back to article ABBA-solutely crapulous! Swedish router-maker won't patch gaping hole

European customer-premises equipment (CPE) kit-maker Inteno has said it isn't going to patch a hole that has been sitting in some of its routers for the last nine months, saying it's not the firm's problem. That's bad news if a European carrier, Inteno's key customers, dropped one of the problematic devices into your home. …

  1. Voland's right hand Silver badge

    This size of this hole is being blown out of proportion

    The ACS server is supposed to reside on the provider internal management network. The CPE connects to it via its provider facing interface.

    In order to perform a MiTM on it, you need to either insert yourself into that network or change the routing in the provider network. If you can do that to a provider, they have much bigger worries to worry about.

    1. Pascal Monett Silver badge

      Well that's fine for the providers, then, but what of the models that can apparently end up in a home ?

      The article states specifically that some vulnerable models can end up there.

      1. Martin Summers Silver badge

        I think you've missed the point Pascal. The router is sat at the customers premises and talking to the management server on the network at the service provider end. The OP's point is that if someone has managed to get themselves on that network to be able to stage a MITM then they have much more serious pressing problems.

        1. big_D Silver badge

          @Martin Summers anyone who manages to get onto that network? Like the hundreds of thousands of other customers for the ISP, so no chance of any of them being malicious then (or an open WiFi point that is connected to the network?

          1. Anonymous Coward
            Anonymous Coward

            a "Managment Network" is not the Internet. You aren't going to find any WiFi access point on it, and customer premise equipment cannot see or contact each other. The attack would have to originate within someone inside the carrier network, probably by someone with enough access that they could just as easily reconfigure the real management server as stage a man in the middle attack.

            1. Down not across Silver badge

              a "Managment Network" is not the Internet.

              Generally no. Although, for TR-069 management of CPE, the traffic is on the outside interface (and CWMP can even be proxied inside) and in most cases your router's WAN interface already has a public address which of course doesn't mean it wouldn't still be within the providers network behind some filtering/firewall rather than public internet.

              Given the address is likely to be via DHCP (and ACS URL is likely to be via DHCP Option 43), it is quite likely the network to be filtered at least with regards to DHCP and ACS traffic.

              So it whilst it might not be "internet" per se, it certainly is somewhat open to the internet.

      2. Down not across Silver badge

        Well that's fine for the providers, then, but what of the models that can apparently end up in a home ?

        The article states specifically that some vulnerable models can end up there.

        More than likely. The whole point is to manage the CPE B-NT (typically your xDSL router) remotely.

        This is nothing new. This has been reported for many years. Worst offenders are (or were) using only HTTP and not even encrypting, so not validating certificates is more of a minor offense.

        I think the vendor should fix the firmware to validate certificates regardless of whether any provider requests it or not.

        I've always turned TR-069 off as I don't want the provider to go mucking with configuration or push firmwares without me knowing and potentially breaking something. Of course it depends on the provider whether that is an option or not.

        It's not that bad a system if implemented properly, but with money and least effort often winning over doing it right how often is that likely to happen.

        TR-069 in case anyone is interested and too lazy to find it themselves.

  2. Anonymous Coward
    Anonymous Coward

    My experience

    Never ever buy computer gear from companies that specialize in consumer grade 'also ran' stuff for the home.

    They are low on features, low on quality, and low on support. They generally make a range of flavor of the week toys they stop supporting as soon as they leave the factory. Outfits like Sitecom are to be avoided at all cost (Note to The Register : please provide the Sitecom legal representatives with my identity information if they wish to sue me. I very much look forward to seeing them in court.)

  3. Fruit and Nutcase Silver badge

    Mamma Mia!

    Take a Chance on Me

    Under Attack

    SOS

    1. Small Furry Animal
      Pint

      Re: Mamma Mia!

      Groan!!

      +1 and a beer for that

    2. Chris King Silver badge

      Re: Mamma Mia!

      And given what the first poster said - Man In The Middle.

      1. TRT Silver badge

        Re: Mamma Mia!

        It's all about money, money, money.

        1. Fruit and Nutcase Silver badge

          Re: Mamma Mia!

          @TRT

          It's all about money, money, money.

          ...The Winner Takes it All

    3. ecofeco Silver badge

      Re: Mamma Mia!

      Well played sir. Well played.

      Mama Mia!

  4. Mike 125

    wrong

    ᗅᗺᗷᗅ, not ABBA.

    1. Anonymous Coward
      Anonymous Coward

      Re: wrong

      But "ᗺ" is not a proper letter. It ONLY appears in Unicode because it's used in aboriginal Canada (eg. Nunavut) as a syllabic. IOW, it's just a trademark and besides doesn't sort. Not to mention it's not on most keyboards. If AᗺBA doesn't want to lose its place near the top of the alphabetical band list, it needs to respect B being used in place of ᗺ. Besides, I believe the band trademarks the name both ways just to be safe.

      1. TRT Silver badge

        Re: wrong

        Isn't the name the initials of the members?

      2. Anonymous Coward
        Anonymous Coward

        Re: wrong

        Er, I think the OP was being a little tongue-in-cheek. The band's name was ABBA, the backwards "B" is just a stylised part of their most famous logo.

        I mean, a couple of their older releases used the one seen here, but I don't think anyone (#) counts the uber-1970s "highlight sparkles" are part of the name either. :-)

        (#) Except possibly weirdo editors on Wikipedia who add pointless "stylised as" bits to articles...

    2. nijam

      Re: wrong

      > ᗅᗺᗷᗅ, not ABBA.

      They're topologically identical, in other words just a slightly different (and admittedly unconventional) typeface.

  5. Anonymous Coward
    Anonymous Coward

    Provider is responsible

    Inteno is "made to a budget" equipment that you usually get with your ISP subscription. I have had them from two different ISPs, and service personell in both cases indicated that it was far from the best kit you could get. It is, however, the responsibility of the vendor, not the manufacturer, to provide service. They get a very good price on the condition that they are the ones responsible to the end user. This is the same as with other consumer products - the store where you buy stuff is the one where you need to complain.

    1. Down not across Silver badge

      Re: Provider is responsible

      It is, however, the responsibility of the vendor, not the manufacturer, to provide service. They get a very good price on the condition that they are the ones responsible to the end user.

      So do the service providers write their own firmware for the kit?

      If not, then it still is the manufacturer's responsilibility to fix issues in firmware rather than shift all blame to the service provider (who can certainly be blamed for their choice of vendor).

      1. david 12 Silver badge

        Re: Provider is responsible

        >So do the service providers write their own firmware for the kit?<

        The service providers PROVIDES firmware for the kit. I don't even have a way to upgrade mine: my service provider checks and reverts when I attach.

        No doubt the service providers will be rushing out an upgrade, soon after a high-profile hacking case is reported on the evening TV. Until then....

        1. Down not across Silver badge

          Re: Provider is responsible

          The service providers PROVIDES firmware for the kit. I don't even have a way to upgrade mine: my service provider checks and reverts when I attach.

          I never suggested the end user would have any part in it. The service providers indeed usually push firmware updates to the CPEs. One of the features of TR-069.

          My point was about who writes the firmware. Do all the service providers have software engineers for embedded systems who write and modify the firmware? Seems unlikely especially for the smaller ones.

          I would expect the firmware to come from the manufacturer with the service providers perhaps having the capability to add or modify branding and repackage.

  6. Captain DaFt

    As a Muppet fan...

    I'm disappointed the sub heading wasn't:

    "Swedish Router Börk Börk Börked!"

    1. MrT

      Re: As a Muppet fan...

      "Where de checkin'...?"

    2. Anonymous South African Coward Silver badge

      Re: As a Muppet fan...

      Here you go

      http://s2.quickmeme.com/img/64/64c32d3e154811c4b71cc66bb248bd2be4610a95c80b05e26e78e167b41dbcf8.jpg

  7. a_mu

    kit

    do we have a list of affected kit ?

    1. MrDamage

      Re: kit

      They listed the known aFfected models in the article, so nah, we don't have a list.

      /sarcasm

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020