Kitz ADSL Broadband Information
Author Topic: TalkTalk and Post Office routers hit by cyber-attack  (Read 5232 times)

broadstairs

« Reply #15 on: December 02, 2016, 05:32:46 PM »

The safest thing to do with both tr064 and tr069 is to disable them if that option exists. It should then show as stealth. I'd do it on any router, even one supplied by an ISP, if the option is there. No way would I ever allow an ISP to access my router without my knowledge - I simply don't trust them.

Stuart

sevenlayermuddle

« Reply #16 on: December 02, 2016, 06:33:00 PM »

No option to disable it on my Billion.

It had been assigned a factory username & password for both ACS and 'connect request'. No obvious way of seeing what the password was, but I do hope it wasn't just some default string common to all devices... :o

My hunch is it was all innocent, and that I'm panicking prematurely. Billion seem to attract their share of techies, and have a good reputation. Just weird that with the old fw the port was open, but stealthed with the newer fw, vintage circa June 2015 iirc. ???

roseway

« Reply #17 on: December 02, 2016, 06:40:32 PM »

I'm grateful to you for finding this out. I use a 7800DXL as a router, and the same port (30005) was open. Upgrading the firmware fixed it, as in your case.
  Eric
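
Added example, not part of the thread: a small Python check that reports whether a TCP port on a router you own is open, closed or stealth, the three states the posts above distinguish. Port 30005 is the one reported in this thread; the function names and the 3-second timeout are assumptions of this example.

```python
import errno
import socket
import sys

# Port 30005 is the one reported open in this thread. Pass other ports on the
# command line if your router's TR-069 connection-request listener differs.
DEFAULT_PORTS = (30005,)

def classify(error):
    """Map the outcome of a TCP connect attempt to a port state.
    error is None on success, otherwise the exception that was raised."""
    if error is None:
        return "open"         # handshake completed: something is listening
    if isinstance(error, ConnectionRefusedError):
        return "closed"       # RST received: host reachable, nothing listening
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "stealth"      # no reply at all: packets silently dropped
    if isinstance(error, OSError) and error.errno in (errno.EHOSTUNREACH,
                                                      errno.ENETUNREACH):
        return "unreachable"  # routing problem, says nothing about the port
    return "error"            # DNS failure or anything else

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return the classified state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def check_router(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Return {port: state} for every port checked."""
    return {port: probe(host, port, timeout) for port in ports}

def exposed(results):
    """Ports that accepted a connection and therefore need attention."""
    return sorted(p for p, state in results.items() if state == "open")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: portcheck.py HOST [PORT ...]")
    target = sys.argv[1]
    wanted = [int(p) for p in sys.argv[2:]] or list(DEFAULT_PORTS)
    report = check_router(target, wanted)
    for port, state in report.items():
        print(f"{target}:{port} {state}")
    sys.exit(1 if exposed(report) else 0)
```

Run it from a host outside your own network against the router's WAN address; a check from the LAN side does not show what the internet can reach.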

sevenlayermuddle

« Reply #18 on: December 02, 2016, 06:52:01 PM »

@Roseway, thanks for confirming it wasn't my imagination. I did think about PM-ing if you didn't pipe up to make sure you'd seen it. But I now feel less of a Wally for not having noticed that port was configured and open earlier, or picked up the new fw sooner. ::)

There were a few mentions of TR 069 in the release notes, but nothing explicit about any major vulnerability being fixed.

kitz

« Reply #20 on: December 02, 2016, 10:15:52 PM »

Thanks ejs

Quote
We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers, Econet, with chipsets RT63365 and MT7505 with SDK version #7.3.37.6 and #7.3.119.1 v002 respectively.

Hmm, so what about the Huawei HG532 used by TalkTalk?
They've already owned up to the D-Link DSL 3680, which uses the same chipset, or could this be down to the specific f/w, with them listing the SDK?

ejs

« Reply #21 on: December 03, 2016, 06:10:54 AM »

It will be nothing to do with the hardware itself, so it will depend on how much TalkTalk customised their firmware for their HG532. They might have used the stock TR-069 / TR-064 software supplied by the chipset provider, or they might have replaced it with some other software. Or the HG532 may have been built by some other company than Econet, but using the same Ralink / MediaTek chips, so may have had different software even before being customised for TalkTalk.

I don't think Econet make the RT63365 and MT7505 chips, but they may make some, but not all, of the devices using those chips.

ejs

« Reply #22 on: December 03, 2016, 06:03:47 PM »

https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/
(the summary in that article of TR-069 describes it in general but not actually what the open port on the router is for)

Weaver

« Reply #23 on: December 03, 2016, 08:12:46 PM »

Does anyone know of a test case or test tool for the Mirai vulnerability in question? I could do with testing my own newest router.