.84, more details on what's included is here - https://en.avm.de/service/

 

Some customers do change passwords for SIP via the 2degrees broadband portal (https://secure.2degreesbroadband.co.nz/login), other than setting the complexity 'rules' for a password, it's somewhat out of our control. We do however limit access to connect to the Metaswitch platform (Home plus) from the 2degrees network only. What this effectively means is that you need to 'gain access' on the local lan or via the fritzbox  on the 2degrees network to make fraudulent calls.

 

There is also a bunch of early detection for fault type behavior in terms of monitoring spend/consumption of minutes/dollars. When this happens, Fraud Management systems are alerted and customers are notified accordingly.

 

It looks like Customer Care have been in contact with you, charges for this specific event removed.

 

Nick.

 

 

 

 

 

 




https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz 

mattRSK

822 posts

Ultimate Geek

Trusted

  #2052884 10-Jul-2018 19:23
Send private message

Hi Nick

Yes, I have contacted customer services and these charges have been written off.

To be clear the remote access settings were setup up by 2degrees. You might want to look into whether these were secure enough.

Thanks for looking into it.



NickMack
962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2052889 10-Jul-2018 19:31
Send private message

Customer care are investigating this specific ticket, once concluded will take the appropriate remedial steps. Thanks for reaching out and helping with the investigation.

Nick.




https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz 

chevrolux
4962 posts

Uber Geek
Inactive user


  #2052890 10-Jul-2018 19:35
Send private message

SaltyNZ:

 

sbiddle:

 

SaltyNZ:

 

What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

 

 

The last time this happened to people it was the Fritzbox that was compromised not somebody brute forcing SIP credentials.

 

 

 

 

 

 

Ah, yes, not a lot you can do about that...

 

 

 

 

Seriously!!?!

 

There is SH1TLOADS that could be done about an unsecured routing sitting out wide open to the internet!!

 

Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.

 

 

 

But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?

NickMack
962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2052892 10-Jul-2018 19:40
Send private message

chevrolux:

SaltyNZ:


sbiddle:


SaltyNZ:


What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.



The last time this happened to people it was the Fritzbox that was compromised not somebody brute forcing SIP credentials.


 



 


Ah, yes, not a lot you can do about that...



 


Seriously!!?!


There is SH1TLOADS that could be done about an unsecured routing sitting out wide open to the internet!!


Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.


 


But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?



Thank you - I try to post 'interesting'stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via TR 69 protocol.

Nick




https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz 

vulcannz
436 posts

Ultimate Geek
Inactive user


  #2052901 10-Jul-2018 20:15
Send private message

This is why I hate TR-069. It's like painting a bullseye on your forehead.

 

Ideally you should be putting management access on unique ports then blocking any non-management-network traffic from reaching those devices. Changing management user names and credentials with a long complex password is essential too - I hate it when I see publicly manageable gear with the default admin name of 'admin'. This should be capital offence.

 

When you see how much automated scripting is constantly pummeling devices looking for holes I'm honestly surprised it hasn't become a massive problem in NZ.

 
 
 
 

Trade NZ and US shares and funds with Sharesies (affiliate link).
sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2052904 10-Jul-2018 20:30
Send private message

vulcannz:

 

This is why I hate TR-069. It's like painting a bullseye on your forehead.

 

 

Do you actually understand TR-069 with a comment like that?!

 

I can't disagree more. TR-069 is the exact opposite - it's an in credibly powerful tool for RSP's and any provider not using it should be.

 

None of these exploits involve TR-069 but the great thing about TR-069 and having remote access capabilities is when (for example) a firmware exploit makes it into the wild an RSP can very simply patch every one of their routers and eliminate the risk to their end users.

 

 

 

 

 

 

chevrolux
4962 posts

Uber Geek
Inactive user


  #2052909 10-Jul-2018 20:37
Send private message

NickMack:

 

Thank you - I try to post 'interesting'stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via TR 69 protocol.

Nick

 

So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked.. If it was OP that enabled it then fair game, not 2degrees fault. But if 2degrees enabled it and then forgot to disable, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but still something I would of thought a company the size of 2degrees would just avoid altogether?

mattRSK

822 posts

Ultimate Geek

Trusted

  #2052960 10-Jul-2018 21:30
Send private message

It was enabled by 2degrees to setup home phone.

SaltyNZ
8232 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #2052993 10-Jul-2018 21:59
Send private message

chevrolux:

 

 

 

So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked.. If it was OP that enabled it then fair game, not 2degrees fault. But if 2degrees enabled it and then forgot to disable, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but still something I would of thought a company the size of 2degrees would just avoid altogether?

 

 

 

 

TR-069 is used by practically every service provider on the planet.




iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.

chevrolux
4962 posts

Uber Geek
Inactive user


  #2053008 10-Jul-2018 22:47
Send private message

SaltyNZ:

chevrolux:


 


So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked.. If it was OP that enabled it then fair game, not 2degrees fault. But if 2degrees enabled it and then forgot to disable, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but still something I would of thought a company the size of 2degrees would just avoid altogether?



 


TR-069 is used by practically every service provider on the planet.



I've got zero issue with TR069 being used. But that's not what got brute forces here was it? In fact (and happy to stand corrected), isn't that sort of the point of a TR069 client? Its simply a client that begins the provisioning process. It's the provisioning server that authenticates the device requesting the config.

So I'm saying, why are 2degrees enabling the direct HTTPS remote access feature of the Fritzbox and then not removing it?

NickMack
962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2054148 11-Jul-2018 10:04
Send private message

chevrolux:

 

NickMack:
chevrolux:

 

SaltyNZ:

 

 

 

sbiddle:

 

 

 

SaltyNZ:

 

 

 

What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

 

 

 

 

 

 

The last time this happened to people it was the Fritzbox that was compromised not somebody brute forcing SIP credentials.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Ah, yes, not a lot you can do about that...

 

 

 

 

 

 

 

 

 

 

Seriously!!?!

 

 

 

There is SH1TLOADS that could be done about an unsecured routing sitting out wide open to the internet!!

 

 

 

Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.

 

 

 

 

 

 

 

But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?

 



Thank you - I try to post 'interesting'stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via TR 69 protocol.

Nick

 

So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked.. If it was OP that enabled it then fair game, not 2degrees fault. But if 2degrees enabled it and then forgot to disable, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but still something I would of thought a company the size of 2degrees would just avoid altogether?

 

 

There should be no need for a ISP to enable remote access as everything is configurable via TR069. Since the device was factory reset to resolve and restore service, either way is hard to prove in terms of the state of the device.

 

Nick.

 

 




https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz 

NickMack
962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2054260 11-Jul-2018 12:28
Send private message

Hi All,

 

I've had a follow up meeting with Head of Customer Care to talk further about this issue. There will be some follow up training/education refreshers being run for the team on the best way to support and service our customers with respect to how best to provide remote support for Fritzbox devices. The only way we will be supporting customers is by using the TR69 protocol, not setting up remote access, as well as a real push on ensuring all customers are running the latest version of Firmware.

 

Nick.




https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz 

2degreesCare
1537 posts

Uber Geek

Trusted
2degrees

  #2054301 11-Jul-2018 13:01
Send private message

Hi mattRSK

 

Can you PM us your customer ID please?

 

Thanks 

 

^POB

1 | 2 
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright