Irish eyes are crying: Tens of thousands of broadband modems wide open to hijacking

Eir, Ireland's largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover. Earlier this month, a security researcher writing under the name "kenzo" has posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem. …

  1. Anonymous Coward

    Why does an ISP need access to your hardware

    Answer: How else are they able to keep you secure if they can't modify your access and monitor your data?

    And if it leaves a backdoor for the spooks too.

    Good job people!

    1. Paul Crawford Silver badge

      Re: Why does an ISP need access to your hardware

      To be fair, they could also use it to push out updates to fix security vulnerabilities like this before they get comprehensively p0wned, as Joe Average user is unlikely/incapable of doing so. Oh wait...

      As for having the management port not locked to their own IP range, as they did in the past, that is just such a stupid fsck-up that some senior people should be getting the boot.

      1. Richard 12 Silver badge

        Re: Why does an ISP need access to your hardware

        Remote access for update and support are definitely very useful for an ISP in a domestic context.

        It's very valuable for the ISP support to be able to say "Your modem is working, it seems that your laptop isn't connected to it right now. Do you use Windows or Mac?"

        Then talk them through the setup including the SSID to pick and the password to type, and finally see the WiFi login (attempt).

        I suspect somebody in the dev team had been asking "Which IP range gets remote access?" for some time, had been ignored for months and eventually ordered "Just turn off the filter, the customer won't say".

    2. Lee D Silver badge

      Re: Why does an ISP need access to your hardware

      They already have access to, and can monitor your data.

      All the data that's not encrypted anyway. You're not doing anything sensitive over unencrypted channels, are you? That's just idiotic.

      And your ISP doesn't need to be in your router to monitor your data. By definition, they are providing that service to you anyway. They are in your router to monitor their equipment, upgrade it against firmware attacks like this for you, and tweak settings (i.e. upgrade your speed, upgrade the DOCSIS version compatibility, etc. etc.).

      If you don't trust them on your network, change your router or put something between your ISP's router and your own. That's what modem mode is for, for instance, and I've been doing that for 20+ years.

      But if you don't trust your ISP not to snoop, then you should be encrypting (you should be encrypting anyway, to be honest). And if you're encrypting then you don't need to trust your ISP - they can't snoop anything you're not sending them.

      If, however, you've connected their router direct to your home network / wifi with no device of your own in-between, then - yes - they theoretically have access to your wireless clients and your network, same as being plugged into a local network cable. Shocking that. If you use a device given to you, and put a password into it and connect using that password and use it for all your Internet, and plug it into your wired network, that device can access your wireless clients and wired network. I'm SHOCKED at that. Honestly? If that's the kind of attack you're worried about, you deploy a firewall of your own inside your network. A £30 box from PC World, problem solved, and it can follow you to any ISP, any network, any country.

      Hell, even in work, our leased lines, VDSL and ADSL come in to ISP-supplied routers, load-balancers, switches, fibre converters, and then - guess what? They all go into an isolated, untrusted VLAN which only includes our gateway / firewall / router / IPS / IDS device. Guess how much snooping they can do over and above what we're sending them? Nothing. Guess how much they can get into our network? No more than anyone else with an Internet connection.

      1. Anonymous South African Coward Silver badge

        Re: Why does an ISP need access to your hardware

        A couple of good points made - and I also prefer a Smoothwall/pfSense between my network and the WWW.

        However, your average home user doesn't understand what all this tech talk means, and is just satisfied with plunking his laptops/desktops/IoT things into his router. After all, it works, so why should he/she/it make things com-pli-cerated by adding a firewall and other stuff?

        1. Version 1.0 Silver badge

          Re: Why does an ISP need access to your hardware

          They supply the device so it's reasonable to expect them to access and maintain it - in fact I'd say that it's their duty to maintain it. But there's no reason to trust them - I've always placed my own firewall between their hardware and my network so that I control who and what is allowed.

        2. Ole Juul

          Re: Why does an ISP need access to your hardware

          Perhaps I missed the details here, but if the ISP is using CGN (Carrier-grade NAT) then it would not be appropriate for users to have access to that configuration.

    3. Mage Silver badge

      Re: Why does an ISP need access to your hardware

      They don't. They have total control of your connection at their end. The whole idea is nuts.

    4. Christian Berger Silver badge

      Provisioning and maintenance mostly

      For example when a customer complains, the call-center agent can see how bad the line is, etc.

  2. Anonymous South African Coward Silver badge

    Derp durr.

    Backdoors are bad ideas.

    1. Version 1.0 Silver badge

      Backdoors are very useful on occasion, generic backdoors with hard coded passwords are a bad idea.

  3. Paul Crawford Silver badge

    To me a "backdoor" is an undocumented and sneaky addition, generally without an option to change its access credentials.

    However, having a management port that is properly documented and can be secured is another. Yes, it is a risk but that can be managed by having multiple layers of security.

    In this case it's a double-fail - first that the login can be found from remote queries without needing the login, and second that such access was not restricted to a trusted and small IP range such as the ISP's own administrative machines (based on the sensibly paranoid approach that no single access method will be free of bugs or brute-forcing).

    1. John H Woods

      According to this pdf on TR-064...

      "Access to any action that allows configuration changes to the CPE MUST be password protected."

      ISPs and manufacturers can probably make a case for including the TR-064 configuration functionality but this looks like a bit of a half-baked effort. Surely when it gets to the bit of the requirements where ISP access to end-user routers is required people should automatically be thinking "Danger Will Robinson" rather than "Let's just add this".

  4. This post has been deleted by its author

    1. Paul Crawford Silver badge

      Re: "except for IP addresses"

      They *are* the ISP so presumably could have their routers configured to block incoming IP addresses to any customer that should not exist (such as their own internal range, "Martian packets", etc).

      Yes, I know, that is a level of security sense that goes one step above the already-failed step of limiting IP addresses in the first place...

      1. Doctor Syntax Silver badge

        Re: "except for IP addresses"

        "They *are* the ISP so presumably could have their routers configured to block incoming IP addresses to any customer that should not exist"

        They could also block any specific ports - such as 7547.

        1. Mage Silver badge

          Re: "except for IP addresses"

          And how does the ISP block WiFi based attacks?

          It's all nuts on ADSL. DOCSIS does unfortunately need remote access, though Cable Labs have improved security on that. There is no argument for Eir DSL modems to have remote management because users can plug their own combo modem/router/airpoint in unlike cable.

        2. Peter Gathercole Silver badge

          Re: "except for IP addresses" @Doctor Syntax

          Please think about what you said for a second or two. You've been around here long enough to know the problem with what you've said.

          Port 7547 is not a reserved port, and is in the ephemeral port range, so it is not beyond the bounds of possibility that it could legitimately be used by some other piece of software.

          Just blocking it could have unpredictable effects.

    2. Loyal Commenter Silver badge

      Re: "except for IP addresses"

      I was about to point out the same thing. It's not like IP spoofing is a thing, is it?

    3. Peter Gathercole Silver badge

      Re: "except for IP addresses" @Symon

      IP Spoofing. Not really applicable.

      There are two ways IP spoofing can have an effect. One is only possible if you are on the same physical network and subnet as the system you're trying to attack, and the other is if you are not trying to open a bi-directional session (normally only if you are attempting a DDoS packet flood or reflection attack, where you don't need any return packets).

      In theory, I suppose it could work if you were physically on the same network as the system you're masquerading as, and could knock the management server off the net, or subvert the ARP cache on the router, but if a hacker has physical access to your ISP's infrastructure, then you're probably screwed anyway!

      Anything else uses the source IP address in any packet as the destination for return packets, so they get routed to the systems you're masquerading as, not you (this is the reason it works in the same subnet, because there's no routing involved). So you never see any return packets, and thus cannot set up any TCP service as the initial handshake won't work.

      One last thought. You could try source-routing the packets, but most routers don't allow this anymore.
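Paul Crawford's point above (management access should have been limited to the ISP's own administrative range) and the later exchange about blocking "Martian" sources and port 7547 suggest a simple defender-side check. The following is an added example, not code from the article or any commenter: it audits constructed connection-log lines for TCP/7547 connections a modem accepted from outside a placeholder ISP management prefix or from Martian source addresses, so the log format, the prefix and the sample lines are all assumptions.

```python
import ipaddress
import re

# Constructed placeholder for the ISP's administrative range (TEST-NET-1, RFC 5737).
ISP_MGMT_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
TR064_PORT = 7547  # TCP port the thread identifies for TR-064 management

# "Martian" source prefixes that should never arrive on the WAN interface.
MARTIAN_RANGES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
# Constructed log format: "<time> WAN ACCEPT src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_RE = re.compile(r"src=(\S+) .*?proto=(\w+) dport=(\d+)")

def classify(line):
    """None for non-TCP/7547 lines; else ok / untrusted-source / martian-source / unparsable-source."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, proto, dport = m.group(1), m.group(2), int(m.group(3))
    if proto != "tcp" or dport != TR064_PORT:
        return None
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparsable-source"
    if any(src_ip in net for net in MARTIAN_RANGES):
        return "martian-source"   # spoofed or misrouted; should be dropped at the ISP edge
    if any(src_ip in net for net in ISP_MGMT_RANGES):
        return "ok"               # the only sources that should ever reach the port
    return "untrusted-source"     # the failure the thread describes: open to the Internet

def audit(lines):
    """Return (reason, line) pairs for every management connection worth flagging."""
    flagged = []
    for line in lines:
        reason = classify(line)
        if reason not in (None, "ok"):
            flagged.append((reason, line))
    return flagged

# Constructed sample log lines (all addresses are documentation prefixes).
SAMPLE_LOG = [
    "2016-11-07T10:01:02Z WAN ACCEPT src=192.0.2.17 dst=198.51.100.20 proto=tcp dport=7547",
    "2016-11-07T10:02:11Z WAN ACCEPT src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=7547",
    "2016-11-07T10:03:45Z WAN ACCEPT src=10.4.4.4 dst=198.51.100.20 proto=tcp dport=7547",
    "2016-11-07T10:04:30Z WAN ACCEPT src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=443",
]
```

Source-address filtering is meaningful for this port because, as Peter Gathercole notes, a TCP service cannot be reached from a spoofed source, so the check targets the unfiltered-access failure rather than spoofing.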

  5. Anonymous Coward

    Turn them off and on again, twice

    To be sure, to be sure...

    ...bye

  6. psychonaut

    bobby tables

    great handle!!

    1. pdebarra

      Re: bobby tables

      Always good to see an XKCD reference!

  7. John Smith 19 Gold badge

    So first pen test question is "Do everything that should not be possible and see if it is."

    Sounds like a waste of time.

    Isn't.

  8. Mike Rochanel

    Frontier disables the firewall on all their DSL routers

    Frontier in the USA installs all their home DSL routers with the firewall turned off.

    1. Pen-y-gors Silver badge

      Re: Frontier disables the firewall on all their DSL routers

      Firewalls are for wimps! Someone breaks into your PC, you do the same as if they break into your home, you blow their frikkin' head off with your AK47

      1. Brewster's Angle Grinder Silver badge

        Re: Frontier disables the firewall on all their DSL routers

        The trouble is, when they break into your router you probably need an ICBM.

  9. infodox

    TalkTalk also vulnerable, amongst others :)

    Figured I'd drop an update in here along with emailing the author, but we discovered that TalkTalk in the UK also ship vulnerable devices. Furthermore, we have unverified reports* of vulnerable devices being shipped by the following ISPs:

    * Post Office Broadband (UK)

    * Plusnet (UK)

    * Vodafone (Ireland)

    * Demon (UK)

    * unverified = have not personally tested/seen one, but have been sent information supporting the claims.

  10. RealBigAl

    Looks like they need to put a Cork in it.

  11. fnj

    NEVER trust an ISP-controlled firewall/router

    Happy horse-pukky like this is the reason I have my own SEPARATE cable modem and firewall/router (a Sonicwall). If my ISP would not allow me to use my own cable modem and foisted their own modem/router on me, I would still put my own firewall/router in series with it. I wouldn't be happy, but at least I would still be reasonably secure.

  12. Velv Silver badge

    Back doors are BAD!

    Watching War Games should be mandatory for everyone working in IT. There needs to be a Certification and you don't get to work unless you've passed the movie exam.

  13. Christian Berger Silver badge

    Where did ZyXEL get their reputation for providing usable hardware from?

    That must be from back when they made phone line modems. We once had a couple of ZyXELs in our lab. One couldn't work with PPPoE usernames containing a #. With another firmware it would randomly forget settings. Another ZyXEL was unable to adapt to one simple quirk in the SIP of a certain provider.

  14. asdf Silver badge

    Only chance with ZyXEL

    The only chance you have of making ZyXEL DSL modems even have a chance of being secure is to put them in transparent bridging mode and have your open source firmware home router do the PPP and firewall work. Even then I sure wouldn't trust ZyXEL for enterprise or anything requiring a legal audit.

Biting the hand that feeds IT © 1998–2019