Why does an ISP need access to your hardware
Answer: How else are they able to keep you secure if they can't modify your access and monitor your data.
And if it leaves a backdoor for the spooks too.
Good job people!
Eir, Ireland's largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover. Earlier this month, a security researcher writing under the name "kenzo" has posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem. …
To be fair, they could also use it to push out updates to fix security vulnerabilities like this before they get comprehensively p0wned, as Joe Average user is unlikely/incapable of doing so. Oh wait...
As for having the management port not locked to their own IP range, as they did in the past, that is just such a stupid fsck-up that some senior people should be getting the boot.
Remote access for update and support are definitely very useful for an ISP in a domestic context.
It's very valuable for the ISP support to be able to say "Your modem is working, it seems that your laptop isn't connected to it right now. Do you use Windows or Mac?"
Then talk them through the setup including the SSID to pick and the password to type, and finally see the WiFi login (attempt).
I suspect somebody in the dev team had been asking "Which IP range gets remote access?" for some time, had been ignored for months and eventually ordered "Just turn off the filter, the customer won't say"
They already have access to, and can monitor your data.
All the data that's not encrypted anyway. You're not doing anything sensitive over unencrypted channels, are you? That's just idiotic.
And your ISP doesn't need to be in your router to monitor your data. By definition, they are providing that service to you anyway. They are in your router to monitor their equipment, upgrade it against firmware attacks like this for you, and tweak settings (i.e. upgrade your speed, upgrade the DOCSIS version compatibility, etc. etc.).
If you don't trust them on your network, change your router or put something between your ISP's router and your own. That's what modem mode is for, for instance, and I've been doing that for 20+ years.
But if you don't trust your ISP not to snoop, then you should be encrypting (you should be encrypting anyway, to be honest). And if you're encrypting then you don't need to trust your ISP - they can't snoop anything you're not sending them.
If, however, you've connected their router direct to your home network / wifi with no device of your own in-between, then - yes - they theoretically have access to your wireless clients and your network, same as being plugged into a local network cable. Shocking that. If you use a device given to you, and put a password into it and connect using that password and use it for all your Internet, and plug it into your wired network, that device can access your wireless clients and wired network. I'm SHOCKED at that. Honestly? If that's the kind of attack you're worried about, you deploy a firewall of your own inside your network. A £30 box from PC World, problem solved, and it can follow you to any ISP, any network, any country.
Hell, even in work, our leased lines, VDSL and ADSL come in to ISP-supplied routers, load-balancers switches, fibre converters, and then - guess what? They all go into an isolated, untrusted VLAN which only includes our gateway / firewall / router / IPS / IDS device. Guess how much snooping they can do over and above what we're sending them? Nothing. Guess how much they can get into our network? No more than anyone else with an Internet connection.
A couple of good points made - and I also prefer a Smoothwall/pfSense between my network and the WWW.
However, your average home user doesn't understand what all this tech talk means, and is just satisfied with plunking his laptops/desktops/IoT things into his router, After all, it works, so why should he/she/it make things com-pli-cerated by adding a firewall and other stuff?
They supply the device so it's reasonable to expect them to access and maintain it - in fact I'd say that it's their duty to maintain it. But there's no reason to trust them - I've always placed my own firewall between their hardware and my network so that I control who and what is allowed.
To me a "backdoor" is an undocumented and sneaky addition, generally without an option to change its access credentials.
However, having a management port that is properly documented and can be secured is another. Yes, it is a risk but that can be managed by having multiple layers of security.
In this case its a double-fail - first the the login can be found from remote queries without needing the login, and second that such access was not restricted to a trusted and small IP range such as the ISP's own administrative machines (based on the sensibly paranoid approach that no single access method will be free of bugs or brute-forcing).
According to this pdf on TR-064...
"Access to any action that allows configuration changes to the CPE MUST be password protected."
ISPs and manufacturers can probably make a case for including the TR-064 configuration functionality but this looks like a bit of a half-baked effort. Surely when it gets to the bit of the requirements where ISP access to end-user routers is required people should automatically be thinking "Danger Will Robinson" rather than "Let's just add this"
This post has been deleted by its author
They *are* the ISP so presumably could have their routers configured to block incoming IP addresses to any customer that should not exist (such as their own internal range, "Martian packets", etc).
Yes, I know, that is a level of security sense that goes one step above the already-failed step of limiting IP addresses in the first place...
And how does the ISP block WiFi based attacks?
It's all nuts on ADSL. DOCSIS does unfortunately need remote access, though Cable Labs have improved security on that. There is no argument for Eir DSL modems to have remote management because users can plug their own combo modem/router/airpoint in unlike cable.
Please think about what you said for a second or two. You've been around here long enough to know the problem with what you've said.
Port 7547 is not a reserved port, and is in the ephemeral port range, so it is not beyond the bounds of possibility that it could legitimately be used by some other piece of software.
Just blocking it could have unpredictable effects.
IP Spoofing. Not really applicable.
There are two ways IP spoofing can have an effect. One is only possible if you are on the same physical network and subnet as the system you're trying to attack, and the other is if you are not trying to open a bi-directional session (normally only if you are attempting a DDoS packet flood or reflection attack, where you don't need any return packets).
In theory, I suppose it could work if you were physically on the same network as the system you're masquerading as, and could knock the management server off the net, or subvert the ARP cache on the router, but if a hacker has physical access to your ISPs infrastructure, then you're probably screwed anyway!
Anything else uses the source IP address in any packet as the destination for return packets, so they get routed to the systems you're masquerading as, not you (this is the reason it works in the same subnet, because there's no routing involved). So you never see any return packets, and thus cannot set up any TCP service as the initial handshake won't work.
One last thought. You could try source-routing the packets, but most routers don't allow this anymore.
Figured I'd drop an update in here along with emailing the author, but we discovered that TalkTalk in the UK also ship vulnerable devices. Furthermore, we have unverified reports* of vulnerable devices being shipped by the following ISP's:
* Post Office Broadband (UK)
* Plusnet (UK)
* Vodafone (Ireland)
* Demon (UK)
* unverified = have not personally tested/seen one, but have been sent information supporting the claims.
Happy horse-pukky like this is the reason I have my own SEPARATE cable modem and firewall/router (a Sonicwall). If my ISP would not allow me to use my own cable modem and foisted their own modem/router on me, I would still put my own firewall/router in series with it. I wouldn't be happy, but at least I would still be reasonably secure.
That must be from back when they made phone line modems. We once had a couple ZyXELs in our lab. One couldn't work with PPPoE usernames containing a #. With another firmware it would randomly forget settings. Another ZyXEL was unable to adapt to one simple quirk in the SIP of a certain provider.
The only chance you have of making ZyXEL DSL modems even have a chance of being secure is to put them in transparent bridging mode and have your open source firmware home router do the PPP and firewall work. Even then I sure wouldn't trust ZyXEL for enterprise or anything requiring a legal audit.