Geekzone: technology news, blogs, forums


Krullos

193 posts

Master Geek
+1 received by user: 26

ID Verified

#148602 24-Jun-2014 18:04

So just got the monthly bill from Snap today and noticed that it included $80.30 in toll charges, which was strange as we have free national calling, and don't make international calls.



Looking at the toll charges in detail I saw they were mostly to Aruba and Madagascar, and whilst no one was at home...



So I logged into my Fritz!Box 7390 and had a look in the Event Log, which showed someone logging in under the account "snapadmin" and making changes just prior to the fraudulent calls...



and then they set up their own telephony device "IP telephone 1"...



which was allowed connection from the internet...




I promptly rang Snap and they've been amazing in fixing the problem:

Apparently there had been some glitch with my initial setup, where Snap should have connected to my Fritz!Box, done their automatic configuration changes and reset the password from their default one to a randomly generated one, but for some reason this hadn't happened (been with them for over a year now) meaning the remote access account was still set to the default (and apparently known) password.

They've got it all sorted now, and are reversing the toll charges so very happy with their prompt support, although a little concerned that this vulnerability had existed (and could possibly still exist for other customers).





ChrisNZL
309 posts

Ultimate Geek
+1 received by user: 29


  #1073620 24-Jun-2014 18:13

That's unfortunate.

Good to hear that Snap has taken action at least and reversed the charges :)




Creator of Tallowmere. Working on Tallowmere 2.



freitasm
BDFL - Memuneh
79608 posts

Uber Geek
+1 received by user: 38034

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1073623 24-Jun-2014 18:16

Just to show that even ONE device with a default password will be found... 






jnimmo
1097 posts

Uber Geek
+1 received by user: 255


  #1073624 24-Jun-2014 18:20

That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it



michaelmurfy
meow
13367 posts

Uber Geek
+1 received by user: 10370

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1073626 24-Jun-2014 18:22

I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


hio77
12999 posts

Uber Geek
+1 received by user: 3867

ID Verified
Trusted
Lizard Networks

  #1073640 24-Jun-2014 18:34

jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


Krullos

193 posts

Master Geek
+1 received by user: 26

ID Verified

  #1073641 24-Jun-2014 18:34

michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side

michaelmurfy
meow
13367 posts

Uber Geek
+1 received by user: 10370

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1073644 24-Jun-2014 18:52

Krullos:
michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side


This is my feeling.

 

Any remote access can be exploited. I refuse to allow any remote access and heck, my connection also has CG-NAT on it.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


 
 
 

jnimmo
1097 posts

Uber Geek
+1 received by user: 255


  #1073656 24-Jun-2014 19:17

hio77:
jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.

The web server running on port 443 will be blocking access to home servers anyway. What I mean is I thought the firmware would have a way to restrict access to the local subnet or a Snap management address, which they could enable by default.

sbiddle
30853 posts

Uber Geek
+1 received by user: 9992

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1073666 24-Jun-2014 19:37

Using the correct tool it's possible to find thousands of Linksys/Cisco SPA devices with default passwords on the internet within a couple of minutes. It takes literally a few seconds to set a call forward on these and make calls which they'll be billed for.

There are plenty of cowboys out there in the VoIP world these days who know nothing about VoIP. They think they're experts because they've been to a course hosted by a reseller and know how to configure a phone.

It's much like people who set port forwards on port 5060 and don't lock down their hardware to only allow SIP traffic from their SIP proxy.

Most VoIP exploits are to numbers in Africa where those taking part normally get a cut of the interconnect. 





jonathan18
7413 posts

Uber Geek
+1 received by user: 2850

ID Verified
Trusted

  #1073672 24-Jun-2014 19:48

We had the same problem; Snap said there are a few in the same boat. We contacted them after we found we were having problems with the line with people not able to ring us and us not able to ring out (assume the line was busy calling Madagascar at the time!). This led them to finding we also had been hacked. Snap fixed it relatively quickly and reversed all charges, but agree this is a vulnerability that no one should have been able to exploit if Snap had done their job correctly in the first place. They gave me a little sweetener to help with my current data shortfall, so I'm not too unhappy!

Edit: damn, in updating the router's firmware they've also deleted any call data so I don't get to see what exotic places I've been 'calling'. Hopefully this'll be on our next bill.

chevrolux
4962 posts

Uber Geek
+1 received by user: 2638
Inactive user


  #1074425 25-Jun-2014 17:18

Hahahahaha I can not believe this has actually happened. This is actually terrible.

Good on them for reversing the charges but holy cr4p, can't believe it happened in the first place.

DarthKermit
5346 posts

Uber Geek
+1 received by user: 3317

Trusted

  #1074429 25-Jun-2014 17:23

I hope that for Snap's sake they put a lid on this quickly or they'll be bleeding $$$$ for Africa.




Whatifthespacekeyhadneverbeeninvented?


blakamin
4431 posts

Uber Geek
+1 received by user: 1306
Inactive user


  #1074517 25-Jun-2014 19:56

michaelmurfy: 

Most of them don't even change their default router password.


OT, but I had a telstra tech come around due to a cable fault.... "oh, you've changed the default password... can I have the new one?"  
Um, no. I'll log you into the router on my laptop.
Telstra cable modems/routers have built in wifi (which I disabled).


Good to see snap were on to it with the charges.

Dratsab
3951 posts

Uber Geek
+1 received by user: 1694

Trusted
Lifetime subscriber

  #1074524 25-Jun-2014 20:06

Pretty sure I've tracked down the culprits!


ubergeeknz
3344 posts

Uber Geek
+1 received by user: 1041

Trusted
Vocus

  #1074570 25-Jun-2014 21:07

Have seen this happen... a sales guy had set up a router for testing, with remote access and default passwords.  Within a couple days, the account made some dodgy international calls.  We figured out that someone had logged in remotely and forwarded calls from the router, then called the local NZ number for the router (which they could readily glean from the web UI).  

They'd done it outside of hours, and put it all back to normal, so we might not have even known if not for our fraud detection algorithms.  It can happen surprisingly quickly if you have anything unsecured that is capable of making (or forwarding) phone calls.

We threatened to make him pay, but as it turned out the charges were very small - most of the destinations they tried to call we don't allow (this measure alone has saved us and our customers a lot in toll fraud).

One thing we've noticed with toll fraudsters in general, is they tend to target a device, and do a few tests first, then they'll come back and slam it at a later date, or just make a few calls a night and go for the long game hoping nobody notices.
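
Added example, not part of the post above and not any provider's actual system: a sketch of the two controls the post describes, refusing disallowed destinations at dial time and flagging the "few tests first, then slam it later" pattern in call records. The thresholds, account names and call records are constructed for illustration; the two denied prefixes are the country codes for Madagascar and Aruba, the destinations named in this thread.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values for this sketch, not any provider's real settings.
DENY_PREFIXES = ("+261", "+297")   # Madagascar, Aruba
HOME_PREFIX = "+64"                # New Zealand
PROBE_MAX_SECS = 15                # short "does it work?" test call
BURST_MIN_CALLS = 3                # international calls per account per day
QUIET_HOURS = range(0, 6)          # 00:00-05:59 local time

# Constructed call detail records: (start time, account, dialled number, seconds)
CDRS = [
    ("2014-06-10 02:14", "acct-A", "+2612000001", 8),
    ("2014-06-10 02:16", "acct-A", "+2975000001", 6),
    ("2014-06-14 01:05", "acct-A", "+2612000002", 540),
    ("2014-06-14 01:20", "acct-A", "+2612000003", 610),
    ("2014-06-14 01:40", "acct-A", "+2975000002", 480),
    ("2014-06-12 19:30", "acct-B", "+6491234567", 300),
    ("2014-06-13 10:00", "acct-B", "+61299990000", 120),
]

def should_block(number):
    """Destination control: refuse calls to prefixes the provider does not allow."""
    return number.startswith(DENY_PREFIXES)

def find_probe_then_burst(cdrs):
    """Return accounts with short out-of-hours international test calls
    followed on a later day by a burst of international calls."""
    probes = defaultdict(set)                       # account -> dates with probe calls
    volume = defaultdict(lambda: defaultdict(int))  # account -> date -> intl call count
    for start, acct, number, secs in cdrs:
        if number.startswith(HOME_PREFIX):
            continue                                # national calls are out of scope
        t = datetime.strptime(start, "%Y-%m-%d %H:%M")
        volume[acct][t.date()] += 1
        if secs <= PROBE_MAX_SECS and t.hour in QUIET_HOURS:
            probes[acct].add(t.date())
    flagged = []
    for acct, days in volume.items():
        bursts = [d for d, n in days.items() if n >= BURST_MIN_CALLS]
        if any(b > p for b in bursts for p in probes[acct]):
            flagged.append(acct)
    return sorted(flagged)

if __name__ == "__main__":
    print("blocked at dial time:", [c[2] for c in CDRS if should_block(c[2])])
    print("probe-then-burst accounts:", find_probe_then_burst(CDRS))
```

The destination check stops the call before it is billed, while the pattern check only fires after the burst, which is why the two are used together.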








