29 posts

Geek
+1 received by user: 2


Topic # 148602 24-Jun-2014 18:04

So just got the monthly bill from Snap today and noticed that it included $80.30 in toll charges, which was strange as we have free national calling, and don't make international calls.



Looking at the toll charges in detail I saw they were mostly to Aruba and Madagascar, and whilst no one was at home...



So I logged into my Fritz!Box 7390 and had a look in the Event Log, which showed someone logging in under the account "snapadmin" and making changes just prior to the fraudulent calls...



and then they set up their own telephony device "IP telephone 1"...



which was allowed connection from the internet...




I promptly rang Snap and they've been amazing in fixing the problem:

Apparently there had been some glitch with my initial setup, where Snap should have connected to my Fritz!Box, done their automatic configuration changes and reset the password from their default one to a randomly generated one, but for some reason this hadn't happened (been with them for over a year now) meaning the remote access account was still set to the default (and apparently known) password.

They've got it all sorted now, and are reversing the toll charges so very happy with their prompt support, although a little concerned that this vulnerability had existed (and could possibly still exist for other customers).





304 posts

Ultimate Geek
+1 received by user: 28


  Reply # 1073620 24-Jun-2014 18:13
2 people support this post

That's unfortunate.

Good to hear that Snap has taken action at least and reversed the charges :)




Creator of Tallowmere.

BDFL - Memuneh
59172 posts

Uber Geek
+1 received by user: 10411

Administrator
Trusted
Geekzone
Subscriber

  Reply # 1073623 24-Jun-2014 18:16
4 people support this post

Just to show that even ONE device with a default password will be found... 




 
 
 
 


What does this tag do
862 posts

Ultimate Geek
+1 received by user: 161

Subscriber

  Reply # 1073624 24-Jun-2014 18:20
One person supports this post

That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it

6845 posts

Uber Geek
+1 received by user: 3160

Moderator
Trusted
Subscriber

  Reply # 1073626 24-Jun-2014 18:22
3 people support this post

I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.




Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial


'That VDSL Cat'
6751 posts

Uber Geek
+1 received by user: 1279

Trusted
Spark
Subscriber

  Reply # 1073640 24-Jun-2014 18:34

jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.




29 posts

Geek
+1 received by user: 2


  Reply # 1073641 24-Jun-2014 18:34

michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side

6845 posts

Uber Geek
+1 received by user: 3160

Moderator
Trusted
Subscriber

  Reply # 1073644 24-Jun-2014 18:52

Krullos:
michaelmurfy: I feel this is going to be a trend with people going towards VoIP with their providers.

Most of them don't even change their default router passwords so if a provider doesn't set up the SIP details correctly then h4ck0rage.


Yeah, but the first thing I changed when I got it was the default password, but I'd expected snap to be in charge of their own account passwords on my device, since they needed remote access to it. 

Told my boss about this and he made fun of the fact that I got my CCNA Wireless cert 3 weeks ago and yet my "Wireless Access Point" got hacked into, until I pointed out the vulnerability hadn't had anything to do with the wireless side


This is my feeling.

 

Any remote access can be exploited. I refuse to allow any remote access and heck, my connection also has CG-NAT on it.




Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Community UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial


What does this tag do
862 posts

Ultimate Geek
+1 received by user: 161

Subscriber

  Reply # 1073656 24-Jun-2014 19:17

hio77:
jnimmo: That's a worry, I thought/hoped they would restrict the remote access to one of their own subnets to help prevent that - even if the default password had been changed there could be a vulnerability in the web server on it


this was remote access, as in the webui looking at the log.

for them to block that by default, they would also be by default sending out devices with 443 blocked, which could cause issues for anyone doing any homeserver setups.


concerning that this happened however.

The web server running on port 443 will be blocking access to home servers anyway. What I mean is I thought the firmware would have a way to restrict access to the local subnet or a Snap management address, which they could enable by default.

25666 posts

Uber Geek
+1 received by user: 5413

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1073666 24-Jun-2014 19:37
3 people support this post

Using the correct tool it's possible to find thousands of Linksys/Cisco SPA devices with default passwords on the internet within a couple of minutes. It takes literally a few seconds to set a call forward on these and make calls which they'll be billed for.

There are plenty of cowboys out there in the VoIP world these days who know nothing about VoIP. They think they're experts because they've been to a course hosted by a reseller and know how to configure a phone.

It's much like people who set port forwards on port 5060 and don't lock down their hardware to only allow SIP traffic from their SIP proxy.

Most VoIP exploits are to numbers in Africa where those taking part normally get a cut of the interconnect. 





2652 posts

Uber Geek
+1 received by user: 634


  Reply # 1073672 24-Jun-2014 19:48

We had the same problem; Snap said there are a few in the same boat. We contacted them after we found we were having problems with the line with people not able to ring us and us not able to ring out (assume the line was busy calling Madagascar at the time!). This led them to finding we also had been hacked. Snap fixed it relatively quickly and reversed all charges, but agree this is a vulnerability that no one should have been able to exploit if Snap had done their job correctly in the first place. They gave me a little sweetener to help with my current data shortfall, so I'm not too unhappy!

Edit: damn, in updating the router's firmware they've also deleted any call data so I don't get to see what exotic places I've been 'calling'. Hopefully this'll be on our next bill.

3178 posts

Uber Geek
+1 received by user: 979

Subscriber

  Reply # 1074425 25-Jun-2014 17:18
2 people support this post

Hahahahaha I can not believe this has actually happened. This is actually terrible.

Good on them for reversing the charges but holy cr4p, can't believe it happened in the first place.

Talk DIrtY to me
4026 posts

Uber Geek
+1 received by user: 2070

Trusted
Subscriber

  Reply # 1074429 25-Jun-2014 17:23

I hope that for Snap's sake they put a lid on this quickly or they'll be bleeding $$$$ for Africa.




Whatifthespacekeyhadneverbeeninvented?


Aussie
3956 posts

Uber Geek
+1 received by user: 1041

Trusted
Subscriber

  Reply # 1074517 25-Jun-2014 19:56

michaelmurfy: 

Most of them don't even change their default router password.


OT, but I had a telstra tech come around due to a cable fault.... "oh, you've changed the default password... can I have the new one?"  
Um, no. I'll log you in to the router on my laptop.
Telstra cable modems/routers have built in wifi (which I disabled).


Good to see snap were on to it with the charges.

2958 posts

Uber Geek
+1 received by user: 839

Trusted
Subscriber

  Reply # 1074524 25-Jun-2014 20:06
7 people support this post

Pretty sure I've tracked down the culprits!


Fully Operational
3343 posts

Uber Geek
+1 received by user: 1088

Trusted
Vocus
Subscriber

  Reply # 1074570 25-Jun-2014 21:07

Have seen this happen... a sales guy had set up a router for testing, with remote access and default passwords.  Within a couple days, the account made some dodgy international calls.  We figured out that someone had logged in remotely and forwarded calls from the router, then called the local NZ number for the router (which they could readily glean from the web UI).  

They'd done it outside of hours, and put it all back to normal, so we might not have even known if not for our fraud detection algorithms.  It can happen surprisingly quickly if you have anything unsecured that is capable of making (or forwarding) phone calls.

We threatened to make him pay, but as it turned out the charges were very small - most of the destinations they tried to call we don't allow (this measure alone has saved us and our customers a lot in toll fraud).

One thing we've noticed with toll fraudsters in general, is they tend to target a device, and do a few tests first, then they'll come back and slam it at a later date, or just make a few calls a night and go for the long game hoping nobody notices.
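
Added example, not part of the thread or any poster's code: a minimal call-record check for the two controls described in the post above, a destination allow-list and detection of a few short test calls followed by a later burst. The record layout, the allow-list, the thresholds and the sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

INTL_PREFIX = "00"                               # NZ international dialling prefix
WATCHED = {"297": "Aruba", "261": "Madagascar"}  # destinations named in the thread
ALLOWED_CODES = {"61"}                           # assumption: account only calls Australia

# Constructed sample call records: (start, dialled number, duration in seconds)
SAMPLE_CDRS = [
    ("2014-06-10 19:05", "006129555010", 600),   # allowed international call
    ("2014-06-12 02:11", "0026120555001", 8),    # short test call
    ("2014-06-12 02:13", "002975550002", 6),     # short test call
] + [("2014-06-15 01:%02d" % m, "0026120555001", 540) for m in range(0, 60, 10)]

def destination_code(number):
    """Return the country code of an international number, or None if national."""
    if not number.startswith(INTL_PREFIX):
        return None
    digits = number[len(INTL_PREFIX):]
    for length in (3, 2, 1):                     # longest known prefix first
        if digits[:length] in WATCHED or digits[:length] in ALLOWED_CODES:
            return digits[:length]
    return digits[:3]                            # unknown destination: leading digits

def suspicious_calls(cdrs, allowed=ALLOWED_CODES):
    """Calls to international destinations outside the account's allow-list."""
    hits = []
    for start, number, secs in cdrs:
        code = destination_code(number)
        if code is not None and code not in allowed:
            hits.append((datetime.strptime(start, "%Y-%m-%d %H:%M"), code, secs))
    return hits

def probe_then_burst(hits, probe_max_secs=30, burst_min_calls=5):
    """Pair each day of only short test calls with any later day of heavy calling."""
    by_day = defaultdict(list)
    for when, _code, secs in hits:
        by_day[when.date()].append(secs)
    probes = [d for d, s in by_day.items() if max(s) <= probe_max_secs]
    bursts = [d for d, s in by_day.items() if len(s) >= burst_min_calls]
    return sorted((p, b) for p in probes for b in bursts if p < b)

if __name__ == "__main__":
    hits = suspicious_calls(SAMPLE_CDRS)
    print(len(hits), "calls outside the allow-list")
    print("probe/burst pairs:", probe_then_burst(hits))
```

Alerting on the probe day alone, before any burst appears, is the earlier signal; the pairing here only confirms the pattern after the fact.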
