Buggy home routers expose O2 customers to hijacking

If you get your internet service from O2, there's a good chance Paul Mutton can remotely log in to your router and make configuration changes that surreptitiously allow him to access computers on your network. That's because the UK-based ISP offers its customers free customized routers that are vulnerable to CSRF, or cross- …

COMMENTS

This topic is closed for new posts.
  1. Nobody 2

    really?

    "If you get your internet service from O2, there's a good chance Paul Mutton can remotely log in to your router...."

    Bet he fscking can't...

    I do believe there's something fundamental missing here, and that's actually USING the O2-supplied router?!

    Nobody 2 - cos the Reg fucked up usernames and didn't bother to tell anybody

  2. Demosthenese

    Roll your own

    ZOMG!!! I'm with O2.

    However, I never took their router out of the box. It seems that for building routers, 'If a job's worth doing, it's worth doing yourself.'

  3. adnim

    Mitigation

    Telnet into your Be/O2 supplied TG585 and enter the following commands as administrator:

    service system ifdelete name=TELNET group=wan

    service system ifdelete name=FTP group=wan

    service system ifdelete name=HTTP group=wan

    service system ifdelete name=HTTPs group=wan

    service system ifdelete name=PING_RESPONDER group=wan

    save all

    This will remove the default services that are open on the web facing interface of the router and stop it responding to ping requests from the Internet.

    To reinstate any of these services change ifdelete to ifadd

    The command "user list" will list users of the system, I suggest removing all user accounts except administrator.

    for example:

    user delete name=tech

    user delete name=Betech

    After doing all this check your router against the shields up website.

    If you use wireless please use a nonsensical/non-dictionary word for your WPA2 key, elsewise a hacker may just own your router through the front door/via your LAN.

    If you really need remote access to your router specify an IP address or range for each service, for example:

    service system ifadd name HTTPs ip 192.168.1.21 192.168.1.30 192

    This takes effect immediately so be careful when doing this; be sure to add your current connecting IP address first. Be smart, don't just take my word for it, RTFM ;-)

  4. James R Grinter

    article says cross-site request forgery

    @adnim, disabling all those services facing the big, bad Interweb is irrelevant (though surely they don't leave all that enabled do they?), because a CSRF attack is all about tricking your web browser (already loaded up with credentials, or otherwise allowed to access your internal router) to do something on the attacker's behalf.

    The article doesn't actually explain what CSRF is but I'm assuming that CSRF is being correctly identified as the form of attack.

    A workaround, to mitigate (reduce but not remove) the risk until the vendor does whatever they need to do, is to change the address/network-space that your router allocates for its internal network address.

    That way, at least, the attacker's scatter-gun presumption that it's 192.168.1.1 will be wrong. (All bets are off if you're specifically targeted, there's a lot of ways in which the information can leak, other than in comments on news articles. Even your browser can be tricked into divulging at least its own internal IP address, so perhaps don't put your router at .1 either!)

  5. Havin_it

    What he said

    adnim nails it. Demon gave us one of these when upgrading to ADSL2+, I was shocked how many open WAN-facing ports it had. In my case I downloaded its config file ("Back up configuration") which is just a long INI-file, found the dodgy bits and snipped them out (with some help from the manual) then uploaded it back.

    I can see why ISPs like these because they are very hackable, but they've really dropped the ball on this one. I have often cited the router as a major security plus to my average-consumer chums (vs. direct connection to the WAN) -- that advice is going to have to be carefully qualified in future.

  6. Rab Sssss

    What I don't get is...

    What's with the picking on O2?

    If it's a flaw with the base 585 firmware then why not go after Thomson?

    And they only supply those 2 router types; what does he expect them to do, pop down to PC World and buy him another make, custom write the firmware then send it out to him?

    <pats his 780>

  7. Anonymous Coward

    Just the same as Be....

    The same sort of thing happened with Be (O2's subsidiary company) years ago. Same crap - Thomson routers with ports open all over the damn place just to make life easier for Be/O2 support. Its NOT a Thomson problem, BE and O2 specify the routers are delivered like this.

    Guess they're still just as dumb as ever.

    Oh and adnim has the correct solution. One which has been known about for a good 3+ years too....

  8. Anonymous Coward

    Rubbish routers anyway

    I'm with BE (owned by O2) and they use the same routers. They are rubbish; they overheat, and display an interesting set of bugs when using wireless and wired connections simultaneously (or the two different boxes that BE sent me did anyway), and regularly disconnect (and take ages to reconnect).

    Take my advice, put it in the cupboard when it arrives, and go and get yourself a Netgear or, well, anything that isn't a Thomson. Since I did that the service they provide has been impeccable and I haven't had to deal with their god-awful technical support any more....

  9. Alan Birtles

    Not surprised

    I helped set up my parents' router this weekend. I was only mildly surprised to see that it was using WEP by default. What was more surprising was that by default there is no username and password required to log in to the web interface!

  10. Anonymous Coward

    Other suppliers

    O2 are the only ADSL supplier to use these? PlusNet do too....!

  11. Paul Eagles

    @James R Grinter

    No, disabling the services isn't irrelevant. The CSRF attack relies on the management stuff on the router being available over the WAN interface. If they are disabled then there isn't actually anything to attack.

  12. rocklobster

    I think it's more their attitude

    It's more the fact that O2 couldn't have been less interested in the report if they had tried. Other ISPs have been in touch and are actively working with him. O2 just dismissed it repeatedly until the page was published and they couldn't ignore it...

  13. David Heydecker

    In the meantime...

    Having read the entire posting at http://www.jibble.org/o2-broadband-fail/ to try to get a little more technical insight and to assess the potential impact on my own router, there's a useful suggestion on how to mitigate the risk:

    "...mitigate the risk of attack by enabling authentication on their router's HTTP configuration interface (by default, the device lets you browse directly to http://192.168.1.254 without requiring a password)".

    Just to suggest the obvious, but perhaps ISPs (and end-users) might be warned of the inadvisability of leaving passwords blank. My ISP lists various security-related information, like WPA keys, on a custom sticker on the router itself. Perhaps a password might be configured and added to the sticker?

  14. Anomalous Cowherd

    Tiscali also vulnerable

    About 10 minutes prodding last night and I managed to do the same to my router - there's a hole in the TG585 big enough to drive a truck through. Contacting Tiscali now, let's see how long it takes to get to someone useful.

  15. Anonymous Coward

    @Rab

    The reason people aren't going after Thomson is that both Be and O2 supply the routers with their own custom firmware, not Thomson's generic one. The fact that Thomson's generic one is also probably exposed to this is largely irrelevant as you'll struggle to get one of those routers with the Thomson generic firmware on it. If O2 / Be have modified the firmware to make it "theirs" they should have plugged those holes.

    The worst thing about those routers is that they ship with an administrator account which actually doesn't have full rights to the box (no telnet access, for instance, so adnim's instructions on how to secure them are missing a fairly vital step). They also ship with a hidden SuperUser and O2Care account, with known passwords (google them) and listening for connections to admin them from the internet.

    So CSRF, while a valid attack vector, is largely a waste of effort considering you can just log into them from the internet with the known SuperUser password and do what you want.

    And @James, yes, they do leave those services exposed to the internet. Great, aren't they?

  16. adnim

    Points raised...

    I think James R has a point, I am no expert with CSRF, (If a CSRF attack is possible via the WAN interface, it is likely also possible via the LAN interface) but for this attack to work via a web page the attacker would have to know the LAN IP of the router. As James mentioned the default IP for these routers is easy to guess 192.168.0.1, 192.168.0.254 etc. It would be wise to change this default, it would be wise to change every other default setting on the router too.

    The account names and password for tech support access to the router are the SAME for every Be/O2 customer. These account names and passwords are public knowledge, and yes the ports I mentioned above are open on the WAN side by default. Anyone scanning an IP range that comes across one of these routers that are in use with the supplied default settings has admin access without any CSRF exploit.

    As Rab said, the problem with the CSRF vulnerability is the fault of Thomson and not Be/O2. However the router is supplied with default settings that are woefully insecure; this IS the fault of Be/O2.

    AC:Rubbish routers gives good advice, if you are not tech savvy and understand the shortcomings of this router, bin it and get another.

  17. Jason Bloomberg

    O2 not entirely to blame

    Don't know why O2 are being picked on when it's the default router configuration which is the problem. Okay, they could have told Thomson to deliver a customised version which was more locked down, but it seems many routers have this kind of problem. The Thomson is perhaps better than most because it can be reconfigured as 'adnim' suggests.

    I have a number of these routers ( not on ADSL, used just as WAPs ) and I've found them very capable and flexible, far more so than others. It does mean some effort in configuring them, and they do run darned hot, but so too do others.

    What is a pain on most routers is that WiFi is considered LAN so not possible to lock the administrative web portal to wired connections only.

    What O2 does have to take the blame for is crap and dismissive customer service. Palming off legitimate complaints and warnings until the secret's out and the shit hits the fan. But that's standard MO for Big Business, is it not ?

  18. Anonymous Coward

    @Jason

    If you use a few of these currently, are you able to get from your LAN boxes to other LAN boxes with no issues? I'm not. For instance, I have a ReadyNAS wired into the router. I could access it no problem from my wireless clients two days ago. Today I can't. Rebooted the ReadyNAS, still can't get to it. The page starts to load (loads the title portion of the HTML) then hangs.

    If I disconnect the ReadyNAS from the 585 and attach it to a Linksys WRT box with the same wireless config, for testing purposes, no problem at all.

    This is only one example of a LOT of similar LAN access problems I've had with this router. IMO they're a piece of shit, best thrown away.

  19. Anonymous Coward

    So a cheap router has bugs, boo bloody hoo

    I used to have a Thomson router courtesy of BT broadband. It had a habit of locking up occasionally. But now I have cable I don't use a router at all. I have my laptop connected directly to the cable modem, I have no virus or malware protection or firewall set up, I visit all sorts of websites with browser security at minimum and I've not once had any problems with hackers or viruses despite seeing shed loads of hack attempts coming down the line in tcpdump. But then I run Linux.

    /smug

  20. adnim

    after a chat on Be IRC

    As far as I am aware at this time... if an Administrator password is set, any attempt to exploit this flaw will result in a login box for the router being displayed. If you have a blank admin password, change it. If a login prompt for your router is displayed at any time unexpectedly, don't log in. This is exploitable from the Internet, and if you have a blank admin password or default support accounts enabled you are vulnerable.

  21. The First Dave

    @Paul Eagles

    Sorry, but the whole point of CSRF is that the attack comes from the INSIDE, so disabling external interfaces is prudent, but irrelevant.
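
Comments 4, 11 and 21 above disagree about whether closing the WAN-facing services stops a CSRF attack. The model below is an added example, not code from the thread or from Thomson: the paths, the "dmz" setting, the token scheme and the addresses are made up for illustration, and the only thing taken from the thread is the default LAN address 192.168.1.254. It shows a forged request sailing through a LAN-only source filter, because the victim's own browser on the LAN is what sends it, and the checks on the router side that actually refuse it.

```python
"""Toy router admin interface: why a WAN-side filter does not stop CSRF.

Added example. Nothing here is Thomson firmware; /cgi/dmz, the session and
CSRF-token scheme and every address are illustrative assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ROUTER_ORIGIN = "http://192.168.1.254"   # assumed LAN address of the admin UI
LAN_PREFIX = "192.168.1."                # assumed LAN subnet


@dataclass
class Request:
    method: str
    path: str
    client_ip: str                                          # source of the TCP connection
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Router:
    dmz_host: Optional[str] = None                          # illustrative setting an attacker wants set
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> per-session CSRF token

    def login(self) -> str:
        """Model the admin logging in; returns the session cookie value."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid


Handler = Callable[[Router, Request], int]


def from_lan(req: Request) -> bool:
    """The 'service system ifdelete ... group=wan' mitigation, modelled as a source filter."""
    return req.client_ip.startswith(LAN_PREFIX)


def apply_change(router: Router, req: Request) -> int:
    if req.method == "POST" and req.path == "/cgi/dmz":
        router.dmz_host = req.form.get("host")
        return 200
    return 404


def vulnerable_handle(router: Router, req: Request) -> int:
    """Default-like UI: no password, no origin check; only the LAN filter."""
    if not from_lan(req):
        return 403
    return apply_change(router, req)


def hardened_handle(router: Router, req: Request) -> int:
    """LAN filter plus login, Origin/Referer check and a per-session CSRF token."""
    if not from_lan(req):
        return 403
    token = router.sessions.get(req.cookies.get("session", ""))
    if token is None:
        return 401                                          # the login prompt adnim describes
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403                                          # request was initiated by another site
    if not hmac.compare_digest(req.form.get("csrf", ""), token):
        return 403                                          # form did not come from the real UI page
    return apply_change(router, req)


def forged_request(cookies: Dict[str, str]) -> Request:
    """What the victim's browser emits when a page on attacker.example auto-submits a form
    to the router: LAN source address, cookies attached, attacker's Origin, no token."""
    return Request("POST", "/cgi/dmz", client_ip="192.168.1.20",
                   headers={"Origin": "http://attacker.example"},
                   form={"host": "192.168.1.20"}, cookies=dict(cookies))


def run_csrf(handler: Handler) -> Tuple[int, Optional[str]]:
    """Victim is logged in (browser holds the cookie), then visits the attacker's page."""
    router = Router()
    sid = router.login()
    status = handler(router, forged_request({"session": sid}))
    return status, router.dmz_host


def run_legit(handler: Handler) -> Tuple[int, Optional[str]]:
    """The same change made from the router's own page, carrying the token it embeds."""
    router = Router()
    sid = router.login()
    req = Request("POST", "/cgi/dmz", client_ip="192.168.1.20",
                  headers={"Origin": ROUTER_ORIGIN},
                  form={"host": "192.168.1.30", "csrf": router.sessions[sid]},
                  cookies={"session": sid})
    return handler(router, req), router.dmz_host


def run_from_wan(handler: Handler) -> int:
    """A direct hit from the internet: this is all the WAN-side filter stops."""
    return handler(Router(), Request("POST", "/cgi/dmz", client_ip="203.0.113.7",
                                     form={"host": "192.168.1.20"}))


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        print(f"{name:10} forged={run_csrf(h)} legit={run_legit(h)} wan={run_from_wan(h)}")
```

The forged request is accepted by `vulnerable_handle` even though `from_lan` passes, which is the point comments 4 and 21 make. Two caveats for the hardened side: a 401 login prompt only helps while the browser holds no credentials, since browsers resend cached HTTP basic-auth credentials to the same origin without asking; and the Origin check depends on the browser sending the header, so a router should fail closed when it is absent, as this model does. Changing the router's LAN address (comment 4) only raises the guessing cost for the attacker; it does not change which side of the router the forged request arrives on.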

  22. Jason Bloomberg

    @ AC, Re @Jason

    Yes, I'm sure that worked in testing, everyone could see everyone else. AFAIR each was set to DHCP on a different subset of 10.0.0.x and all connected to the same cable ( ie, dumb hub ). Another cable to web server also with a 10.0.0.x IP. Was just a captive portal for playing with.

  23. Anonymous Coward

    Hmmmm...

    So if you've changed the default IP for the router (and actually deleted it rather than just add a new one) and you've gone into user management and set a user name and a password then this doesn't work.

    Isn't this rather like saying that front doors supplied by Wickes are a security risk if you leave them unlocked because they didn't specifically tell you to fit a lock?

  24. Anomalous Cowherd

    @adnim

    First, trawling the 192.168.0/24 range is pretty quick, and if you bolt 168.1 and 168.2 on you're hitting 99% of setups with only 768 tests. You can do this in a few seconds. When was the last time you saw a router in the 172.16/16 or 10/8 range?

    Second, at least the Tiscali firmware answers to a pseudo-domain name in the ".lan" domain, and I'd expect many modern routers to answer to a zeroconf ".local" address. So in many cases there's no need to guess IP addresses at all.

    Incidentally I've had a chat with Paul who found the original issue and the Tiscali problem is a new one, although I suspect closely related. Sounds like open season on the TG585 at the moment.

  25. Anonymous Coward

    More than one Bath

    "a security researcher located near the UK's Bath"

    I'd like to point out that the UK has at least two Baths and a minimum of one shower to every four houses.

  26. Yorkshirepudding

    failboat

    I'm getting my O2 installed tomorrow. My O2 wireless box 2 will be used briefly to check the service is OK, then I'm whipping out a Linksys WAG354G because it looks better, is smaller, stands on its side and doesn't have this sort of problem.

    afaik lol

    Pint for the fact I pay less

  27. adnim

    @Anomalous Cowherd

    Router address change: point taken.

    I cannot connect to my TG585 using a pseudo-domain name although the documentation states I should be able to.

    As I mentioned simply setting an Administrator password nullifies the attack to the point that user intervention is required for the attack to be successful. Providing that is, the default support accounts are removed.

  28. Tom 106

    Tiscali and TG585

    Tiscali provide the TG585 to their customers, and have been notified but it would appear that they are ignoring the issue. Shame on Tiscali.

  29. Anonymous Coward

    Need help

    So I've tried to follow adnim's instructions above, but the Administrator user doesn't have permissions to delete the tech and BeTech users. Any advice on how to get around that?

  30. Tom 106

    Update on Tiscali and the TG585

    On contacting the Tiscali Technical Assistance team regarding this matter, they responded with the following:

    "I would like to mention that the router is an electronic device that is powered with an external power supply. However, the Thomson Router TG585 does not have vulnerability issues."

    Have Tiscali got this right? Well, I guess the only way I'm going to find that out is by contacting Thomson to see what they say.

  31. adnim

    @AC:Need Help

    My oversight sorry.

    Save the configuration file user.ini by navigating to

    Configuration>Backup & Restore

    click the "Backup Configuration Now" button and save user.ini

    Open user.ini in Notepad or a similar text editor, search for the [ mlpuser.ini ] section and add "role=root" (without quotes) to the end of the line for the account you use to administer the router.

    for example

    [ mlpuser.ini ]

    add name=Administrator password=_CYP_<xxx-hash_removed-xxx> role=root

    Save the file and upload it to the router by clicking the "Restore Configuration Now" button on the same page you saved it from, after using the Browse... button to select your edited user.ini file.

    Telnet into the router using the changed account. You now have full root access to the device and can do ANYTHING to the system. I will not be held responsible if you brick your router, although a factory reset or firmware reflash should sort it out if you do accidentally make bad changes.

  32. doveman

    @adnim

    Thanks for the guide but my ini file shows

    add name=Administrator password=_CYP_<hash removed> role=Administrator hash2=72db35e064da4d2eb3b9207ab91cde33 defuser=enabled

    should I just change the role=Administrator to role=root?

    Is it worth removing these lines for the other accounts as well?

    add name=tech

    add name=BeTech
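
The user.ini procedure in comment 31, and doveman's two questions in comment 32, are easy to get wrong by hand in a file that has to be restored to the router verbatim. The script below is an added example, not part of the thread and not Thomson tooling: it audits a backed-up user.ini for the problems the thread names (admin account without role=root, the shared-password support accounts tech and BeTech, blank passwords) and writes the edited copy. Only the [ mlpuser.ini ] layout shown above is taken from the thread; the sample file, its hashes, the other section names and the support accounts' attributes are constructed placeholders. Dropping the `add name=tech` lines is offered as an option, but nothing on the page confirms that restoring a file without them deletes the accounts, so treat that as an assumption to verify with `user list` over telnet afterwards.

```python
"""Offline audit and edit of a Thomson TG585 backup file (user.ini).

Added example. Only the '[ mlpuser.ini ]' layout comes from the thread;
the sample below is constructed and every hash is a placeholder.
"""
import re
from typing import Dict, Iterable, List

SAMPLE_USER_INI = """\
[ env.ini ]
set var=PLACEHOLDER value=constructed
[ mlpuser.ini ]
add name=Administrator password=_CYP_0123456789abcdef role=Administrator hash2=72db35e064da4d2eb3b9207ab91cde33 defuser=enabled
add name=tech password=_CYP_fedcba9876543210 role=Placeholder
add name=BeTech password=_CYP_00ff00ff00ff00ff role=Placeholder
[ other.ini ]
add name=constructed
"""

# ISP support accounts named in the thread; their passwords are shared by every customer.
KNOWN_SUPPORT_ACCOUNTS = frozenset({"tech", "BeTech"})

SECTION_RE = re.compile(r"^\[\s*(?P<name>[^\]]+?)\s*\]$")


def parse_add_line(line: str) -> Dict[str, str]:
    """Turn 'add name=X password=Y role=Z' into an ordered dict of fields."""
    fields: Dict[str, str] = {}
    for token in line.split()[1:]:              # skip the leading 'add'
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def list_users(text: str) -> Dict[str, Dict[str, str]]:
    """Accounts in [ mlpuser.ini ] keyed by name; the offline equivalent of 'user list'."""
    users: Dict[str, Dict[str, str]] = {}
    in_users = False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            in_users = m.group("name") == "mlpuser.ini"
        elif in_users and line.startswith("add "):
            fields = parse_add_line(line)
            users[fields["name"]] = fields
    return users


def audit_users(text: str, admin: str = "Administrator") -> List[str]:
    """Findings to clear before trusting the box; empty list means nothing flagged."""
    findings: List[str] = []
    users = list_users(text)
    if admin not in users:
        findings.append(f"no account named {admin!r}")
    elif users[admin].get("role") != "root":
        findings.append(f"{admin} has role={users[admin].get('role', '<none>')!r}, not root: "
                        "telnet 'user delete' will be refused")
    for name, fields in users.items():
        if name in KNOWN_SUPPORT_ACCOUNTS:
            findings.append(f"ISP support account {name!r} present (shared password)")
        if not fields.get("password"):
            findings.append(f"account {name!r} has a blank password")
    return findings


def harden(text: str, admin: str = "Administrator",
           remove: Iterable[str] = KNOWN_SUPPORT_ACCOUNTS) -> str:
    """Return a new user.ini with `admin` promoted to role=root and the `remove`
    accounts dropped from [ mlpuser.ini ]. Every other line is copied unchanged so the
    restore sees the file it expects."""
    drop = set(remove)
    out: List[str] = []
    in_users = False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            in_users = m.group("name") == "mlpuser.ini"
        elif in_users and line.startswith("add "):
            fields = parse_add_line(line)
            if fields.get("name") in drop:
                continue                        # assumption: a missing line means a deleted account
            if fields.get("name") == admin:
                fields["role"] = "root"         # the edit comment 31 describes
                line = "add " + " ".join(f"{k}={v}" for k, v in fields.items())
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USER_INI):
        print("before:", finding)
    fixed = harden(SAMPLE_USER_INI)
    print("after :", audit_users(fixed) or "nothing flagged")
    print(fixed)
```

Run it against a real backup by reading the file into `audit_users` first; only after the findings make sense should you write `harden()`'s output back and restore it. A factory reset or firmware reflash remains the recovery path if the restored file is rejected, as comment 31 notes.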

  33. Simon B

    Good and bad

    Good that O2 are automatically fixing the issue and not relying on customers to fix it! Shame it took naming and shaming to get them off THEIR arses to do it in the 1st place.


Biting the hand that feeds IT © 1998–2022