Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password


I’ve just read an interesting article entitled “who makes the IoT things under attack“, explaining that devices connected to the Internet such as routers, IP cameras, IP phones, etc. may be used by a botnet to launch DDoS attacks, and that they are taken over using the default username and password. So you may think that once you’ve updated the firmware when available, and changed the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH to try a bunch of default usernames and passwords.

That made me curious, so I scanned the ports on my TP-Link wireless router and on the ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, which was installed by my Internet provider, the biggest in the country I live in, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.

I’ve started by scanning the TP-Link router from the local network:


UPnP and the web interface ports are open, plus an extra port likely opened by UPnP, which looked fine.

Then I did the same on the ZTE modem, from the local network first:


The telnet port is open, and that’s not good… It would be much worse if it was also open on the public IP:


Oh boy…. That’s not good at all. Can I access it from the outside?


No, because I don’t know the password. That is, until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modems. Bingo!


That’s huge, as it means millions of modem routers can (likely) be accessed around the world with minimal knowledge; I would not even consider this a hack…. Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username / password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number, as the Server field indicates it’s a ZTE device…
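As an added example (not code from the original post), here is a small Python audit that parses the nmap port table from a LAN scan and a scan of the public address, and flags what the scans above illustrate: a confirmed open telnet or HTTP admin port, and any port reachable from both sides. The scan text is constructed for the example, not the author's capture.

```python
import re

# Constructed sample scans (not the author's captures), in nmap's normal-output
# table format: one line per port, "PORT STATE SERVICE".
LAN_SCAN = """\
Not shown: 997 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
8200/tcp  open  trivnet1
"""
PUBLIC_SCAN = """\
PORT      STATE         SERVICE
23/tcp    open          telnet
80/tcp    filtered      http
80/udp    open|filtered http
"""

# Services a home gateway should not expose unless someone chose to.
RISKY = {23: "telnet: cleartext logins, default-credential target",
         22: "ssh: default-credential target",
         80: "http admin interface"}

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|filtered|closed)\s+(\S+)")

def parse_ports(scan_text):
    """Return (port, proto, state, service) tuples from nmap normal output."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def audit(scan_text, public=False):
    """Findings as (severity, port, note). Only confirmed 'open' ports count: 'filtered'
    means something upstream already blocks it. A risky service open on the public
    address is critical, on the LAN it is high; anything else open should be identified."""
    findings = []
    for port, proto, state, service in parse_ports(scan_text):
        if state != "open":
            continue
        if port in RISKY:
            findings.append(("critical" if public else "high", port, RISKY[port]))
        else:
            findings.append(("info", port, f"{service}/{proto} open: identify what opened it (UPnP?)"))
    return findings

def exposed_everywhere(lan_text, public_text):
    """Ports open on both the LAN and the public side: the ones a botnet can reach."""
    lan = {p for p, _, s, _ in parse_ports(lan_text) if s == "open"}
    pub = {p for p, _, s, _ in parse_ports(public_text) if s == "open"}
    return sorted(lan & pub)

if __name__ == "__main__":
    for sev, port, note in audit(PUBLIC_SCAN, public=True):
        print(sev, port, note)
    print("reachable from the Internet:", exposed_everywhere(LAN_SCAN, PUBLIC_SCAN))
```

Feed it the text of your own `nmap` runs against the gateway's LAN address and its public address; a scan from an outside host (as one commenter notes below) can differ from a scan of the public IP done from inside the LAN.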


I don’t know if the Internet provider uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However, the rootfs is in read-only mode:


Normally, this is no problem as you can remount the root partition in read/write mode:


But it’s not working in this case… I’m sure there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. These are the commands at our disposal:

busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget

A temporary solution is to kill telnet:


But obviously telnet will run again at next boot time…

Anyway, it would be good if the service providers could make sure to change the default password before installing the modems on the customer premises, and hopefully they’ll be able to change the password, or disable the service remotely, in due time…

Shomari

… this is a MASSIVE issue that cannot be overstated. The amount of vulnerable connected devices is staggering.

kdayns

…and the ISP is punished for originating DDoS from it.
But punishment should also be monetary.

thesandbender

As a general rule I never, ever trust a device I don’t have complete control over… including integrated routers from ISPs. Almost all of them have a “bridge” mode where the firewall/router is turned off and they just shuffle packets between the cable/dsl/fiber and the Ethernet port. You can then put a firewall you control behind it and not have traffic double NAT’ed. Most often the ISP’s won’t tell you about bridge mode or how to enable it but a fair amount of digging will turn it up. This doesn’t solve the problem of the cable modem being turned into a DDoS zombie but it at least makes your network a bit safer.The one thing I have noticed happening more often now is ISPs doing NAT’ing at their perimeter firewall, so you get a NAT’d IP no matter what you do. Most ISPs doing this are selling it as a security feature (which I kind of buy for less technically inclined people) and will usually give you a routable IP if you call up and ask.

Alessandro

I get different port states if I scan my public IP
from LAN or from an online service, i.e.
from LAN:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8200/tcp open trivnet1
20005/tcp open btx

from outside:
80/tcp filtered http

80/udp open|filtered http

8200/tcp filtered trivnet1

20005/tcp filtered btx

scary results anyway, since I still can’t determine what trivnet and btx are…

tkaiser

If you search on zoomeye.org for ‘port:23 country:TH’ there are just 200.000 listed 😉

tkaiser

@cnxsoft
Well, I really hope that it’s not exhaustive but you could double check on Shodan and Censys. At least it should be obvious that finding vulnerable devices is as easy as taking them over especially if you can already rely on a botnet doing the job.

Given the actual trend to connect each and every IoT crap to various clouds from where access to other IoT devices assigned to the same account is possible this will get even more funny in the (not so distant) future.

thesandbender

I also take the extra step of filtering outbound traffic for IoT devices, a lot of them do things they’re not telling you about or ignore directives you give them. For example, we have a Foscam webcam in our toddler’s room. It was ignoring the assigned DNS server (regardless of manual or DHCP IP settings) and contacting its own. It was also trying to register with their dynamic DNS service even when you told it not to. It can get to be a pain to manage, especially for IoT devices that do need to access the internet (e.g. we have a home automation setup) but you don’t really have a choice if you want any semblance of security.

nobe

From what I understand, the main problem isn’t the IoT devices themselves (don’t get me wrong, they’re still a problem as long as you’re concerned about security/privacy/etc…)
The main problem comes from all those ISPs who can’t even configure a firewall correctly!

And this problem has existed for a very long time:
as an example, you’d be surprised to know how many network printers are accessible from everywhere.

tkaiser

@cnxsoft
telnetd is sooo boring since it allows only virtual access to a device. Better search for dumb people using ‘smart locks’, get into their IFTTT or SmartThings or whatever cloud account and have physical access to their home.

TLS

And this is why I asked my service provider to put my cable modem/router combo into bridge mode so I can use my own router…

tkaiser

@thesandbender
I would use a Foscam IP camera (or any other commercially available device with a network connection and cloud or P2P ambitions) only after replacing the firmware. If that’s not possible I would throw it away. Very nice read:
“It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network”

tkaiser

The era of home automation… also called the “golden age of surveillance”

zoobab

It reminds me of the security hole in the Belgacom Box 2:

http://www.zoobab.com/bbox2

Login/Password was the same for all the boxes, open in telnet on the private interfaces (LAN and WLAN), and in those days, the default settings of the main provider were an open SSID.

So you could become root on the router from the street if the SSID was open.

Some student named “Vendetta” made a tour of Brussels, stole all the PPP credentials that were stored in some config file on the box, and threatened Belgacom to publish more credentials if they were not changing their data quota policy.

zoobab

@thesandbender
Actually most of the people who visit my page about the Belgacom Box 2:

http://www.zoobab.com/bbox2

Search on how to put it in bridge mode.

I worked in a company where the Belgacom engineers were putting the “entreprise” version of it on bridged mode, because the router was falling apart when there were too many NAT sessions, so they were installing the router in bridged mode, with another router next to it 🙂

zoobab

As I can see in your busybox output, you have wget available, so it would be easy to load some static binary from /tmp/.

Can you do a cat /proc/cpuinfo?

The Dex

@nobe
ISPs’ problems? How and why?

Why would my ISP decide what ports I need to access from the outside? Maybe I need a telnet connection to one of my legacy servers (TIP: telnet was used before SSH to remote-admin servers).
Secondly, maybe I have secured it and want to access my network printer directly. Again, why should my ISP decide?

No, it’s not an ISP issue. It’s a user’s issue (lack of awareness) + manufacturer’s lack of interest. They both need to be responsible with what they do online (as with what they do offline)

Theguyuk

The sad part about this is while everybody discusses the ins and outs, somebody will see this as a business opportunity to sell a service or product to stop it. Aimed at uneducated folk like me.

zoobab

@cnxsoft
According to this page:

https://wiki.openwrt.org/doc/hardware/soc/soc.broadcom.bcm63xx

BCM63168 == BMIPS4350 V8.0

1ghz with USB3.

Will ask around to xcompile some full busybox for it…

zoobab

@zoobab
This is the same SOC as the BBOX3: http://www.zoobab.com/bbox3-sagemcom
Search for “bcm63168”.

Last time I looked at it, it was pretty easy to create a new profile in openwrt because the arch was already existing.

zoobab

This Zoomeye search works better:

“port:23 country:TH F600W”

The Dex

@Theguyuk
To stop what?

DDoSing has been problematic for years; and there are businesses that already sell this.
Firewalling has been implemented since early days of servers/networking; and there are businesses that already sell this.

There is nothing new about this. It’s just how networks & devices have worked since TCP/IP and UDP were implemented (25+ years).

So… what’s new?

Theguyuk

@The Dex
In a way that highlights my point. Technically able people already know this, but lots of non-technical users don’t have a clue. They just assume and expect everything is safe. Lots of people still don’t have a firewall or run anti-virus software. They just use the software and hardware and never consider risks. They drive sales just by consuming.

You can consider that we have never been here before with so many connected devices.

Slightly off topic, but the Hola VPN app story shows how easy to exploit people’s devices can be. Then you have rooting, jailbreaking devices and Kodi addons with their security risks. Many here are technically aware, but a lot of readers also just come for CNX Software’s product reviews before buying. They find the security issues too technical as it’s not their field, job or interest.

Arnab

I’m confused, how could this problem be solved without flashing OpenWrt? I’ve seen many Tenda routers affected by a similar problem, and they don’t support OpenWrt.

Theguyuk

There are routers supplied by broadband companies that will not accept any other software, EE and SKY for instance. I have several old SKY modems whose firmware you cannot change, and an EE modem with the same problem. So how would home users secure them?

hwti

@cnxsoft
BusyBox 1.01 (from 2005, so they used a 10 year old version…) mount wants two parameters, even on a remount, or it looks in fstab.
Try: mount -o remount,rw,relatime ubi:rootfs_ubifs /

The Dex

@Theguyuk
I do agree with you!

So, from your point-of-view, how would you proceed? Or what would you want to be done? One thing I do not “universally” agree: driving sales. There are companies that are inflicting serious costs out of this.

Take the Mirai botnet (although it is not the only one – there are several variants “lurking” around, dedicated to ARM-based/embedded devices): this can hit SMEs and leave them in total digital blindness. And the same goes for bigger ones too.

The Dex

@cnxsoft
We’re open to investigate and propose a solution, if there is one available (and I do think that at least one should be available).

Since we don’t have direct access to the devices you are using we can’t say that it’s gonna work 100%, but we can try. 🙂

theguyuk

@The Dex

That is a hard question to answer. Out of the box, secure by design for manufacturers of modems is part of the answer, but that would need to be a required industry standard.

For older modems, what’s possible? Can you make a cheap inline filter, something to block attacks on hardware you cannot change or flash? A hardware gatekeeper, is that even possible?

The Dex

@theguyuk
Usually there is the possibility to modify the firmware and “patch” the backdoor – for example, close the telnet service/change the interface where it is listening or change the default passwords (depends on some factors, of course).
If the router provides firewalling, maybe there is a possibility to default enable firewalling of those services or port forwarding them to a sinkhole.

Fact is that most of these devices use OpenSource solutions; and the sources should be available, as per license requirements. But, besides some serious manufacturers that take note of this, many don’t. But, again, they can be legally obliged.

Oh well…

zoobab

@cnxsoft
Any serial console on the board? Usually there is one…

tkaiser

cnxsoft :
The tricky part might be to find their IP addresses

That’s the easiest part and it’s already mentioned how they did that: using Shodan you can search for any type of (vulnerable) device. And this is not the only specialized search engine for the Internet of Sh*t (critical infrastructure connected to the net with default passwords or no authentication at all). Censys is a known alternative and zoomeye.org gets more and more popular, even if westerners have their trouble with the Chinese UI.

tkaiser

@cnxsoft
But even if such devices or Linux distros targeting IoT devices would force their users to change the passwords, it might not change that much, due to the code base containing flaws that are easily exploitable. Way too many enabled services, outdated code and unpatched kernels (with root exploits available like Dirty COW) lead to a large attack surface.

BTW: regarding Dirty COW, at least Armbian users are safe after doing an ‘apt-get upgrade’: http://docs.armbian.com/Release_Changelog/