If you get your internet service from O2, there's a good chance Paul Mutton can remotely log in to your router and make configuration changes that surreptitiously allow him to access computers on your network. That's because the UK-based ISP offers its customers free customized routers that are vulnerable to CSRF, or cross-site …
"If you get your internet service from O2, there's a good chance Paul Mutton can remotely log in to your router...."
Bet he fscking can't...
I do believe there's something fundamental missing here, and that's actually USING the O2-supplied router?!
Nobody 2- cos the Reg fucked up usernames and didn't bother to tell anybody
Roll your own
ZOMG!!! I'm with O2.
However, I never took their router out of the box. It seems that for building routers, 'If a job's worth doing, it's worth doing yourself.'
Telnet into your Be/O2 supplied TG585 and enter the following commands as administrator:
service system ifdelete name=TELNET group=wan
service system ifdelete name=FTP group=wan
service system ifdelete name=HTTP group=wan
service system ifdelete name=HTTPs group=wan
service system ifdelete name=PING_RESPONDER group=wan
This will remove the default services that are open on the web facing interface of the router and stop it responding to ping requests from the Internet.
To reinstate any of these services, change ifdelete to ifadd.
The command "user list" will list users of the system, I suggest removing all user accounts except administrator.
user delete name=tech
user delete name=Betech
After doing all this, check your router against the Shields Up website.
If you use wireless please use a nonsensical/non-dictionary word for your WPA2 key, elsewise a hacker may just own your router through the front door/via your LAN.
If you really need remote access to your router specify an IP address or range for each service, for example:
service system ifadd name HTTPs ip 192.168.1.21 192.168.1.30 192
This takes effect immediately, so be careful when doing this; be sure to add your current connecting IP address first. Be smart, don't just take my word for it, RTFM ;-)
article says cross-site request forgery
@adnim, disabling all those services facing the big, bad Interweb is irrelevant (though surely they don't leave all that enabled do they?), because a CSRF attack is all about tricking your web browser (already loaded up with credentials, or otherwise allowed to access your internal router) to do something on the attacker's behalf.
The article doesn't actually explain what CSRF is but I'm assuming that CSRF is being correctly identified as the form of attack.
A workaround, to mitigate (reduce but not remove) the risk until the vendor does whatever they need to do, is to change the address/network-space that your router allocates for its internal network address.
That way, at least, the attacker's scatter-gun presumption that it's 192.168.1.1 will be wrong. (All bets are off if you're specifically targeted, there's a lot of ways in which the information can leak, other than in comments on news articles. Even your browser can be tricked into divulging at least its own internal IP address, so perhaps don't put your router at .1 either!)
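As an added illustration (not from the article or any commenter), this Python model contrasts the unauthenticated configuration endpoint the thread describes with one that checks login, the Origin/Referer header and a per-session token. The router address is the thread's default; the request shapes, form field and the third-party hostname are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.254"   # the default LAN address quoted in the thread

@dataclass
class Request:
    """Constructed stand-in for an HTTP request reaching the router's web UI."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    authenticated: bool = False   # credentials the browser attaches automatically

def vulnerable_accepts(req):
    """Default behaviour described in the thread: no password, so any POST is honoured."""
    return req.method == "POST" and req.path == "/config"

def hardened_accepts(req, expected_token):
    """Require login, a same-origin Origin/Referer header, and a per-session token."""
    if req.method != "POST" or req.path != "/config" or not req.authenticated:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if urlsplit(origin).netloc != ROUTER_HOST:
        return False   # a page on another site cannot forge this header
    # a cross-site page cannot read the token out of the router's own page
    return hmac.compare_digest(req.form.get("csrf_token", ""), expected_token)

def forged_request(authenticated):
    """What a visited third-party page makes the victim's browser submit (constructed)."""
    return Request("POST", "/config", {"Origin": "http://third-party.example"},
                   {"dns": "198.51.100.1"}, authenticated)

def legitimate_request(token):
    """The same change submitted from the router's own configuration page."""
    return Request("POST", "/config", {"Origin": f"http://{ROUTER_HOST}"},
                   {"dns": "198.51.100.1", "csrf_token": token}, True)

def outcomes():
    """Which requests each variant of the endpoint would act on."""
    token = secrets.token_hex(16)
    return {
        "vulnerable_forged": vulnerable_accepts(forged_request(False)),
        "hardened_forged_no_login": hardened_accepts(forged_request(False), token),
        "hardened_forged_logged_in": hardened_accepts(forged_request(True), token),
        "hardened_legitimate": hardened_accepts(legitimate_request(token), token),
    }
```

Note that the forged request with a logged-in browser is the case a password alone does not close; the Origin and token checks are what reject it.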
What he said
adnim nails it. Demon gave us one of these when upgrading to ADSL2+, I was shocked how many open WAN-facing ports it had. In my case I downloaded its config file ("Back up configuration") which is just a long INI-file, found the dodgy bits and snipped them out (with some help from the manual) then uploaded it back.
I can see why ISPs like these because they are very hackable, but they've really dropped the ball on this one. I have often cited the router as a major security plus to my average-consumer chums (vs. direct connection to the WAN) -- that advice is going to have to be carefully qualified in future.
What I don't get is...
What's with the picking on O2?
If it's a flaw with the base 585 firmware then why not go after Thomson?
And they only supply those 2 router types; what does he expect them to do, pop down to PC World and buy him another make, custom write the firmware, then send it out to him?
<pats his 780>
Just the same as Be....
The same sort of thing happened with Be (O2's subsidiary company) years ago. Same crap - Thomson routers with ports open all over the damn place just to make life easier for Be/O2 support. It's NOT a Thomson problem, BE and O2 specify that the routers are delivered like this.
Guess they're still just as dumb as ever.
Oh and adnim has the correct solution. One which has been known about for a good 3+ years too....
Rubbish routers anyway
I'm with BE (owned by O2) and they use the same routers. They are rubbish; they overheat, and display an interesting set of bugs when using wireless and wired connections simultaneously (or the two different boxes that BE sent me did anyway), and regularly disconnect (and take ages to reconnect).
Take my advice, put it in the cupboard when it arrives, and go and get yourself a Netgear or, well, anything that isn't a Thomson. Since I did that the service they provide has been impeccable and I haven't had to deal with their god-awful technical support any more....
I helped set up my parents' router this weekend; I was only mildly surprised to see that it was using WEP by default. What was more surprising was that by default there is no username and password required to log in to the web interface!
O2 are the only ADSL supplier to use these PlusNet do too....!
@James R Grinter
No, disabling the services isn't irrelevant. The CSRF attack relies on the management stuff on the router being available over the WAN interface. If they are disabled then there isn't actually anything to attack.
I think it's more their attitude
It's more the fact that O2 couldn't have been less interested in the report if they had tried. Other ISPs have been in touch and are actively working with him. O2 just dismissed it repeatedly until the page was published and they couldn't ignore it...
In the meantime...
Having read the entire posting at http://www.jibble.org/o2-broadband-fail/ to try to get a little more technical insight and to assess the potential impact on my own router, there's a useful suggestion on how to mitigate the risk:
"...mitigate the risk of attack by enabling authentication on their router's HTTP configuration interface (by default, the device lets you browse directly to http://192.168.1.254 without requiring a password)".
Just to suggest the obvious, but perhaps ISPs (and end-users) might be warned of the inadvisability of leaving passwords blank. My ISP lists various security-related information, like WPA keys, on a custom sticker on the router itself. Perhaps a password might be configured and added to the sticker?
Tiscali also vulnerable
About 10 minutes prodding last night and I managed to do the same to my router - there's a hole in the TG585 big enough to drive a truck through. Contacting Tiscali now, let's see how long it takes to get to someone useful.
The reason people aren't going after Thomson is that both Be and O2 supply the routers with their own custom firmware, not Thomson's generic one. The fact that Thomson's generic one is also probably exposed to this is largely irrelevant as you'll struggle to get one of those routers with the Thomson generic firmware on it. If O2 / Be have modified the firmware to make it "theirs" they should have plugged those holes.
The worst thing about those routers is that they ship with an administrator account which actually doesn't have full rights to the box (no telnet access, for instance, so adnim's instructions on how to secure them are missing a fairly vital step). They also ship with a hidden SuperUser and O2Care account, with known passwords (google them) and listening for connections to admin them from the internet.
So CSRF, while a valid attack vector, is largely a waste of effort considering you can just log into them from the internet with the known SuperUser password and do what you want.
And @James, yes, they do leave those services exposed to the internet. Great, aren't they?
I think James R has a point. I am no expert with CSRF (if a CSRF attack is possible via the WAN interface, it is likely also possible via the LAN interface), but for this attack to work via a web page the attacker would have to know the LAN IP of the router. As James mentioned, the default IP for these routers is easy to guess: 192.168.0.1, 192.168.0.254 etc. It would be wise to change this default, and it would be wise to change every other default setting on the router too.
The account names and password for tech support access to the router are the SAME for every Be/O2 customer. These account names and passwords are public knowledge, and yes the ports I mentioned above are open on the WAN side by default. Anyone scanning an IP range that comes across one of these routers that are in use with the supplied default settings has admin access without any CSRF exploit.
As Rab said, the problem with the CSRF vulnerability is the fault of Thomson and not Be/O2. However, the router is supplied with default settings that are woefully insecure, and this IS the fault of Be/O2.
AC:Rubbish routers gives good advice, if you are not tech savvy and understand the shortcomings of this router, bin it and get another.
O2 not entirely to blame
Don't know why O2 are being picked on when it's the default router configuration which is the problem. Okay, they could have told Thomson to deliver a customised version which was more locked down, but it seems many routers have this kind of problem. The Thomson is perhaps better than most because it can be reconfigured as 'adnim' suggests.
I have a number of these routers ( not on ADSL, used just as WAPs ) and I've found them very capable and flexible, far more so than others. It does mean some effort in configuring them, and they do run darned hot, but so too do others.
What is a pain on most routers is that WiFi is considered LAN so not possible to lock the administrative web portal to wired connections only.
What O2 does have to take the blame for is crap and dismissive customer service. Palming off legitimate complaints and warnings until the secret's out and the shit hits the fan. But that's standard MO for Big Business, is it not ?
If you use a few of these currently, are you able to get from your LAN boxes to other LAN boxes with no issues? I'm not. For instance, I have a ReadyNAS wired into the router. I could access it no problem from my wireless clients two days ago. Today I can't. Rebooted the ReadyNAS, still can't get to it. The page starts to load (loads the title portion of the HTML) then hangs.
If I disconnect the ReadyNAS from the 585 and attach it to a Linksys WRT box with the same wireless config, for testing purposes, no problem at all.
This is only one example of a LOT of similar LAN access problems I've had with this router. IMO they're a piece of shit, best thrown away.
So a cheap router has bugs, boo bloody hoo
I used to have a Thomson router courtesy of BT broadband. It had a habit of locking up occasionally. But now I have cable I don't use a router at all. I have my laptop connected directly to the cable modem, I have no virus or malware protection or firewall set up, I visit all sorts of websites with browser security at minimum and I've not once had any problems with hackers or viruses despite seeing shed loads of hack attempts coming down the line in tcpdump. But then I run Linux.
after a chat on Be IRC
As far as I am aware at this time... if an Administrator password is set, any attempt to exploit this flaw will result in a login box for the router being displayed. If you have a blank admin password, change it. If a login prompt for your router is displayed at any time unexpectedly, don't log in. This is exploitable from the Internet, and if you have a blank admin password or default support accounts enabled you are vulnerable.
Sorry, but the whole point of CSRF is that the attack comes from the INSIDE, so disabling external interfaces is prudent, but irrelevant.
@ AC, Re @Jason
Yes, I'm sure that worked in testing, everyone could see everyone else. AFAIR each was set to DHCP on a different subset of 10.0.0.x and all connected to the same cable (i.e. a dumb hub). Another cable to a web server also with a 10.0.0.x IP. Was just a captive portal for playing with.
So if you've changed the default IP for the router (and actually deleted it rather than just add a new one) and you've gone into user management and set a user name and a password then this doesn't work.
Isn't this rather like saying that front doors supplied by Wickes are a security risk if you leave them unlocked because they didn't specifically tell you to fit a lock?
First, trawling the 192.168.0/24 range is pretty quick, and if you bolt 168.1 and 168.2 on you're hitting 99% of setups with only 768 tests. You can do this in a few seconds. When was the last time you saw a router in the 172.16/16 or 10/8 range?
Second, at least the Tiscali firmware answers to a pseudo-domain name in the ".lan" domain, and I'd expect many modern routers to answer to a zeroconf ".local" address. So in many cases there's no need to guess IP addresses at all.
Incidentally I've had a chat with Paul who found the original issue and the Tiscali problem is a new one, although I suspect closely related. Sounds like open season on the TG585 at the moment.
More than one Bath
"a security researcher located near the UK's Bath"
I'd like to point out that the UK has at least two Baths and a minimum of one shower to every four houses.
I'm getting my O2 installed tomorrow; my O2 wireless box 2 will be used briefly to check the service is OK, then I'm whipping out a Linksys WAG354G because it looks better, is smaller, stands on its side and doesn't have this sort of problem
pint for the fact I pay less
Router address change: point taken.
I cannot connect to my TG585 using a pseudo-domain name although the documentation states I should be able to.
As I mentioned, simply setting an Administrator password nullifies the attack to the point that user intervention is required for the attack to be successful. Providing, that is, the default support accounts are removed.
Tiscali and TG585
Tiscali provide the TG585 to their customers, and have been notified but it would appear that they are ignoring the issue. Shame on Tiscali.
So I've tried to follow adnim's instructions above, but the Administrator user doesn't have permissions to delete the tech and BeTech users. Any advice on how to get around that?
Update on Tiscali and the TG585
On contacting the Tiscali Technical Assistance team regarding this matter, they responded with the following:
"I would like to mention that the router is an electronic device that is powered with an external power supply. However, the Thomson Router TG585 does not have vulnerability issues."
Have Tiscali got this right? Well, I guess the only way I'm going to find that out is by contacting Thomson to see what they say.
My oversight sorry.
Save the configuration file user.ini by navigating to
Configuration>Backup & Restore
Click the "Backup Configuration Now" button and save user.ini.
Open user.ini in Notepad or a similar text editor, search for the [ mlpuser.ini ] section and add "role=root" without quotes to the end of the account you use to administrate the router:
[ mlpuser.ini ]
add name=Administrator password=_CYP_<xxx-hash_removed-xxx> role=root
Save the file and upload it to the router by clicking on the "Restore Configuration Now" button on the same page you saved it from; Browse... to your edited user.ini file first using the browse button.
Telnet into the router using the changed account. You now have full root access to the device and can do ANYTHING to the system. I will not be held responsible if you brick your router, although a factory reset or firmware reflash should sort it out if you do accidentally make bad changes.
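The user.ini handling above is easy to get wrong in a text editor, so here is an added Python helper (not from the commenter or from Thomson) that parses the [ mlpuser.ini ] section of a backed-up config, lists the ISP support accounts named in this thread so they can be deleted, and rewrites one account's role= the way the post describes. The sample config, its hash placeholders and the exact section layout are constructed from the lines quoted in the thread.

```python
import re

# Constructed sample in the shape quoted in the thread; hashes are placeholders.
SAMPLE_INI = """\
[ mlpuser.ini ]
add name=Administrator password=_CYP_<hash-placeholder> role=Administrator hash2=<hash-placeholder> defuser=enabled
add name=tech password=_CYP_<hash-placeholder> role=TechnicalSupport
add name=BeTech password=_CYP_<hash-placeholder> role=TechnicalSupport
[ service.ini ]
ifadd name=HTTP group=wan
"""
# ISP/vendor support account names the thread mentions; matched case-insensitively.
SUPPORT_ACCOUNTS = {"tech", "betech", "superuser", "o2care"}

def section_lines(text, section):
    """Body lines of one '[ section ]' block; the bracket layout matches the thread's quotes."""
    out, inside = [], False
    for line in text.splitlines():
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line.strip())
        if m:
            inside = m.group(1) == section
        elif inside and line.strip():
            out.append(line.strip())
    return out

def parse_users(text):
    """Parse 'add key=value ...' lines of [ mlpuser.ini ] into dicts."""
    users = []
    for line in section_lines(text, "mlpuser.ini"):
        verb, _, rest = line.partition(" ")
        if verb == "add":
            users.append(dict(tok.split("=", 1) for tok in rest.split() if "=" in tok))
    return users

def audit(text):
    """List accounts an owner should remove before trusting the box on the WAN."""
    return [f"{u['name']}: support account (role={u.get('role')}), delete it"
            for u in parse_users(text) if u.get("name", "").lower() in SUPPORT_ACCOUNTS]

def with_role(text, name, role):
    """Return the config with one account's role= set (replaced if present, else appended)."""
    out = []
    for line in text.splitlines():
        if line.startswith("add ") and re.search(rf"\bname={re.escape(name)}(\s|$)", line):
            if re.search(r"\brole=", line):
                line = re.sub(r"\brole=\S+", f"role={role}", line)
            else:
                line += f" role={role}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run audit() on your own backup before and after restoring it to confirm the support accounts are gone.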
Thanks for the guide but my ini file shows
add name=Administrator password=_CYP_<hash removed> role=Administrator hash2=72db35e064da4d2eb3b9207ab91cde33 defuser=enabled
should I just change the role=Administrator to role=root?
Is it worth removing these lines for the other accounts as well?
Good and bad
Good that O2 are automatically fixing the issue and not relying on customers to fix it! Shame it took naming and shaming to get them off THEIR arses to do it in the 1st place.