Security flaw in Airtel DSL modems

Hi,

I've found a few problems with the way DSL modems from a vendor, Bharti, and provided by Airtel (an Indian ISP) are set up. I've been talking with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they have addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <shr@xxxxxxxxxxxx>
Date: Tue, Sep 2, 2008 at 1:14 PM
Subject: Re: Security flaw in airtel provided DSL modems
To: care.karnataka@xxxxxxxxx


Hello,

Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.

1. The modems have accounts besides "admin" which have super-user [root, uid=gid=0] access. These accounts are "nobody", "user", "support". At the time of modem installation, Airtel staff usually ask the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in using the default admin password on random Airtel modem IPs]. The passwords for (and even the existence of) the other accounts are not revealed.

2. These accounts have their passwords set to the same simple, crackable [using JtR] value across _all_ modems. Worse yet, the passwords are available as JavaScript variables in clear text in the HTML UI for changing passwords. They are apparently there for user input validation (is the old password correct?). Using these passwords, one can log in as super-user on _any_ Airtel modem provided to subscribers.

3. All Airtel modems have their external login port (telnet) enabled. A telnet to the modem, after logging in, gives access to the internal (Linux) system shell, from where a malicious user (cracker) can change system configuration and modify/tap network traffic. Most subscribers are not technically inclined enough to even know what it means - far from being able to turn it off.

4. The modems also provide an interface for updating their firmware. The firmware image is readily available for download from Airtel's website, and many other websites. The firmware image consists of a Linux kernel, root file-system, configuration and (maybe) other binary blobs. There seems to be no security check on the firmware image's authority. It is easy to modify a firmware image and replace the root file-system with a malicious root file-system. Worse yet, the modified root file-system could effectively disable further firmware updates. A malicious firmware image could provide an attacker with complete access and control over the modem and the network traffic on the modem.

5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following attacks and/or more:
* use MITM attacks to capture encrypted data, including passwords, credit-card numbers and other confidential data
* inject malicious content into the network stream which can hijack the user's system [viruses, trojans, malware, bots]
* sniff, tap and monitor the network user and his/her actions online
* redirect user's traffic and subject the user to SPAM, Ads, or use DNS poisoning in inventive ways
* generate network traffic to launch DDoS attacks - effectively hijacking the user's internet connection and making them zombie bots
* redirect nefarious network activities through hijacked modems to make it difficult/impossible to track the attack source/origin, and carry out illegal activities. In such cases, the blame might go to an innocent Airtel subscriber as his/her IP would apparently be the source of the illegal activity.

There is no limit to the creativity of attackers once a vulnerability is available, so these are just my guesses. There may be other attacks possible. I believe the ones I have listed are bad enough.

6. The telnet / HTTP modem configuration interface provides user-identifiable content [phone number, ISP login and password].


I believe that the problems I have listed are serious enough to warrant some action from your side to protect your customers. I believe that sharing this information with you early has helped/will help you work out a strategy which you can use to close these problems. In the same spirit, I have given you over a month's time since my initial notification (of 30 days) and am giving you more time, till September 15, to address these problems in a manner that you see fit. I had tried to contact you in Feb on the same issue, but had not received any response.

One of the causes that has given urgency to this problem is that I have discovered people reporting this vulnerability in underground networks. It is only a matter of time before they stumble on the full problem and exploit it. By sharing this information with you, I am enabling you to close this issue early.

Thank you for your time.

Cheers,
Shishir



On Fri, Jul 25, 2008 at 9:32 PM, Shishir Birmiwal <shr@xxxxxxxxxxxx> wrote:

------------------------
This advisory is being provided to you under the policy documented at
http://www.wiretrip.net/rfp/policy.html. You are encouraged to read
this policy; however, in the interim, you have approximately 5 days to
respond to this initial email. This policy encourages open
communication, and I look forward to working with you on resolving the
problem detailed below.
-------------------------

Hello,

I have discovered a problem in the way accounts are setup in the
airtel issued modems (esp. in 220bx series of modems).
As a result of the problem, the modem can be hijacked by malicious
parties and the modems can be used as bots or for harvesting
personal/confidential information, tapping all internet usage,
spamming, (D)DoS, and launching MITM attacks, among other activities.
Essentially, the problem allows a remote network entity to log into
the modem and acquire root privilege. Once running as root, the entity
can intercept, monitor and change all internet traffic of the modem
user.

The security flaw deals with the way:
* account(s) are created
* default settings for remote access to the modem are set
* mechanism in which the passwords are protected/displayed to the user
* the way in which the password(s) are created/set for each modem

Due to the serious nature of the flaw, I would not like to divulge
more details to this broad list of people I have emailed. I will be more than
happy to give details if an appropriate/authorised entity emails back.
I would like to raise this concern and flag this to you in hopes that
you will be able to push out a firmware update patch to fix these
issues.

I intend to disclose this vulnerability online in 30 days. You have 5 days to
respond to this email, failing which, I will report this issue online in 5 days
from today.

Cheers,
Shishir
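The second item in the advisory (the "old password" check done in the browser, so every account's password is shipped to the client as a JavaScript string) is a pattern that can be checked for mechanically. The Python script below is an added example, not code from the advisory or from any Airtel/Bharti firmware: it extracts `<script>` bodies from a page, flags string assignments to credential-looking variable names, and contrasts that with the server-side verification that makes embedding the password unnecessary. The sample pages, variable names (`adminPwd`, `supportPwd`, `userPwd`) and values are constructed and hypothetical.

```python
"""Detect cleartext credentials embedded in a web UI's JavaScript, and show
the server-side check that makes embedding them unnecessary.

Added example. The pages below are CONSTRUCTED to resemble the kind of
password-change form described in the advisory; variable names and values
are hypothetical and do not come from any real modem firmware.
"""
import hashlib
import hmac
import os
import re
from html.parser import HTMLParser

# Constructed sample: the "is the old password correct?" check runs in the
# browser, so the stored password of every account is sent to any client
# that can load the page.
VULNERABLE_PAGE = """<html><head><title>Change Password</title>
<script type="text/javascript">
var curUser = "admin";
var adminPwd = "hypothetical-admin-pass";
var supportPwd = "hypothetical-support-pass";
var userPwd = 'hypothetical-user-pass';
var retryLimit = 3;
function check(form) {
  if (form.oldpass.value != adminPwd) { alert("Old password incorrect"); return false; }
  return true;
}
</script></head>
<body><form onsubmit="return check(this)">
Old password: <input type="password" name="oldpass"><br>
New password: <input type="password" name="newpass"><br>
<input type="submit" value="Apply">
</form></body></html>
"""

# Constructed sample of the same form after the fix: the browser only checks
# that both fields are filled in; the old password is verified on the server.
HARDENED_PAGE = """<html><head><title>Change Password</title>
<script type="text/javascript">
function check(form) {
  if (form.oldpass.value == "" || form.newpass.value == "") {
    alert("Both fields are required"); return false;
  }
  return true;
}
</script></head>
<body><form onsubmit="return check(this)" method="post" action="/passwd">
Old password: <input type="password" name="oldpass"><br>
New password: <input type="password" name="newpass"><br>
<input type="submit" value="Apply">
</form></body></html>
"""

# Variable names that suggest a credential, and JS string assignments.
CRED_NAME = re.compile(r"pass|pwd|passwd|secret|key", re.I)
JS_STRING_ASSIGN = re.compile(
    r"""(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=\s*(["'])(.*?)\2"""
)


class ScriptExtractor(HTMLParser):
    """Collects the body of every <script> element in the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def find_cleartext_credentials(html):
    """Return (variable, value) pairs for string assignments whose variable
    name looks credential-like. Inline event handler attributes are not scanned."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        for m in JS_STRING_ASSIGN.finditer(script):
            name, value = m.group(1), m.group(3)
            if CRED_NAME.search(name) and value:
                findings.append((name, value))
    return findings


PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Server-side: store a salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_old_password(submitted, salt, digest):
    """Server-side replacement for the client-side comparison: recompute the
    digest from the submitted value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for name, value in find_cleartext_credentials(VULNERABLE_PAGE):
        print(f"cleartext credential in page JavaScript: {name} = {value!r}")
    print("hardened page findings:", find_cleartext_credentials(HARDENED_PAGE))
```

Run against a page saved from a device's password-change form, the scan reports any string variable whose name contains pass, pwd, secret or key; an empty result does not prove the page is clean (credentials can also sit in hidden form fields or inline handlers), but a non-empty one is a definite finding. The hardened half is the design point: once the old password is checked on the server against a salted hash, there is nothing for the page to carry.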


