Kitz Forum

Topic started by: jeffbb on August 31, 2009, 02:14:43 PM

Title: TG585v7 routers and TG585n routers security flaw
Post by: jeffbb on August 31, 2009, 02:14:43 PM
Hi
Has anyone heard of a serious security flaw with these routers? I came across the following link

http://www.jibble.org/o2-broadband-fail/

a right ding dong going on

quote : It affects all TG585v7 routers and TG585n routers. O2, Be*, or Generic.

from http://forum.o2.co.uk/viewtopic.php?t=26192

Regards Jeff
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: roseway on August 31, 2009, 02:27:25 PM
If it's true then it sounds serious, but without hard information and/or independent confirmation of the vulnerability it's hard to reach any conclusion. If I were using one of these I would certainly swap to something else until the situation is clarified.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: orainsear on August 31, 2009, 04:03:02 PM
I'm currently using a 585v7 but in modem only bridge mode. If this exploit is genuine I'm guessing it will have something to do with an HTML request to turn on the remote management and possibly add a new admin account or add another password to the current one.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: kitz on August 31, 2009, 05:47:35 PM
Little information is given about what the security flaw is.

At a guess I would imagine it will be similar to the flaw on the Be routers (http://blogs.securiteam.com/index.php/archives/826) where the WAN side was left open for Be Techs to be able to remotely access the router.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: jeffbb on August 31, 2009, 06:01:24 PM
Hi
quote : similar to the flaw on the Be routers (http://blogs.securiteam.com/index.php/archives/826) where the WAN side was left open for Be Techs to be able to remotely access the router.

way above my head  ??? 

As ZEN are using same routers I have posted on their site to see their reaction.
Regards Jeff
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: Oranged on August 31, 2009, 06:32:03 PM
This "story" crops up regularly.

Google it and you'll find it started back in 2007 and has been reported several times in The Register.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: waltergmw on September 02, 2009, 04:25:09 PM
Zen have confirmed this exploit for all suppliers using this modem and are urgently working with Thomson on a fix. In the meantime they recommend changing the password.
Kind regards,
Walter
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: jeffbb on September 02, 2009, 06:03:25 PM
Hi
quote : Zen have confirmed this exploit for all suppliers using this modem and are urgently working with Thomson on a fix


O2 quote : We provide you with a modem free of charge which is encrypted and secure to a level we find acceptable.

That is the difference  :)

Regards Jeff

Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: kitz on September 03, 2009, 12:20:35 PM
Seems like both Zen and Be are taking it seriously.
...  and that Be has managed to escalate it to o2

Quote
Zen Internet has got in touch to see if their routers are affected. They seem quite proactive/receptive and will be taking the issue to Thomson as a result of their findings.

Possibly some more exciting news: I've successfully demonstrated the problem to BE (the smaller ADSL company that O2 bought a few years ago) and they have escalated the problem back to O2 on my behalf. Yay! BE uses similar routers to O2 Broadband, although only some of them are vulnerable. BE offers a staffed IRC support channel, which makes it incredibly quick and easy to report problems interactively.

Contact has been made! Chris Buggie (senior tech support manager at O2 Broadband) phoned me to apologise for the way this has been handled so far, and then to discuss the problem in detail. I explained the problem and talked him through some proofs of concept which were successfully demonstrated on his own O2 router. O2 is going to work with Thomson to introduce a fix. We also discussed ways to address the problem in the meantime. O2 Broadband customers can mitigate the risk of attack by enabling authentication on their router's HTTP configuration interface (by default, the device lets you browse directly to http://192.168.1.254 without requiring a password).

One other alarming thing that has become apparent during the course of the day is that some other ISPs are affected by the same issue. This could mean millions of broadband users in the UK are vulnerable.

Still no exact details of the flaw... but judging from "mitigate the risk of attack by enabling authentication on their router"... sounds like a default password issue?


If this is the case.. then it could well be that the routers are also open on the WAN side.. allowing someone to access the router from the outside.

PS. - Edited to add

The default password for these routers is left blank.. so if the owner hasn't changed the passy.. then this seems like it could be the most likely cause and allowing someone to say remotely access the router externally.

Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: JohnAtEclipse on September 04, 2009, 02:03:31 PM
Thanks for pointing this out. We're currently checking with Thomson to verify whether the TG585v7's that we provide are vulnerable to this or not.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: JohnAtEclipse on September 04, 2009, 04:13:21 PM
Good news. The TG585's that we provide are not affected by this issue because we ship them with pre-specified usernames and passwords for router access. I've had confirmation back from Thomson to this effect and tested it here myself just to be on the safe side.  8)
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: orainsear on September 04, 2009, 04:40:01 PM
Hmmm well the current beta firmware from BE for the 585v7 changes the password from blank to that of the router serial number so I presume that this will be rolled out as standard before long.

Edit: BE have distributed an email suggesting that you follow the instructions on the following Usergroup page (http://www.beusergroup.co.uk/technotes/index.php/How_To_Fully_Secure_The_Bebox) to secure the BeBox if you haven't already done so.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: kitz on September 04, 2009, 07:57:14 PM
>> because we ship them with pre-specified usernames and passwords for router access.

Thanks for that update John.

>> the current beta firmware from BE for the 585v7 changes the password from blank to that of the router serial number so I presume that this will be rolled out as standard before long.

Could well be. - wouldn't be a bad thing.
More and more ISPs seem to be using TR 069 (http://en.wikipedia.org/wiki/TR-069) to pre-configure their routers so this may well have an impact too.
However there is I suppose always a danger if a router is open for remote management and a SuperUser/ Tech Support passy gets leaked.

Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: kitz on September 04, 2009, 08:01:06 PM
Orainsear

Just seen your edit - judging from that information it certainly looks like it was the open port issue for remote management..  and the fact that the passy is set by default to blank.


I'm not too keen though on the advice to disable the ping responder.  :mad:
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: orainsear on September 04, 2009, 08:45:04 PM
>>>I'm not too keen though on the advice to disable the ping responder

Cue *internet black hole smiley*

The wording of the email suggests that it's a bit of a quick fix and that they are looking towards a longer term solution from Thomson.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: kitz on September 05, 2009, 03:38:01 PM

>> Cue *internet black hole smiley*

Yep you got it :)

>> The wording of the email suggests that it's a bit of a quick fix and that they are looking towards a longer term solution from Thomson.

Let's hope so :fingers:
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: jid on September 05, 2009, 07:26:14 PM
O2 have info on it here:-
http://service.o2.co.uk/IQ/SRVS/CGI-BIN/WEBCGI.EXE/,/?New,KB=Companion,question=ref%28user%29:str%28Broadband%29,CASE=12648

I guess the username is still SuperUser is it for o2 routers?

Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: orainsear on September 05, 2009, 07:35:48 PM
Those instructions are for logging in as Administrator, not SuperUser.  Bearing in mind that the SuperUser account password is the same for all O2 routers unless changed, does that mean that a security hole still exists?
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: jid on September 05, 2009, 07:41:46 PM
So when I need to change settings, i.e. WiFi name, which one would I use?

Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: orainsear on September 06, 2009, 10:13:00 PM
Quote
So when I need to change settings, i.e. WiFi name, which one would I use?

I'm not completely familiar with the O2 setup, but I'd have thought Administrator should allow you to do all the things that you need to manage your network.  SuperUser will probably open up a few more technical options.
Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: chainbeltmadras on September 09, 2009, 09:54:49 PM
Quote
Those instructions are for logging in as Administrator, not SuperUser.  Bearing in mind that the SuperUser account password is the same for all O2 routers unless changed, does that mean that a security hole still exists?

I put this to o2 and this was their response.

Any software security system can be cracked. There are many password cracks posted on the internet for many makes of routers.  Please remember the likelihood of this happening to you is still very small.  The most common thing to happen is people using your broadband service, but if you have wireless encryption this will prevent that.

Ensure your firewall is on your router and that its on your computer too.  Update anti-spyware and anti-virus.  If you have changed the password on your router and use wireless encryption this is good enough.  Having many layers is the key to good internet security, these consist of

1. XP or Vista password
2. Router password
3. router hardware firewall
4. wireless encryption
5. PC software firewall
6. PC anti-spyware
7. PC anti-virus
8. Internet Explorer phishing filter

Remember the most common criminal activity is phishing emails and most hackers tend to target organisations and not individuals.

Hope this addresses some of your concerns.


Title: Re: TG585v7 routers and TG585n routers security flaw
Post by: chainbeltmadras on September 14, 2009, 05:48:15 PM
Did anyone get this security email today? I thought it was spam at first.

We’ve found a new risk to your O2 Home Broadband Wireless Box, so we’ve set-up an extra password.

It’s the 11-digit serial code starting with ‘CP’ on the bottom of your wireless box. It looks like this: CP123456789. (The digits in brackets aren’t included.)
If you’d like to change it to something you’re more likely to remember, head  here
That’s it. Nothing else about your O2 Home Broadband service will change. Not even the password you use to connect wirelessly. And now it’ll be much more secure. 

If you have any concerns, visit here

Kind regards,

O2 Broadband Team