Geekzone: technology news, blogs, forums
4419 posts | Uber Geek | Trusted | Subscriber
Reply # 2052576 10-Jul-2018 12:18

vulcannz:
    SaltyNZ:
        What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

    LOL seriously, would a VoIP provider operate open SIP without an SBC with no brute force protection? I hope not.

I couldn't say, not my area, but at the end of the day, the fraudulent usage was detected and notified.

iPad Air + iPhone SE + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

118 posts | Master Geek | Trusted | 2degrees
Reply # 2052733 10-Jul-2018 14:22
5 people support this post

mattRSK:
    I am wondering if anyone else has experienced the following issue on 2degrees Home Phone Plus.

    Toll calls have been made from my phone to France from Saturday morning until early Monday morning. The calls are short and I have been charged $5 each time, totalling just over $400.

    The strange thing is that no one in this house has ever made a call to France.

    I received a text message from 2degrees at 9am this morning. They advised there had been high toll call usage and wanted to check if these were genuine.

    I called 2degrees and advised they were not genuine, only to be told that I will still have to pay the toll charges, as the calls were made from my account.

    I have spoken to a supervisor who will talk to accounts.

    I really would have thought there would be a system in place to detect abnormal usage, with a toll bar applied until confirmation is received from the user.

    The explanation from 2degrees is that someone has used a brute force method to gain access to the modem via remote access. They have factory reset the modem. This will supposedly prevent any further charges. I find this a bit hard to believe, although I have a toll bar in place now.

    Does this sound familiar to anyone?

Hi Matt,

I've done a bit of digging on this and thought I'd chime in. As per above, it was a brute force attack on the remote access feature of the Fritzbox that enabled the individual to gain access to the box. This has been resolved by a factory reset to wipe all accounts and restore service. The version of firmware stated in this thread is not open to any specific known vulnerabilities. In this case it appears to be a soft password setup for remote access which was the culprit. Due to the factory reset, a post-mortem is no longer possible.

In terms of firmware: all firmware that is available via the update feature on the Fritzbox should be installed; it's been regression tested by 2degrees and therefore made available to customers for consumption. Periodically 2degrees also do pushes of firmware to devices to make sure they are running the latest and greatest, using the TR69 protocol. This can take some time as there are many thousands of devices out there. You also miss people depending on devices being powered on, people moving houses etc. The current firmware version available is 6.84; more details on what's included are here: https://en.avm.de/service/

Some customers do change passwords for SIP via the 2degrees broadband portal (https://secure.2degreesbroadband.co.nz/login); other than setting the complexity 'rules' for a password, it's somewhat out of our control. We do however limit access to connect to the Metaswitch platform (Home Plus) to the 2degrees network only. What this effectively means is that you need to 'gain access' on the local LAN or via the Fritzbox on the 2degrees network to make fraudulent calls.

There is also a bunch of early detection for fault-type behaviour in terms of monitoring spend/consumption of minutes/dollars. When this happens, Fraud Management systems are alerted and customers are notified accordingly.

It looks like Customer Care have been in contact with you, and the charges for this specific event have been removed.

Nick.
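Matt asks above for abnormal-usage detection with a toll bar held until the customer confirms, and Nick describes spend and minute monitoring feeding a fraud system. The following is an added illustration of such a check over constructed call detail records; it is not 2degrees' or Metaswitch's code, and the CDR fields, thresholds and the toll-bar action are assumptions. The sample data mirrors the thread's pattern: short $5 calls to France from Saturday morning to early Monday, just over $400 in total.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Cdr:
    account: str
    start: datetime
    dest_country: str   # country of the called number; "NZ" means domestic
    seconds: int
    charge: float       # NZD billed for this call

SPEND_LIMIT = 50.0            # NZD of toll spend inside WINDOW that triggers an alert (assumed value)
WINDOW = timedelta(hours=24)
SHORT_CALL = 60               # seconds; bursts of sub-minute international calls are a fraud pattern

def peak_spend(calls):
    """Highest total charge inside any WINDOW-long span of calls sorted by start time."""
    j, peak, spend = 0, 0.0, 0.0
    for c in calls:
        spend += c.charge
        while calls[j].start < c.start - WINDOW:   # drop calls that fell out of the window
            spend -= calls[j].charge
            j += 1
        peak = max(peak, spend)
    return peak

def detect_toll_fraud(history, new):
    """One alert per account whose new CDRs look like toll fraud; action is a bar until confirmed."""
    known, by_account = {}, {}
    for c in history:                                # destinations the account normally dials
        known.setdefault(c.account, set()).add(c.dest_country)
    for c in new:
        by_account.setdefault(c.account, []).append(c)
    alerts = []
    for account, calls in by_account.items():
        calls.sort(key=lambda c: c.start)
        intl = [c for c in calls if c.dest_country != "NZ"]
        unseen = sorted({c.dest_country for c in intl} - known.get(account, set()))
        n_short = sum(c.seconds < SHORT_CALL for c in intl)
        reasons = []
        if (peak := peak_spend(calls)) > SPEND_LIMIT:
            reasons.append(f"toll spend ${peak:.2f} in 24h exceeds ${SPEND_LIMIT:.2f}")
        if unseen:
            reasons.append("first-ever calls to " + ", ".join(unseen))
        if n_short >= 5:
            reasons.append(f"{n_short} international calls shorter than {SHORT_CALL}s")
        if reasons:
            alerts.append({"account": account, "action": "toll_bar_until_confirmed", "reasons": reasons})
    return alerts

# Constructed sample: A1 normally dials NZ/AU, then makes 82 short $5 calls to France over a weekend; A2 is benign.
SAT = datetime(2018, 7, 7, 6, 0)
HISTORY = [Cdr("A1", SAT - timedelta(days=d), "AU" if d % 3 == 0 else "NZ", 300, 0.5) for d in range(1, 30)]
HISTORY.append(Cdr("A2", SAT - timedelta(days=7), "AU", 600, 1.0))
NEW = [Cdr("A1", SAT + timedelta(minutes=35 * i), "FR", 20, 5.0) for i in range(82)]
NEW.append(Cdr("A2", SAT + timedelta(hours=2), "AU", 240, 2.0))
```

Running `detect_toll_fraud(HISTORY, NEW)` flags only A1, on all three signals, while A2's single call to a country it has dialled before passes; in practice the alert would bar toll calls and trigger the customer text Matt received rather than letting the calls continue for two days.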
814 posts | Ultimate Geek | Trusted | Subscriber
Reply # 2052884 10-Jul-2018 19:23

Hi Nick

Yes, I have contacted customer services and these charges have been written off.

To be clear, the remote access settings were set up by 2degrees. You might want to look into whether these were secure enough.

Thanks for looking into it.

118 posts | Master Geek | Trusted | 2degrees
Reply # 2052889 10-Jul-2018 19:31

Customer Care are investigating this specific ticket; once concluded, they will take the appropriate remedial steps. Thanks for reaching out and helping with the investigation.

Nick.

3474 posts | Uber Geek | Subscriber
Reply # 2052890 10-Jul-2018 19:35
One person supports this post

SaltyNZ:
    sbiddle:
        SaltyNZ:
            What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

        The last time this happened to people it was the Fritzbox that was compromised, not somebody brute forcing SIP credentials.

    Ah, yes, not a lot you can do about that...

Seriously!!?!

There is SH1TLOADS that could be done about an unsecured router sitting out wide open to the internet!!

Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.

But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?

118 posts | Master Geek | Trusted | 2degrees
Reply # 2052892 10-Jul-2018 19:40

chevrolux:
    SaltyNZ:
        sbiddle:
            SaltyNZ:
                What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

            The last time this happened to people it was the Fritzbox that was compromised, not somebody brute forcing SIP credentials.

        Ah, yes, not a lot you can do about that...

    Seriously!!?!

    There is SH1TLOADS that could be done about an unsecured router sitting out wide open to the internet!!

    Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.

    But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?

Thank you - I try to post 'interesting' stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via the TR69 protocol.

Nick

268 posts | Ultimate Geek
Reply # 2052901 10-Jul-2018 20:15

This is why I hate TR-069. It's like painting a bullseye on your forehead.

Ideally you should be putting management access on unique ports, then blocking any non-management-network traffic from reaching those devices. Changing management user names and credentials, with a long, complex password, is essential too - I hate it when I see publicly manageable gear with the default admin name of 'admin'. This should be a capital offence.

When you see how much automated scripting is constantly pummelling devices looking for holes, I'm honestly surprised it hasn't become a massive problem in NZ.

26609 posts | Uber Geek | Moderator | Trusted | Biddle Corp | Lifetime subscriber
Reply # 2052904 10-Jul-2018 20:30
One person supports this post

vulcannz:
    This is why I hate TR-069. It's like painting a bullseye on your forehead.

Do you actually understand TR-069 with a comment like that?!

I can't disagree more. TR-069 is the exact opposite - it's an incredibly powerful tool for RSPs, and any provider not using it should be.

None of these exploits involve TR-069, but the great thing about TR-069 and having remote access capabilities is that when (for example) a firmware exploit makes it into the wild, an RSP can very simply patch every one of their routers and eliminate the risk to their end users.

3474 posts | Uber Geek | Subscriber
Reply # 2052909 10-Jul-2018 20:37
One person supports this post

NickMack:
    Thank you - I try to post 'interesting' stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via the TR69 protocol.

    Nick

So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked? If it was OP that enabled it then fair game, not 2degrees' fault. But if 2degrees enabled it and then forgot to disable it, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often, otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but it's still something I would have thought a company the size of 2degrees would just avoid altogether?

814 posts | Ultimate Geek | Trusted | Subscriber
Reply # 2052960 10-Jul-2018 21:30

It was enabled by 2degrees to set up home phone.

4419 posts | Uber Geek | Trusted | Subscriber
Reply # 2052993 10-Jul-2018 21:59

chevrolux:
    So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked? If it was OP that enabled it then fair game, not 2degrees' fault. But if 2degrees enabled it and then forgot to disable it, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often, otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but it's still something I would have thought a company the size of 2degrees would just avoid altogether?

TR-069 is used by practically every service provider on the planet.

iPad Air + iPhone SE + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

3474 posts | Uber Geek | Subscriber
Reply # 2053008 10-Jul-2018 22:47

SaltyNZ:
    chevrolux:
        So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked? If it was OP that enabled it then fair game, not 2degrees' fault. But if 2degrees enabled it and then forgot to disable it, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often, otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but it's still something I would have thought a company the size of 2degrees would just avoid altogether?

    TR-069 is used by practically every service provider on the planet.

I've got zero issue with TR069 being used. But that's not what got brute forced here, was it? In fact (and happy to stand corrected), isn't that sort of the point of a TR069 client? It's simply a client that begins the provisioning process. It's the provisioning server that authenticates the device requesting the config.

So I'm saying, why are 2degrees enabling the direct HTTPS remote access feature of the Fritzbox and then not removing it?

118 posts | Master Geek | Trusted | 2degrees
Reply # 2054148 11-Jul-2018 10:04

chevrolux:
    NickMack:
        chevrolux:
            SaltyNZ:
                sbiddle:
                    SaltyNZ:
                        What you could probably do is ask them to lock down the account so that it can only be logged into from your port, or at least from within the 2degrees network. That will greatly reduce the chances that some internet random will guess your SIP credentials in future.

                    The last time this happened to people it was the Fritzbox that was compromised, not somebody brute forcing SIP credentials.

                Ah, yes, not a lot you can do about that...

            Seriously!!?!

            There is SH1TLOADS that could be done about an unsecured router sitting out wide open to the internet!!

            Why the hell 2degrees have that remote access feature turned on and allowing connections from anywhere just boggles my mind.

            But what Nick posted was interesting. It seems it was a simple password that got brute forced? So, OP... did you set up remote access with your own user passwords?

        Thank you - I try to post 'interesting' stuff occasionally. The remote access feature is used to troubleshoot the box, should a customer get in a pickle :-). The feature can be turned on by the customer or the telco via the TR69 protocol.

        Nick

    So is the potential scenario in this case that the HTTP/HTTPS access got enabled (either by 2degrees or OP), but wasn't removed and then, inevitably, hacked? If it was OP that enabled it then fair game, not 2degrees' fault. But if 2degrees enabled it and then forgot to disable it, that seems like a broken process from their side that could potentially leave a bunch of routers vulnerable. I tend to think the latter obviously doesn't happen all that often, otherwise we would see it on Stuff/Herald about the "poor customer who got ripped off", but it's still something I would have thought a company the size of 2degrees would just avoid altogether?

There should be no need for an ISP to enable remote access, as everything is configurable via TR069. Since the device was factory reset to resolve and restore service, either way is hard to prove in terms of the state of the device.

Nick.

118 posts | Master Geek | Trusted | 2degrees
Reply # 2054260 11-Jul-2018 12:28
2 people support this post

Hi All,

I've had a follow-up meeting with the Head of Customer Care to talk further about this issue. There will be some follow-up training/education refreshers run for the team on the best way to support and service our customers with respect to how best to provide remote support for Fritzbox devices. The only way we will be supporting customers is by using the TR69 protocol, not setting up remote access, as well as a real push on ensuring all customers are running the latest version of firmware.

Nick.

1490 posts | Uber Geek | Trusted | 2degrees
Reply # 2054301 11-Jul-2018 13:01

Hi mattRSK

Can you PM us your customer ID please?

Thanks

^POB