Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug

Security Issues For Many Alcatel DSL Modems 114

gle was one of many readers to write about an interesting security problem: "If you own an Alcatel DSL modem, you will be interrested to know that virtually anybody on the planet is probably able to reconfigure you modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun. Lack of proper authentification, and various back-doors have been pointed out amongst various design flaws. The man who discovered this is Tsutomu Shimomura, who got famous at getting Kevin Mitnick arrested. Alcatel claims 36% share of the DSL market, with more than 1.7 million units installed ..." So if you have DSL, you might want to check the label on the side of the modem about now.
This discussion has been archived. No new comments can be posted.

Security Issues For Many Alcatel DSL modems

Comments Filter:
  • by Anonymous Coward
    On that note, what ways are there to secure a Cisco 675? I've been searching the net for a way to disable telnet on the external interface without locking myself out on the inside as well. Is there any reason to be this cautious, or am I just paranoid?

    .forsight
  • by Anonymous Coward on Wednesday April 11, 2001 @06:40AM (#299328)
    I'm Renaud Deraison (no slashdot account, sorry) I did not discover anything. I just pointed out that Alcatel modems are passwordless by default. Shimomura extends that by saying that even if you set a password, it can be bypassed. But you have to be able to directly connect to the modem to exploit that, that is, you need to either be the ISP of your target, or have control on a host on the target's lan.
  • Good. Takedown is horribly innaccurate.
  • If you have a speedstream 5260 it looks like the innards are from Alcatel. More info here. [efficient.com]

    That's the model Sympatico just gave me last week.

    Fuck.

    G
  • Damn, it's good to see a Blake's 7 .sig

    I worshiped Avon when I was 12. Still have my square logic cubes sitting next to my monitor - it's amazing how effective they can be for problem solving.

    Don Negro

  • (logic cubes? were those the little blocks that he used with different words on them and rearranged them randomly to try and figure out a problem that seemed to have no answer?:)

    Yep.

    Don Negro

  • >what were they thinking?


    "All your modems are belong to us" . . .


    [duck]


    hawk

  • Americans don't bash french products for not being american, but for being french. We have a long history of mocking the french. I'd say it came from the brits, but we mock them, too (when we can't find any french to mock :). I think it's because they do so much of the work for us (eating snails, the National Commision on Linguistic Purity, the silly notion that french is still the dominant international language [OK, it's currently a step ahead of latin . . .])


    hawk, shuddering at the notion that someone might take this seriously

  • Go read the Security Advisory...

    I did, long before it made it to /.

    This attack is available over IP. Don't need inside access. Don't need to crack any of your boxes inside. Just need the IP of your DSL modem and some spoofing.

    Good luck trying that. Since you need to access the LAN via the VPN tunnel your UDP packets get blocked right there in the INPUT chain. Spoofing is also easily detected. Also if you read the advisory correctly you wouldn't even need the exact IP address of the modem. That is of course if your ECHO packets manage to get past the firewall, again, good luck trying...

    While the security issues are grave, they are not as easily exploitable, and with proper care a non-issue. I noticed Alcatel's stupidity the first day I got my modem, open telnet to the settings menu. Wish I had made some real noise back then, I could have become a "l33t security expert" ;-)

    -adnans
  • by Adnans ( 2862 ) on Wednesday April 11, 2001 @05:24AM (#299336) Homepage Journal
    If you own an Alcatel DSL modem, you will be interrested to know that virtually anybody on the planet is probably able to reconfigure you modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun.

    This is mostly bullshit! First you'd have to gain access to the computer or network the Alcatel modem is on. And for that you'd have to gain root. The only outside attacks possible are out of your hands anyway (someone will need to tap your phoneline or break into your telco provider).

    However, the default security setting of the Alcatel modem IS pathetic in the sense that it has an open frontdoor!

    Some things you need to take care of:
    • Change the default IP address. Not very helpful, but it's better than the 10.0.0.138 default everyone knows.
    • Set a password!
    • Block all non-essential traffic to the modem. That means blocking FTP, TELNET, TFTP and HTTP when not configuring the modem. Configuration is only needed once. Not blocking this traffic means anyone can still gain access through the "EXPERT" login.
    • The above point means you cannot safely attach your Alcatel modem to a firewall-impaired HUB.
    • Bug Alcatel / your DSL provider about this!

    The most disturbing flaw is the fact that IF someone gains access to your modem they can render it unusable, requiring hardware replacement :(

    -adnans (blessed/cursed with one of these)
  • We're all very happy for you. Smoke a phatty for me.
  • I work for BT Openworld, and I have alerted some of the technical types about the possibility of a problem.

  • Check out this file.

    I got a user's manual with my ADSL 1000, which includes, err, umm, a discussion of the Web interface to it; as I remember, it even mentioned the 10.0.0.138 IP address. Maybe Sasktel weren't as nice as Pac Bell in that regard (or maybe he didn't check out the box the modem came in).

    The manual didn't discuss the Telnet UI, though.

  • I'm thinking it's so they can update it from their offices whenever they please,

    ...which I rather suspect they do using some non-IP protocol running, for example, atop ATM.

  • (xDSL is an Alcatel technology)

    I assume you mean "ADSL" rather than "xDSL", as there are several technologies to which the term "xDSL" refers (HDSL, SDSL, and ADSL, for example), many of which appear to have in common only the fact that they send Digital signals over the Subscriber Line.

    Could you please cite some references to support the assertion that "ADSL is an Alcatel technology", or explain what you mean by "ADSL is an Alcatel technology" if you don't mean to imply that Alcatel invented ADSL? I have seen, in several places (admittedly, the ones I found were all from companies in the USA, so perhaps they're all part of the plot to discredit Alcatel), claims that, in fact, ADSL was originally conceived by Bellcore, and, in this Texas Instruments application report [ti.com] (see section B.3. "History of ADSL standards"), a claim that "the DMT line-coding technique was developed around 1987 as a result of the research performed by Professor John M. Cioffi at Stanford University".

    Perhaps Alcatel is the main manufacturer of ADSL equipment, and they may have contributed a lot to the development of ADSL technology, but I've yet to see any indication that they invented ADSL, or even DMT, so it does not appear to be an "Alcatel technology" in the sense that they are the originators of ADSL.

    This story is only an attempt to break the image of company in USA. In fact all that thing was cleverly prepared : the "hacker" that discovered it made a public advertisement whereas, for security, usually people who found security holes are asked to contact the company first in order to avoid crackers take advantage of the information. Moreover he contacted some friends and the media even before the post on the Internet.

    Indeed? Are you asserting that this is part of some plot by competitors to discredit Alcatel? If so, do you have any evidence to support that assertion? (There wasn't anything in the transfert article making any such claim.)

  • Yeah - cable modums have way l33t3R seKuriT dewd.

    At least someone has to hack yer DSL modem - Cable modem is just a distributed E-net. Anyone on your node (ie your neighborhood) and see what anyone else is looking at just be asking to.

    Hope yer not surfin' any pr0n you don't want they guy down the street knowin' about. Or doing anything sensitive from work at home...

    =tkk

  • by malkavian ( 9512 ) on Wednesday April 11, 2001 @04:52AM (#299343)
    All I can say is 'Ouch!'.
    I'm damn glad I've got a cable modem, which doesn't seem to be doing all this crazy stuff.
    I find it rather perturbing that anybody in their right mind these days could leave an unauthenticated TFTP server running, with permissions to overwrite a password.
    Even if it is 'supposed' to be run from the LAN side of the device.
    Backdooring is also very very evil. All it takes is for one black hat to acquire the cryptovariables and algorithm, then it's script kiddie heaven!
    Alcatel, being one of the major telecoms providers, I'd have thought would be a little more careful about the production and security of their devices. It's not as if it'd break their bank hiring a few good security consultants to go over their device before selling it. Lawsuits that may ensue due to their negligence in correctly allowing security configuration of the device may seriously damage it though.
    All this in mind, having a device with this lax security on it is a contravention of most ISPs TOS. I know I'd get thrown off in an instant if I had a machine this insecure on my cable!
    Again, it looks like a victory for the beancounters (we can shave a few grand off the development costs by not hiring security consultants, and that'll make this department look nicer on the profit side. Who cares abbout the other departments who have to cope with the flak later).
    I think I'l just say I've very disappointed with a company of this standing to have procedures this lax, and leave it at that.

    Cheers,

    Malk
  • At least, they call Shimomura a "hacker"... :) :) :)

    --

  • IntlHarvester wrote:
    Is this only a problem in PPTP mode or something?

    IANABT (I Am Not A Broadband Technician), but I'd guess that it's mostly an issue for folks running PPPoE and such where the Alcatel unit itself has an IP address. I've lucked out with my DSL provider (HellSouth - er, BellSouth to those not familiar with 'em ;) and managed to keep mine running as a bridge so far (easier to deal with under Linux - no messing with the extra overhead PPPoE adds on).

  • one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.

    This Alcatel really sucks if you can't even do that.


    Oh, yeah; whereas Cisco never leaves wide-open back doors in their products [cisco.com].

    -
  • The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.

    Well, *IF* you're not running a firewall, there's supposedly some reflection attacks they can do off you, but if you're not running a firewall you're in way worse shape than just this vulnerability.

    -
  • About all the people who say they love that they have cable, me too! :)

    It's also interesting to seem some of the more capable /. talk about how they took over the router :)



    ---
  • I'm curious about that -- I have the older model (1000ADSL) in a similar configuration as you with a fixed IP. Can't get the thing to answer to telnet even if I take the firewall/router out of the way.

    Is this only a problem in PPTP mode or something?
    --
  • Umm, most anyone in the loop for DSL and Cablemodem security (and hacking) knew of this for a long time. Heck, the old RCA cablemodems had a backdoor that would allow the changing of the MAC address.

    this is old news, and was not "discovered" by mr "kevin catcher"... leaked maybe...

  • acutally, this isn't quite true per my last understanding...

    unless i've missed a great deal of information, the motorola cybersurfers that time warner hands out have domaining that disallows you (without some type of administrative control over the cable modem) to receive frames destined for any other serial number of modem. basically their encapsulation is loosely encrypted (i doubt it's actually secure).

    the reason i mention this is that you said "anyone" which i don't believe is accurate... someone SKILLED, yes, ANYONE, no. :)

    i.e. their promiscuous mode doesn't appear to be able to be enabled without some "inside knowledge".

    is my information aged?

    (i only see broadcasts to *ALL* MAC addresses (i.e. destination MAC of FF:FF:FF:FF:FF:FF, and to my specific MAC address of my firewall's external ethernet interface)

    cheers.

    Peter
  • hear hear.

    bellsouth is satan. i hate them with a passion that burns hotter than the sun. may their assets turn to dust and their board of directors be banished back to the pit from whence they came...

    honestly, i'm not joking... a bunch of filty fucks, all of them.

    my $0.25
    -k
  • I read the whole thing. One of the threads running through it was "How I seduced this woman away from her man."
  • As this is the modem that BT insist you use for the residential service.

    Strange how this was noticed not long after Alcatel released proprietary drivers for Linux...
  • A few notes on your mini-screed:

    Either it is no big deal and no security furor need transpire, OR he should have gone to Alcatel. You can't argue both, OK?

    As it turns out, he DID contact Alcatel, and they rebuffed him, even denying (among other things) that the expert mode code existed in the product. That was obviously false, as a technical manual (previously available from Alcatel's Russian site) mentioned it, and it is present in plaintext when the code was disassembled.

    "..decided he could make some quick bucks" How is he making quick bucks from this? If anything, it is a major-ass headache to have your phone ringing off the hook 24/7 and explaining things over and over to journalists. He is not going to start consulting more often or write a book, "DSL Takedown" about it (I fervently hope).
  • This story looks like:
    Alcatel == French
    Alcatel != USA
    So lets bash french products!

    Like if Cisco products dont have the same features of the Remote Control Class.

  • There *is* a block preventing firmware updates on the external port. It is possible to disable this block but, obviously, only from the LAN port.
    The entire 'vulnerability' is based on the rather farout presumption, that there is an ECHO server on the local LAN that the wannabe haxor can 'just' compromise and use to attack the ADSL modem.

    /pah
  • by wiredog ( 43288 ) on Wednesday April 11, 2001 @05:01AM (#299358) Journal
    Alcatel told zdnet [zdnet.com] the remote update is "a feature that is intended to allow communications service providers to remotely upgrade the software within their customers' modems."
  • Regular IOS access lists, assuming the 675 runs IOS in the same way the 80x dial-up boxen do.

    I have an 803 at home for dial-up (ISDN), and it's the same interface / config as everything else, right up to a GSR - one reason I like Cisco.

    Regards,
    Tim.
  • by anticypher ( 48312 ) <anticypherNO@SPAMgmail.com> on Wednesday April 11, 2001 @06:36AM (#299360) Homepage
    I just used up all my moderator points, or I'd up this comment.

    Renaud Deraison is known in french security circles for his nessus scanner, a program similar to nmap. He published his findings at the end of last year, but it wasn't widely trumpeted at the time. Shimomura is a publicity whore who copied Deraison's comments (probably used the fish, the grammar follows the same butchering) and claimed the discovery as his own. A few days ago, there was a press release going around touting Shimomura's discovery, not a CERT advisory, just a press release from the San Diego Super Computer Research Center.

    The french paper Le Liberation [liberation.fr] ran a story [liberation.fr] filled with horror but little detail. Some of the claims are ridiculous, such as how someone who cracks the modem has unlimited access to every file on all the computers behind it, and how any machine on the internet can access the modems which sit on unaddressable IP addresses (the 10.x.x.x private IPs from RFC 1918)

    Today Le Libe is running a follow up story [liberation.fr] where Alcatel denies the backdoors were placed intentionally, and claims there is a security program installed on the modems to prevent cracking by unauthorised persons.

    I have a Speed Touch Home modem, and I've played with these backdoors. In /. speak, they are a number of IP services, the "simple" services (echo, chargen, etc), an HTTP server, an FTP server, a telnet server, and a TFTP server. The modem has a simple internal file system, and if you know the names of the files, you can copy them or overwrite them with TFTP. If you connect with telnet (or FTP), it presents you with the MAC address of the modem, and asks for a password, which is a simple hash of the MAC address. Deraison either intercepted his provider connecting and reverse engineered the hash, or he had access to some engineering docs at an ISP, or played around and figured it out. Either way, an impressive hack, in the good sense of the word.

    Since the modem uses "private" IP addresses, and access is limited to the local LAN or from the DSLAM, he didn't consider this to be a big problem. The modems typically sit on the DSLAMs private address range, and only connect the users computer to the BAS using PPoE or PPPoA, and can't really generate traffic to the internet. To gain access to the modems, you would either have to crack the DSLAM, crack the users computer, be on the same DSLAM (and thus same subnet) as the target, or intercept the copper wires and play DSLAM. Of these scenari, only cracking a computer on the LAN behind the modem would be possible from the internet at large, and if you can do that, why bother with a stupid little DSL modem?

    I agree with Betcour (and a large crowd on fr.comp.securite) on this, Shimomura is tooting his own horn because his bank account is empty after Cybertraque flopped at the cinema. Did Takedown ever open in the U.S.? If it didn't, count your blessings, it was bad, not Ed Wood bad, just unredeemably bad.

    the AC
  • by Steve G Swine ( 49788 ) on Wednesday April 11, 2001 @06:12AM (#299361) Journal
    Lack of proper authentification...

    That's authentimacation , thank you very much.

    Homer
  • by Betcour ( 50623 ) on Wednesday April 11, 2001 @05:20AM (#299362)
    According to the Webzine transfert.net, this is just a PR stunt from Shimomura. The thing was discovered in november 2000 by Renaud Deraison, who makes the Nessus security checking program. This is a very minor problem, as only someone able to spoof IP 10.0.0.138 can try to use the exploit. Deraison updated his Nessus program to check for the flaw but didn't make a securitu alert because he didn't think it was worth it.

    Now Shimomura, 4 months later, decided he could make some quick bucks with the idea and told about it to a few people, then to the press and CERT. A normal security alert goes to the manufacturer first (to give him a chance to make a patch) and then to the CERT. Obviously Shimomura is a lamer trying to claim his someone else work and make some fame out of a minor event and the medias ignorance.
  • 2001-04-10 11:17:17 Alcatel SpeedTouch ADSL modems have backdoor (articles,Privacy) (rejected)
  • Last month or so, I telnetted into my Alcatel modem. (10.0.0.128, I think?) Anyways, I had read the PDF manual I had found.

    So, poking around, I made a typo. No biggie, right?

    I reset the modem. Uh-oh. No 'net. Damn, I hope I didn't break it. Look at the clock. It was 2:23AM. Okay, keep trying for a while.

    Damn, still doesn't work. Call a fried. Nope, she can't connect either. UH-OH.

    Call Sympatico(my provider). Having troubles? I ask. Yup, they are. Uh-oh. Well, could you tell me the *exact* time the trouble started? "Sorry sir, I don't know," the first-line techie responds. "Okay, mind if I speak to an engineer? Thanks :)" I say.

    Anyways, to make a long story short, the problems started at around 2:19:23AM. Pretty much the exact time I made that typo. Coincidence? Possibly.

    I probably shouldn't be posting this to Slashdot ...

    (Oh, yeah, this is an Alcatel modem ;)

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
  • In France, people that use Alcatel ADSL modem are mostly people that have a Netissimo (the ADSL connection provided by our monopolistic phone company) that use PPTP authentication and Ethernet connection (they now have an offer with USB modem whose I'm not familiar with). This is what early customers had. BTW, PPTP as implemented with the modem was buggy and required to modify the PPTP software on the customer computer to work (Windows was buggy enough to not require any change).

    Now, France Telecom (the only ADSL operator for home and SOHO) is deploying PPPoE on new POPs, so people (like me) get ECI modems instead of Alcatel.

  • ...there aren't that many devices around shaped like a manta ray!
  • ORCKIT DSL modem, telnet 10.0.0.138 , default password - "password"

    Oh, how lame :-)
  • Is there any info on Newbridge MainStreet Xpress ADSL modems? I was told by the tech who installed my modem to leave it on so that they could do firmware updates. This whole article does not give me a warm fuzzy. What is the joe average user supposed to do?
  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • The major damage potential is ricochet attacks via WinXX:

    Typical ADSL user has WinXX, and mebbe some firewall, connected to modem via xed cable...
    Step 1. WinXX machine gets gets script-kiddied (not very hard to imagine)
    Step 2. modem gets hacked from the Win host, firmware overwritten, in such a way only the cracker can rewrite it.
    Step 3. zillions of DOS attacks.
    Step 4. the telcos go shopping for a few million new modems. Alcatel places winning bid :)
    Step 5 Go to Step 1 above
  • http://www.alcatel.com/consumer/dsl/security.htm

    --
  • He prolly has a dialup 56K or less

    That aint internet access whatever it is ;)

    Hell I have a 1.1mbit SDSL at home and I am constnatly bitching about our ISDN at work. ;p

    Jeremy

  • Yeah, it's good to check at CERT. And, from what I see here [cert.org], CERT didn't really retract too much (there's a long list of problems they mention)
  • ...actually, I'm at work.
  • by _underSCORE ( 128392 ) on Wednesday April 11, 2001 @05:11AM (#299376) Homepage Journal
    Thanks to NorthPoint going down, my DSL modem is 100% secure...

    ...it's 100% useless, but totally secure.

    Two weeks without Internet access and still surviving.

    -_underSCORE
  • Go read the Security Advisory...

    In this example, one can send packets to the TFTP server from the outside by sending TFTP UDP packets with a source address of 255.255.255.255 and a source port of TFTP to the UDP ECHO port of any system on the internal network with a functioning UDP ECHO server. When the "ECHO server" replies to the request, it will interpret the (now) destination address of 255.255.255.255 as local broadcast, and the packet will be broadcast on the Ethernet with the destination port set to UDP TFTP.

    Many networking devices (including the Speed Touch) provide a UDP ECHO service, and in many cases (again, including the Speed Touch) there is no way to disable the service.

    This attack is available over IP. Don't need inside access. Don't need to crack any of your boxes inside. Just need the IP of your DSL modem and some spoofing.

  • Obviously, we are each looking at the issue from a different perspective. I apologize for the Go read the article, because I now see that you could have both read the article and drawn a correct conclusion based upon what you know/what you are familiar with. It seems we are both speaking from our known reference points.

    Now, about your use of PPPoE and the "Since you need to access the LAN via the VPN tunnel your UDP packets"

    You are correct but only in the case of running PPPoE. If you have a static IP (like me), then your Alcatel is accessible from the Internet and that attack will work. The ECHOed UDP packets never reach your firewall (unless you've homebrewed a super l33t DSLAM firewall that sits on the Telco side) because the Alcatel is kind enough to ECHO them for you (back to itself) before it gets on the Ethernet. There goes your spoof detection too. Nope haven't tried it myself yet. Yep it sounds doable if you ask me.

    I believe it is significant because all the PacBell DSL rolled out in the first year is static, and on Alcatel 1000. PacBell "enhanced" services are static too. It also appears by reading specs that Alcatel has cross-licensed its stuff to other vendors. Westell for sure (see: http://www.dslreports.com/forum/remark,658656;root =equip,36;mode=flat [dslreports.com]and scroll down a bit).

    Well, it may have been a slighlty heated discussion here. I am glad you wrote back so I could learn a little from you. PPPoE == protection in this case. Now, if I could just convince myself that the ASI guys are capable of reprovisioning my line with PPPoE on the WAN side, and keep my /29 CIDR block on the DMZ. Nope, don't think they can handle it...

  • Does anyone have a picture of the stupid thing? It would be really, REALLY nice to have a picture of either the specific model in question or a "Some may be slightly different" with a picture of one that's CLOSE to it.

    Or comments on markings, or such. Mine is not from this company but I was curious what type/model was affected by the notice and found that there are no "With Alcatel name and model numbers xxx and xxx" I mean is it ALL their models? Is it one specific? Even the warning page doesn't give specifics.

    DanH
    Cav Pilot's Reference Page [cavalrypilot.com]
  • Two weeks without Internet access and still surviving.

    Now there's a meta-quote, if ever there was....

    #include <stddiscl.h>

  • Does this apply to Alcatel USB modems, or just ethernet-hub -based modems?

    AFAIK, a USB device doesn't have a 10.x.x.x address at all; and as has been pointed out, 10.x.x.x is private from the net.

    Someone clarify this to save many /.ers from trawling CERT...


    #include <stddiscl.h>

  • I tried the nmap thing but got this:

    bash-2.05# nmap -sS -sU -O -v 10.0.0.138

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    Host (10.0.0.138) appears to be down, skipping it.
    Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

    Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

    Does this mean my modem isn't vulnerable or is the IP different? Comments would be appreciated.
  • Nevermind. My ISP assured me that I'm not remotely vulnerable (and I believe them, go figure) so I can't say that I care much anymore. Further the reason that I didn't get a response from the modem seems to be that I wasn't configured in the right IP/submask.

    On a sidenote.. my ISP said people in the Netherlands are vulnerable because they use pptp (whatever that is) and their public IP is on the modem.

  • The Alcatel Speed Touch ADSL modem is a Ethernet to ADSL bridge/router

    That and the photographs shows me that they're talking about a completely different device to the one used by the BT Openworld residential service, which is a USB device.
    Unless the USB device (stingray) has the same problem, then this does not affect almost all UK ADSL users.
    Can anyone confirm or deny this with sources rather than speculate?

    Hacker: A criminal who breaks into computer systems
  • A recent receipt of mine shows:

    22.015Gal DSL @$1.499 Total: $33.00

    My car runs just fine with it and I think it is safe!
  • Oh man, I'm glad I stopped when I did!!

    --
  • by seanmeister ( 156224 ) on Wednesday April 11, 2001 @05:17AM (#299387)
    My god, even the SDSC advisory makes it a point to mention that Tsutomu Shimomura is the guy that nailed Kevin Mitnick. I mean, ok dude you're l33t, but enough already!! I actually tried reading Takedown, but I gave up after two chapters of Shimomura's ego-stroking.

    At least the CERT Advisory managed to avoid the Mitnick angle....

    --

  • .......unless there using an Alcatel boxen apparently. :)

  • This is absolutelly nothing new. As the engineer who controls all xDSL modems/routers for a large player in the industry, security for xDSL CPE is horrid. You will find major security issues with all CPE.
  • I must agree I do love my 675 :)
  • I got mine like 2 years ago and usworst sent it with a management cable. mine is just in bridge mode with a Linux based firewall right behind it.
  • No you only got half of that right:

    "How I seduced this woman away from her man while eating tofu and kayaking thru the mountings with one hand tied behind my back."

  • I run a Cisco 675e for my DSL and the sad part about this, for every one of these Alcatel's that have a vulneriblity, there are probably 2 cisco's out there without an executive or enable password set. Maybe Alcatel is just keeping up with with the abilities of 90% of our DSL users, which is slim to none.
  • Seemed like a while to me....

    But then again, I had a very boring day yesterday....
  • Better to sign up to something like CERT [cert.org] advisories than rely on random postings to Slashdot.

    Really.

    This was announced on their list about 14 hours ago.
  • why they even allow connections to the firmware from the external modem port is beyond me. there should just be a switch that physically prevents external IP's from talking to the command hardware.

    what were they thinking?

    /m

  • When I first got the fool thing, I changed the IP address it responded to. At the moment, my particular modem has the address 10.1.2.1/24. Guess what? That particular subnet is not accessible through my ISP (net 10 is blocked) and I don't have any other system with that subnet defined.

    When I want to play, I define a second net address on my Linux firewall to create an interface on that port, and manually update the router tables accordingly.

    I wonder how many people have tried to find my Alcatel 1000?

  • At least on the IOS systems, if you don't specify a password on vty 0 4, it won't let you telnet in to the router. Specifically, you'll get the following error "Password required, but none set". This will have no effect on the console port.

    However, I've never looked at the command structure for a 675, so I don't know if it's the same. You could try removing the password, and quickly try to telnet to it to see if that works,...
  • Anybody got any information on possible security issues with other cable modems from other manufacturers?
    At the moment, I'm glad I've got Motorola...
  • In the UK, part of the TOS for BT's ADSL is that you're not allowed to modify the modem, as it blocks requests on port 80 to stop you hosting a website. I phoned them up to ask about this, and they threatened to fine me for "damage incurred", kick me of the service, etc.

    And now it turns out that anyone can do it!


    Is there anything which cannot be programmed?
  • My Alacatel 1000 has been chugging along for almost a year with zero hiccups until last week, when my connection just went dead. I checked all the usual suspects, i.e. router/hub/firewall, power and cable connections, and even made sure I paid the bill - but nothing. Figuring it was my fault I finally reformatted the HD, figuring I would connect afterword to download drivers. Southwestern Bell tech support tried to help, but they came up with nothing except giving me an "escalation" with a case ID # and a call three days later. I just got off the phone with the escalated guy and it turns out that my problem was that someone on the network side probably rebooted one of the servers and forgot to include this model modem in its settings, because it's older. Now this is how geeky I am: the first page I tried when I knew it was fixed was Slashdot and much to my horror this was the second article I read. I thought I was totally screwed and some little prick in fact hacked my modem - either way I want to know exactly how to fix these settings so I can worry less.
  • by mirko ( 198274 ) on Wednesday April 11, 2001 @05:26AM (#299402) Journal
    According to this article [transfert.net] (in French: use the fish [altavista.com]), this is a bit over-hyped.
    --
  • I own such a modem and was alarmed yesterday, by our belgian ADSL user group. My Question:

    Is my modem vulnerable when I use PPPoE? The way I see it, my modem is not reachable from the Outside World, because all IP trafic is encapsulated in PPP. Even if one was to root my machine, access to the Modem would be restricted until the PPPoE link goes down, in which case the attacker closes his only way in.

    The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.

    My BEF 10,-

    Dave
  • Cisco Broadband Operating System
  • Better to sign up to something like CERT advisories than rely on random postings to Slashdot.

    Really.

    This was announced on their list about 14 hours ago.


    14 whole hours! Gosh.
  • Thanks to NorthPoint going down, my DSL modem is 100% secure...

    ...it's 100% useless, but totally secure.

    Two weeks without Internet access and still surviving.


    And you posted this message, how?

    LIAR!
  • Alcatel Speed Touch Home Bridge hooked to Cheap Linksys firewall/router hooked to Cisco 1900 series switch. Not all of the Speed Touch equipment is the same. If you are using a cross over cable to connect to the shitty thing then you need to firewall your machine not the router.
  • That was strangely poetic, for a lamer.
  • ...so I'm a bit worried, of course. While there is a possible attack via the DSLAM or an attacker with access to your copper pair and a DSLAM emulator, those are a bit above the script kiddie level.

    As to TCP/IP attacks, it can be a real bitch to talk to a host outside your subnet but on the same LAN. Even setting an ARP entry, I couldn't get a response from my modem. I have to use a second machine with two shared ethernets, and set its DSL-side interface to the 10.0.0.x subnet. And I have to set it back to let that machine run normally. (I could put a third Ethernet card in, but it's not really worth the effort.) So I'm not too worried about spoofed UDP packets being bounced into it.

    What did surprise me, though, was that the challenge/response code for my old 1000 was computable from the CGI script at http://security.sdsc.edu/self-help/alcatel/challen ge.cgi [sdsc.edu]. So at least now I can telnet into the thing. But so can anyone else, if they can perform the necessary TCP/IP routing wizardry to get to it.

    Unfortunately, there doesn't seem to be anything that I can do to it from telnet that I can't do with the web interface.

  • I haven't made any packet rules yet, what are yours like? Though I'll still keep my zonealarm running on my windows boxen.

    And did you find a management cable? I had to track one down through ebay.
  • The 674 doesn't use IOS (sigh, goodbye cheap CISCO cert) but rather CBOS, which I think stands for Consumer Broadband Operating System.

    As far as securing your 675, change the default passwords, and then you can have 20 rules for packet filtering.
  • suck even more

    one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.

    This Alcatel really sucks if you can't even do that.

  • I have a 1000ADSL using PPPoE, and I can telnet to the modem directly, and enter "EXPERT" mode, with or without PPPoE running. I do run a dedicated (RH Linux) firewall box, and being paranoid as I am, everything is pretty much blocked out. Since it runs into a separate interface (a second NIC connects to a hub and the other PCs), there's not much risk of being attacked.

    I don't think that the modem's internal 'echo' server would be sufficient for attack (as someone above has mentioned), as the modem isn't going to spoof an internal IP as a LAN-connected box would... If this were the case, you wouldn't need a Unix box (or *any* box for that matter) on the LAN side in order to attack the modem.

    I do think this has been blown a bit out of proportion, however. In order for someone to be able to attack, one of the following has to happen:

    - A hacker would have to have physical access to the DSLAM or the copper loop. If they wanted you that badly, obviously you have something valuable and would hopefully have taken other precautions... Noone would go through that much trouble for a simple DOS attack on a home user's internet access.

    - For the other method to work, you'd have to be running a Unix system connected to the modem. I would imagine that anyone running a Unix system would probably have disabled echo, and/or have a good firewall set up -- and if not, they probably have no business running a Unix system anyway (and probably have many other, more exploitable holes)...

    I do agree that the flaws in this device are bad, but I still feel that standard Windoze users wouldn't be affected unless someone wanted in that badly (in which case they could probably find much easier ways to get into the Windoze box). Those of us running a Unix-like system have already taken precautions, because we do not trust anyone, especially a closed device connected to the internet... Things like this simply justify our paranoia ;)

    - J-Man
  • This also happens when @Home's DHCP server databases get corrupt. For a period of two weeks I could not connect because my cable modem's MAC (or whatever they use) was not in their database.
  • At http://www.alcatel.com/consumer/dsl/security.htm, alcatel basically said that the remote firmware upload is disabled by default.
  • MEDIA ADVISORY UPDATE ON ALCATEL SPEED TOUCH MODEM Paris, April 13, 2001 - Alcatel (Paris: CGEP.PA and NYSE: ALA) is aware of the reported security vulnerabilities to the Speed Touch Home ADSL modem and Alcatel 1000 ADSL network termination device and is working with the Computer Emergency Response Team (CERT) at Carnegie Mellon University to ensure the concerns raised in its advisory are satisfactorily addressed. Alcatel is not aware of any instance where a Speed Touch modem user has been compromised due to the reported vulnerabilities. It is Alcatel's policy to provide its customers with the most advanced and secure products. Therefore, Alcatel has done extensive testing of its ADSL modem equipment based on the recently made security advisories by CERT (http://www.cert.org) and the San Diego Supercomputer Center (SDSC). The security issues raised are actually well known general vulnerability problems when connected to the Internet, regardless of the type of software upgradeable access equipment being used (cable or DSL modems). According to recent tests, the primary vulnerability referred to in the advisories do not apply to the vast majority of mainstream operating systems used by residential and small business subscribers, such as Windows 95, 98, 98se, ME, and typical installations of NT4.0 Workstation, 2000 Professional and the latest commercial releases of Linux. Without a firewall any PC in any configuration (home PC or in a local area network) is open to attacks by hackers. Therefore, Alcatel highly recommends the use of firewalls as a general practice, especially for those with "always on" cable or DSL connections. To increase the security of its products, Alcatel previously implemented additional security measures to avoid direct interference with its modems by remote users. This Firmware Protection is available in Alcatel Speed Touch Home and PRO modems. Alcatel ships the modems from its factories with the Firmware Protection enabled. For more information please go to http://www.alcatel.com/consumer/dsl/security.htm
  • All Covad DSL customers in the Midwest area use a common password for their Efficient SpeedStream routers.
    A funny story-

    Our company DSL connection went down suddenly Monday. Everything looked OK on the LAN side, but the ISP's attempts to look at connectivity was unsuccessful. I did not have access to the router - Covad changes the default password. We ended up having to file a trouble ticket and found out:

    Every one of these routers (installed by covad) uses the same administration password.

    Our IPs on the WAN side had been changed.

    The covad tech said that someone who knew the password had telnetted into it, -or- someone from the ISP had mistakenly reconfigured the wrong router.

  • I have been following Slashdot for a few months now and one thing that baffles me is how is it that the same kind of articles attract so many posts. Aren't people exhausted on commenting on the same thing over and over again?
  • This really sucks for Northpoint subscribers. First their service gets cut off [dslreports.com], then earthlink [earthlink.com] signs them up, now they find script kiddies playing on their boxen. What's next?
  • Especially the output of the nmap scan [sdsc.edu] of the modem is interesting, since a huge number of security problems can be spotted, e.g.

    open echo and chargen UDP ports (nice for a DOS attack)

    very easy to do TCP sequence prediction (ideal for TCP spoofing to the device)

    I'm glad I don't have such a modem at home!

  • The guy didn't warn anybody?

    IIRC, nice guys (white hats, say) are supposed to give an advance warning to the company (Alcatel, in this case), to give them some time to issue a patch, and so on...

    Didn't see any mention of this..

    If he had given notice to alcatel, and alcatel didn't answer, we would have seen "we reported the bug to alcatel and got no response" stuff..

    I guess since it's not a US company, he didn't bother to give an early warning to the suckers.

    How nice.

    Besides, we can do a poll.

    To exploit the ADSL modem *without* having to hack a box on the internal network, you need:

    -either a box on the internal LAN with an ECHO service running. How many of u do have a box with ECHO enabled? No Windows users, for a start. No Apple users. Aaaahhh here we are... yes, there's ECHO enabled by default on some mainstream linux distro's (don't laugh, BSDists, ECHO and CHARGEN are enabled by default on some BSD's too.. ).. so i guess vulnerable pple are the lame *NIX users who didn't take the errr say 30 secs to disable all they don't need in /etc/inetd.conf ...

    -either have a "DSLAM simulator" you ave to build yourself, and get to the copper to snap on. I guess if you can do this, you can already sniff the ATM frames passing by, or break in the target's house/office, and take the target box away.

    (btw, for u cablemodem users... do you know you can be far more easily sniffed/man-in-the-middle'd than the average adsl user? shared media, guys, shared media..) ( some reference [slashdot.org] ... if the feds can do it.. :-)) )

  • yes they do have type model ... it is in one of the sub - pages
    http://security.sdsc.edu/self-help/alcatel/alcat el -bugs

    The described flaws were demonstrated in all known firmware versions
    of the Speed Touch Home, including:

    KHDSAA.108 Jul 6 14:03:12 GMT 1999
    KHDSAA.132 Nov 19 13:52:05 GMT 1999
    KHDSBA.133 Mar 16 17:52:08 GMT 2000
    KHDSAA.134 Apr 24 12:48:43 GMT 2000

    -CrackElf
  • Qwest/US West DSL users (me included) may relax. They are not affected :)
  • Summary: French hacker discovers problem, decides it's no big deal since the internal IP address cannot be accessed from outside service provider network. US/Japanese "celeb" hacker seizes opportunity to make a publicity splash and flouts security etiquette by going very public and exaggerating severity of problem. There are serious hackers discovering much more perilous security holes all the time which are quietly reported to manifacturers.
  • by jjshoe ( 410772 ) on Wednesday April 11, 2001 @05:33AM (#299432) Homepage
    What suprises me from all theese results is the "Not me!" "Im not affected" "Those bastards!"

    I think what people dont realize is this affects everyone. some kid who looses his irc channel #NetPimps.are.us on EFnet wants it back, but an ircop refuses to help, because he's net sexing his girlfriend. so this 9 yr old on ten gallons of jolt fires up nmap with os fingerprinting, and creates a script to test to see if he can comprise the router, set its own password, and fires up yet another script, to have all theese people with poarly secured routers start dossing the ircop, the ircops efnet server, and the other 9 yr olds who took his channel.

    But oh no! "Its not me" isp uses the same backbone as theese routers, and gee, how bad would 5,000 dsl modems running ping -f -s 9999 slow down a network?

    suddenly, your all affected by this poar security

    i think people need to stop shruging things off like this and work together, if you want to flood something, whats better? 1 user or 100 users?

    if you want something fixed, whats better? 1 user complaining? or 100 users complaining?

  • by echidna75 ( 442460 ) on Wednesday April 11, 2001 @05:04AM (#299435)
    Alcatel is the company that recently exploited MLK to pitch their goods. It looks like Instant Karma has caught up with them. Read some more about the tasteless ads they produced: http://slate.msn.com/moneybox/entries/01-04-02_103 560.asp

Perfection is acheived only on the point of collapse. - C. N. Parkinson

Working...