back to article ISP popped router ports, saving customers the trouble of making themselves hackable

Singaporean broadband subscribers were left vulnerable to attackers after their ISP opened remote access ports on their gigabit modems and forgot to close them. The discovery was made by NewSky Security researcher Ankit Anubhav, who used Shodan to scan for SingTel routers open on port 10,000 – the default Network Data …

  1. Long John Brass
    Coat

    Only an id10t...

    What kind of idiot would...

    Wait a sec, lemme check something...

    *clickity* *click* Hmmmm *clickity* *clack*; Nope; Yes we're good Phew!

    Only a damned fool would leave a debugging port open after the work is finished

    1. Yet Another Anonymous coward Silver badge

      Re: Only an id10t...

      But since this is Singapore the resolution is to post a notice saying "It is forbidden to hack routers with open port 10,000"

      1. sanmigueelbeer Silver badge

        Re: Only an id10t...

        Say what you want about Singaporeans, however, the vulnerability was fixed very quickly.

        1. Chronos

          Re: Only an id10t...

          The point is the vulnerability shouldn't have been there in the first place. More proof, were such needed, that using an ISP supplied router is tantamount to giving them your house keys.

          Pray tell, how was this port opened in the first place and, more importantly, how did the ISP close it without a backdoor?

          1. Dan 55 Silver badge

            Re: Only an id10t...

            Pray tell, how was this port opened in the first place and, more importantly, how did the ISP close it without a backdoor?

            TR-069

            You might be able to go to the router's webadmin page and turn it off, however some ISPs set things up on the router so you can't. Lots of potential for fun because the port your ISP uses for TR-069 is bound to become public knowledge, the ISP might not have shut everyone from outside their network out because they're clueless like that, and then you have every botnet around banging on that port for that ISP and something's bound to give.

            1. Christian Berger

              TR-069

              Well that's actually a widely exploited vector. If you hear about "Millions of Routers becoming part of a botnet", that's usually a flaw in the TR-069 implementation. It's just far to complex to be implemented correctly by BSP-reskinners.

              1. Chronos
                Pint

                Re: TR-069

                BSP-reskinners

                I'm having that phrase. Take generic chipset, slap some logos into fs/overlay/www/images and put pink feet and some flashing lights on it.

                Have a beer.

          2. Robert Helpmann??
            Childcatcher

            Re: Only an id10t...

            The point is the vulnerability shouldn't have been there in the first place.

            I respectfully disagree with you here. I cannot think of a single IT outfit that hasn't screwed things up royally at some point. It's going to happen. What I am more concerned with is how it is handled. While we do not have all the details on this, it seems to have been dealt with appropriately once it was made known to the ISP.

            1. Jamie Jones Silver badge

              Re: Only an id10t...

              The point is the vulnerability shouldn't have been there in the first place.
              I respectfully disagree with you here. I cannot think of a single IT outfit that hasn't screwed things up royally at some point.

              I agree with Chronos (the original poster). Sure, everyone screws up, but that's not the same thing as intentionally having an open port. It's not just a mistake in forgetting to close it, it should never exist - someone could exploit it any time it's open, and it also implies no encryption on the connection.

              If they need some access, it should always be encrypted and password/key protected.. There should never be a case of a vulnerability just because they forgot to close it.

          3. cmaurand

            Re: Only an id10t...

            "Pray tell, how was this port opened in the first place and, more importantly, how did the ISP close it without a backdoor?"

            if it's actual telco equipment, they can do it by SS7 out of band management.

    2. Aitor 1

      Re: Only an id10t...

      Worse still, packets to that port should be filtered at network level unless they come from their router management team. Otherwise there is a window of opportunity to pawn, and scripts WILL get them.

  2. Doctor_Wibble
    Stop

    Mass probing services

    I think this is the only time I've seen these used correctly - i.e. for a specific test that then results in something actually being done to resolve it rather than completely ignoring the end users who are the ones who end up having to pick up the pieces, possibly with the privilege of paying for them too.

    This does not change my opinion that the primary 'benefit' of these services is to enable rapid botnet deployment and mass hacks.

  3. onefang
    Coat

    Many years ago I was at the airport, with my friend who was off for a holiday in Singapore. Singapore government had a guy there that was checking if all people on the way to their country where "suitable". I had a bit of a chat with him. Apparently I would have been turned back had I attempted to go there, due to my unix beard.

    That'll be why they have this sort of technical problem, lack of proper beards.

    I'll get my coat, though it wont cover my beard.

  4. elvisimprsntr

    An example why I don't use ISP provided hardware.

    1. asdf

      amen

      Yep even have LEDE on my DSL modem but alas did have to find a dsl binary blob from a reputable source as the one that comes with LEDE is garbage for my model. Still beats trusting my ISP and their fail hardware for sure.

  5. steviebuk Silver badge

    This is why I feel....

    ...I'm justified in paying a bit of money to buy my own quality router instead of using the ones provided by ISPs. I've done that for years. In the new house, that will be the excuse for wasting over £200 on one. Can't use my old one as the new place will have fibre.

    1. Anonymous Custard Silver badge
      Trollface

      Re: This is why I feel....

      Just done the same myself (my Fritz!Box 7590 should be arriving sometime between tomorrow and the end of the week, whilst my faithful old D6200 goes to have a rest in the attic after many years faithful service (as it's only ADSL and can't do VDSL).

      The fact that my ISP supplied router is a £35 POC that doesn't even have gigabit Ethernet ports being part of it, and also the fact that I can't firmware upgrade it myself (and the supplied firmware is known to be buggy), plus to cap it all off even after a full factory reset they can't connect to the damn thing either to do it for me. And they've even seemingly locked it out of useful stuff like being able to change the DNS or put it into modem-only mode to daisy-chain it to the D6200.

      Given they can't do the one thing that would be required, time to go self-administered and get some decent kit in place.

      1. LeahroyNake

        Re: This is why I feel....

        I have a 'spare' FritzBox supplied by Xen internet. Unfortunately they have taken some features out / it can't be used in bridged modem only mode grrr.

        Thankfully the Draytek 130 VDSL is not that expensive and just does as it's told !

        1. AMBxx Silver badge
          Thumb Up

          Re: This is why I feel....

          I have the older Fritzbox 7490. Very nice piece of kit. When an update caused a problem with just one VOIP provider, they were very responsive, took all the logs and included the solution in the next update.

          From my perspective, all that's missing the ability to see which PC is using all the bandwidth. They like the idea though and are planning to add it in the future.

          I just wish their central heating controllers were cheaper.

        2. Christian Berger

          Re: This is why I feel....

          "Unfortunately they have taken some features out / it can't be used in bridged modem only mode grrr."

          As far as I can tell, they have fixed that in newer versions.

  6. adam payne

    ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed.

    So I take it your putting a process in place that will make sure that your tech support team check before they disconnect.

    Surely that's standard best practice?

  7. Anonymous Custard Silver badge
    Joke

    How many people...?

    ...were surprised it was SingTel not TalkTalk?

    1. Anonymous Coward
      Anonymous Coward

      Re: How many people...?

      "...were surprised it was SingTel not TalkTalk?"

      It just means TalkTalk are better at keeping things like this secret !!!!

      (Lots of practice to get it right ..... hiding stuff NOT Administration of their network :) )

    2. Korev Silver badge
      Joke

      Re: How many people...?

      Would Dido SingTel?

    3. Velv
      Coat

      Re: How many people...?

      Not surprised in the slightest that it wasn’t TalkTalk, they don’t bother trying to fix faults in the first place.

  8. Aodhhan

    This is what happens when you hire individuals to do information security and networking with nothing but a bit of schooling behind them.

    I also pin this on management, who obviously do not have proper change management + testing policies and procedures being enforced.

    1. Fading
      Coat

      Soon to appear...

      In a Monday El Reg - Who Me? article......

  9. Cynic_999 Silver badge

    Ultra-efficiet

    They are to be commended for not closing the port so that they don't have to waste time re-opening it when the next bug is reported. Same reason that I never put tools back in the tool box.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021