Geekzone: technology news, blogs, forums


Krullos

138 posts

Master Geek

ID Verified

#148602 24-Jun-2014 18:04

So just got the monthly bill from Snap today and noticed that it included $80.30 in toll charges, which was strange as we have free national calling, and don't make international calls.



Looking at the toll charges in detail I saw they were mostly to Aruba and Madagascar, and whilst no one was at home...



So I logged into my Fritz!Box 7390 and had a look in the Event Log, which showed someone logging in under the account "snapadmin" and making changes just prior to the fraudulent calls...



and then they set up their own telephony device "IP telephone 1"...



which was allowed connection from the internet...




I promptly rang Snap and they've been amazing in fixing the problem:

Apparently there had been some glitch with my initial setup, where Snap should have connected to my Fritz!Box, done their automatic configuration changes and reset the password from their default one to a randomly generated one, but for some reason this hadn't happened (been with them for over a year now) meaning the remote access account was still set to the default (and apparently known) password.

They've got it all sorted now, and are reversing the toll charges so very happy with their prompt support, although a little concerned that this vulnerability had existed (and could possibly still exist for other customers).





ChrisNZL
308 posts

Ultimate Geek


  #1073620 24-Jun-2014 18:13

That's unfortunate.

Good to hear that Snap has taken action at least and reversed the charges :)




Creator of Tallowmere. Working on Tallowmere 2.

 
 
 

freitasm
BDFL - Memuneh
76388 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1073623 24-Jun-2014 18:16

Just to show that even ONE device with a default password will be found... 





jnimmo
1073 posts

Uber Geek


  #1073624 24-Jun-2014 18:20

That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it



michaelmurfy
cat
12247 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1073626 24-Jun-2014 18:22

I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


hio77
'That VDSL Cat'
12984 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #1073640 24-Jun-2014 18:34

jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


Krullos

138 posts

Master Geek

ID Verified

  #1073641 24-Jun-2014 18:34

michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side

michaelmurfy
cat
12247 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1073644 24-Jun-2014 18:52

Krullos:
michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side


This is my feeling.

 

Any remote access can be exploited. I refuse to allow any remote access and heck, my connection also has CG-NAT on it.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




jnimmo
1073 posts

Uber Geek


  #1073656 24-Jun-2014 19:17

hio77:
jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.

The web server running on port 443 will be blocking access to home servers anyway. What I mean is I thought the firmware would have a way to restrict access to the local subnet or a Snap management address, which they could enable by default.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1073666 24-Jun-2014 19:37

Using the correct tool it's possible to find thousands of Linksys/Cisco SPA devices with default passwords on the internet within a couple of minutes. It takes literally a few seconds to set a call forward on these and make calls which they'll be billed for.

There are plenty of cowboys out there in the VoIP world these days who know nothing about VoIP. They think they're experts because they've been to a course hosted by a reseller and know how to configure a phone.

It's much like people who set port forwards on port 5060 and don't lock down their hardware to only allow SIP traffic from their SIP proxy.

Most VoIP exploits are to numbers in Africa where those taking part normally get a cut of the interconnect. 





jonathan18
6998 posts

Uber Geek

ID Verified
Trusted

  #1073672 24-Jun-2014 19:48

We had the same problem; Snap said there are a few in the same boat. We contacted them after we found we were having problems with the line with people not able to ring us and us not able to ring out (assume the line was busy calling Madagascar at the time!). This led them to finding we also had been hacked. Snap fixed it relatively quickly and reversed all charges, but agree this is a vulnerability that no one should have been able to exploit if Snap had done their job correctly in the first place. They gave me a little sweetener to help with my current data shortfall, so I'm not too unhappy!

Edit: damn, in updating the router's firmware they've also deleted any call data so I don't get to see what exotic places I've been 'calling'. Hopefully this'll be on our next bill.

chevrolux
4962 posts

Uber Geek
Inactive user


  #1074425 25-Jun-2014 17:18

Hahahahaha I can not believe this has actually happened. This is actually terrible.

Good on them for reversing the charges but holy cr4p, can't believe it happened in the first place.

DarthKermit
5346 posts

Uber Geek

Trusted

  #1074429 25-Jun-2014 17:23

I hope that for Snap's sake they put a lid on this quickly or they'll be bleeding $$$$ for Africa.




Whatifthespacekeyhadneverbeeninvented?


blakamin
4431 posts

Uber Geek
Inactive user


  #1074517 25-Jun-2014 19:56

michaelmurfy: 

Most of them don't even change their default router password.


OT, but I had a telstra tech come around due to a cable fault.... "oh, you've changed the default password... can I have the new one?"  
Um, no. I'll log you in to the router on my laptop.
Telstra cable modems/routers have built in wifi (which I disabled).


Good to see snap were on to it with the charges.

Dratsab
3934 posts

Uber Geek

Trusted
Lifetime subscriber

  #1074524 25-Jun-2014 20:06

Pretty sure I've tracked down the culprits!


ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #1074570 25-Jun-2014 21:07

Have seen this happen... a sales guy had set up a router for testing, with remote access and default passwords.  Within a couple days, the account made some dodgy international calls.  We figured out that someone had logged in remotely and forwarded calls from the router, then called the local NZ number for the router (which they could readily glean from the web UI).  

They'd done it outside of hours, and put it all back to normal, so we might not have even known if not for our fraud detection algorithms.  It can happen surprisingly quickly if you have anything unsecured that is capable of making (or forwarding) phone calls.

We threatened to make him pay, but as it turned out the charges were very small - most of the destinations they tried to call we don't allow (this measure alone has saved us and our customers a lot in toll fraud).

One thing we've noticed with toll fraudsters in general, is they tend to target a device, and do a few tests first, then they'll come back and slam it at a later date, or just make a few calls a night and go for the long game hoping nobody notices.
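
The calling patterns described in this thread (international calls from a line that never makes them, a few short test calls first, then a burst at a later date) can be checked for in call detail records. The following is an added example, not code from any poster or provider in the thread; the record layout, account names, thresholds and sample calls are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (start, account, destination country, seconds); all values invented.
CDRS = [
    ("2014-06-01 19:02", "acct-a", "NZ", 310),
    ("2014-06-03 12:40", "acct-a", "NZ", 95),
    ("2014-06-10 02:14", "acct-a", "MG", 6),     # short test call
    ("2014-06-10 02:15", "acct-a", "AW", 4),     # short test call
    ("2014-06-14 01:30", "acct-a", "MG", 1260),
    ("2014-06-14 01:52", "acct-a", "MG", 1180),
    ("2014-06-14 02:13", "acct-a", "AW", 1400),
    ("2014-06-02 09:00", "acct-b", "AU", 600),   # established international habit
    ("2014-06-12 09:05", "acct-b", "AU", 540),
]

BASELINE_END = datetime(2014, 6, 8)   # calls before this define "normal"
PROBE_MAX_SECONDS = 10                # assumed threshold for a short test call
BURST_WINDOW = timedelta(hours=1)     # assumed burst window
BURST_MIN_CALLS = 3                   # assumed burst size


def detect_toll_fraud(cdrs, home_country="NZ"):
    """Return {account: sorted reasons} for accounts with suspicious calls."""
    calls = defaultdict(list)
    for start, account, country, seconds in cdrs:
        calls[account].append((datetime.strptime(start, "%Y-%m-%d %H:%M"), country, seconds))
    findings = {}
    for account, rows in calls.items():
        known = {c for t, c, _ in rows if t < BASELINE_END} | {home_country}
        # Calls after the baseline to countries this account never called before.
        novel = sorted(r for r in rows if r[0] >= BASELINE_END and r[1] not in known)
        reasons = set()
        if novel:
            reasons.add("new-destination:" + ",".join(sorted({c for _, c, _ in novel})))
        if any(s <= PROBE_MAX_SECONDS for _, _, s in novel):
            reasons.add("probe-calls")
        # Burst: BURST_MIN_CALLS such calls starting within BURST_WINDOW.
        times = [t for t, _, _ in novel]
        for i in range(len(times) - BURST_MIN_CALLS + 1):
            if times[i + BURST_MIN_CALLS - 1] - times[i] <= BURST_WINDOW:
                reasons.add("burst")
                break
        if reasons:
            findings[account] = sorted(reasons)
    return findings


print(detect_toll_fraud(CDRS))
```

A "probe-calls" finding on its own is the early signal: it appears days before the burst, while the cost is still small.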
