Security Issues For Many Alcatel DSL Modems
gle was one of many readers to write about an interesting security problem: "If you own an Alcatel DSL modem, you will be interested to know that virtually anybody on the planet is probably able to reconfigure your modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun. Lack of proper authentification, and various back-doors have been pointed out amongst various design flaws. The man who discovered this is Tsutomu Shimomura, who got famous at getting Kevin Mitnick arrested. Alcatel claims 36% share of the DSL market, with more than 1.7 million units installed ..." So if you have DSL, you might want to check the label on the side of the modem about now.
On that note, what ways are there to secure a Cisco 675? I've been searching the net for a way to disable telnet on the external interface without locking myself out on the inside as well. Is there any reason to be this cautious, or am I just paranoid?
.forsight
I'm Renaud Deraison (no slashdot account, sorry) I did not discover anything. I just pointed out that Alcatel modems are passwordless by default. Shimomura extends that by saying that even if you set a password, it can be bypassed. But you have to be able to directly connect to the modem to exploit that, that is, you need to either be the ISP of your target, or have control on a host on the target's lan.
Good. Takedown is horribly inaccurate.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
If you have a speedstream 5260 it looks like the innards are from Alcatel. More info here.
That's the model Sympatico just gave me last week.
Fuck.
G
I worshiped Avon when I was 12. Still have my square logic cubes sitting next to my monitor - it's amazing how effective they can be for problem solving.
Don Negro
Perl 6 will give you the big knob. -- Larry Wall
Yep.
Don Negro
Perl 6 will give you the big knob. -- Larry Wall
"All your modems are belong to us" . . .
[duck]
hawk
hawk, shuddering at the notion that someone might take this seriously
Go read the Security Advisory...
I did, long before it made it to /. ;-)
This attack is available over IP. Don't need inside access. Don't need to crack any of your boxes inside. Just need the IP of your DSL modem and some spoofing.
Good luck trying that. Since you need to access the LAN via the VPN tunnel your UDP packets get blocked right there in the INPUT chain. Spoofing is also easily detected. Also if you read the advisory correctly you wouldn't even need the exact IP address of the modem. That is of course if your ECHO packets manage to get past the firewall, again, good luck trying...
While the security issues are grave, they are not as easily exploitable, and with proper care a non-issue. I noticed Alcatel's stupidity the first day I got my modem, open telnet to the settings menu. Wish I had made some real noise back then, I could have become a "l33t security expert"
-adnans
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." --Linus Torvalds
This is mostly bullshit! First you'd have to gain access to the computer or network the Alcatel modem is on. And for that you'd have to gain root. The only outside attacks possible are out of your hands anyway (someone will need to tap your phoneline or break into your telco provider).
However, the default security setting of the Alcatel modem IS pathetic in the sense that it has an open frontdoor!
Some things you need to take care of:
The most disturbing flaw is the fact that IF someone gains access to your modem they can render it unusable, requiring hardware replacement
-adnans (blessed/cursed with one of these)
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." --Linus Torvalds
We're all very happy for you. Smoke a phatty for me.
I work for BT Openworld, and I have alerted some of the technical types about the possibility of a problem.
I got a user's manual with my ADSL 1000, which includes, err, umm, a discussion of the Web interface to it; as I remember, it even mentioned the 10.0.0.138 IP address. Maybe Sasktel weren't as nice as Pac Bell in that regard (or maybe he didn't check out the box the modem came in).
The manual didn't discuss the Telnet UI, though.
...which I rather suspect they do using some non-IP protocol running, for example, atop ATM.
I assume you mean "ADSL" rather than "xDSL", as there are several technologies to which the term "xDSL" refers (HDSL, SDSL, and ADSL, for example), many of which appear to have in common only the fact that they send Digital signals over the Subscriber Line.
Could you please cite some references to support the assertion that "ADSL is an Alcatel technology", or explain what you mean by "ADSL is an Alcatel technology" if you don't mean to imply that Alcatel invented ADSL? I have seen, in several places (admittedly, the ones I found were all from companies in the USA, so perhaps they're all part of the plot to discredit Alcatel), claims that, in fact, ADSL was originally conceived by Bellcore, and, in this Texas Instruments application report (see section B.3. "History of ADSL standards"), a claim that "the DMT line-coding technique was developed around 1987 as a result of the research performed by Professor John M. Cioffi at Stanford University".
Perhaps Alcatel is the main manufacturer of ADSL equipment, and they may have contributed a lot to the development of ADSL technology, but I've yet to see any indication that they invented ADSL, or even DMT, so it does not appear to be an "Alcatel technology" in the sense that they are the originators of ADSL.
Indeed? Are you asserting that this is part of some plot by competitors to discredit Alcatel? If so, do you have any evidence to support that assertion? (There wasn't anything in the transfert article making any such claim.)
At least someone has to hack yer DSL modem - Cable modem is just a distributed E-net. Anyone on your node (ie your neighborhood) can see what anyone else is looking at just by asking to.
Hope yer not surfin' any pr0n you don't want the guy down the street knowin' about. Or doing anything sensitive from work at home...
=tkk
Bill Gates - Creationist?!?
All I can say is 'Ouch!'.
I'm damn glad I've got a cable modem, which doesn't seem to be doing all this crazy stuff.
I find it rather perturbing that anybody in their right mind these days could leave an unauthenticated TFTP server running, with permissions to overwrite a password.
Even if it is 'supposed' to be run from the LAN side of the device.
Backdooring is also very very evil. All it takes is for one black hat to acquire the cryptovariables and algorithm, then it's script kiddie heaven!
Alcatel, being one of the major telecoms providers, I'd have thought would be a little more careful about the production and security of their devices. It's not as if it'd break their bank hiring a few good security consultants to go over their device before selling it. Lawsuits that may ensue due to their negligence in correctly allowing security configuration of the device may seriously damage it though.
All this in mind, having a device with this lax security on it is a contravention of most ISPs' TOS. I know I'd get thrown off in an instant if I had a machine this insecure on my cable!
Again, it looks like a victory for the beancounters (we can shave a few grand off the development costs by not hiring security consultants, and that'll make this department look nicer on the profit side. Who cares about the other departments who have to cope with the flak later).
I think I'll just say I'm very disappointed with a company of this standing to have procedures this lax, and leave it at that.
Cheers,
Malk
--
IntlHarvester wrote:
Is this only a problem in PPTP mode or something?
IANABT (I Am Not A Broadband Technician), but I'd guess that it's mostly an issue for folks running PPPoE and such where the Alcatel unit itself has an IP address. I've lucked out with my DSL provider (HellSouth - er, BellSouth to those not familiar with 'em ;) and managed to keep mine running as a bridge so far (easier to deal with under Linux - no messing with the extra overhead PPPoE adds on).
"Fear is the rootkit of democracy.." Blarkon
one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.
This Alcatel really sucks if you can't even do that.
Oh, yeah; whereas Cisco never leaves wide-open back doors in their products.
-
The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.
Well, *IF* you're not running a firewall, there's supposedly some reflection attacks they can do off you, but if you're not running a firewall you're in way worse shape than just this vulnerability.
-
About all the people who say they love that they have cable, me too! :)
It's also interesting to see some of the more capable /. talk about how they took over the router :)
---
--
Insert Witty Sig Here
I'm curious about that -- I have the older model (1000ADSL) in a similar configuration as you with a fixed IP. Can't get the thing to answer to telnet even if I take the firewall/router out of the way.
Is this only a problem in PPTP mode or something?
--
Business. Numbers. Money. People. Computer World.
Umm, most anyone in the loop for DSL and Cablemodem security (and hacking) knew of this for a long time. Heck, the old RCA cablemodems had a backdoor that would allow the changing of the MAC address.
this is old news, and was not "discovered" by mr "kevin catcher"... leaked maybe...
Do not look at laser with remaining good eye.
actually, this isn't quite true per my last understanding...
:)
unless i've missed a great deal of information, the motorola cybersurfers that time warner hands out have domaining that disallows you (without some type of administrative control over the cable modem) to receive frames destined for any other serial number of modem. basically their encapsulation is loosely encrypted (i doubt it's actually secure).
the reason i mention this is that you said "anyone" which i don't believe is accurate... someone SKILLED, yes, ANYONE, no.
i.e. their promiscuous mode doesn't appear to be able to be enabled without some "inside knowledge".
is my information aged?
(i only see broadcasts to *ALL* MAC addresses (i.e. destination MAC of FF:FF:FF:FF:FF:FF, and to my specific MAC address of my firewall's external ethernet interface)
cheers.
Peter
hear hear.
bellsouth is satan. i hate them with a passion that burns hotter than the sun. may their assets turn to dust and their board of directors be banished back to the pit from whence they came...
honestly, i'm not joking... a bunch of filthy fucks, all of them.
my $0.25
-k
I read the whole thing. One of the threads running through it was "How I seduced this woman away from her man."
As this is the modem that BT insist you use for the residential service.
Strange how this was noticed not long after Alcatel released proprietary drivers for Linux...
A few notes on your mini-screed:
Either it is no big deal and no security furor need transpire, OR he should have gone to Alcatel. You can't argue both, OK?
As it turns out, he DID contact Alcatel, and they rebuffed him, even denying (among other things) that the expert mode code existed in the product. That was obviously false, as a technical manual (previously available from Alcatel's Russian site) mentioned it, and it is present in plaintext when the code was disassembled.
"..decided he could make some quick bucks" How is he making quick bucks from this? If anything, it is a major-ass headache to have your phone ringing off the hook 24/7 and explaining things over and over to journalists. He is not going to start consulting more often or write a book, "DSL Takedown" about it (I fervently hope).
This story looks like:
Alcatel == French
Alcatel != USA
So let's bash French products!
Like if Cisco products don't have the same features of the Remote Control Class.
There *is* a block preventing firmware updates on the external port. It is possible to disable this block but, obviously, only from the LAN port.
The entire 'vulnerability' is based on the rather farout presumption, that there is an ECHO server on the local LAN that the wannabe haxor can 'just' compromise and use to attack the ADSL modem.
/pah
Alcatel told zdnet the remote update is "a feature that is intended to allow communications service providers to remotely upgrade the software within their customers' modems."
Best Slashdot Co
I just used up all my moderator points, or I'd up this comment.
I have a Speed Touch Home modem, and I've played with these backdoors. In /. speak, they are a number of IP services, the "simple" services (echo, chargen, etc), an HTTP server, an FTP server, a telnet server, and a TFTP server. The modem has a simple internal file system, and if you know the names of the files, you can copy them or overwrite them with TFTP. If you connect with telnet (or FTP), it presents you with the MAC address of the modem, and asks for a password, which is a simple hash of the MAC address. Deraison either intercepted his provider connecting and reverse engineered the hash, or he had access to some engineering docs at an ISP, or played around and figured it out. Either way, an impressive hack, in the good sense of the word.
Renaud Deraison is known in French security circles for his nessus scanner, a program similar to nmap. He published his findings at the end of last year, but it wasn't widely trumpeted at the time. Shimomura is a publicity whore who copied Deraison's comments (probably used the fish, the grammar follows the same butchering) and claimed the discovery as his own. A few days ago, there was a press release going around touting Shimomura's discovery, not a CERT advisory, just a press release from the San Diego Super Computer Research Center.
The French paper Le Liberation ran a story filled with horror but little detail. Some of the claims are ridiculous, such as how someone who cracks the modem has unlimited access to every file on all the computers behind it, and how any machine on the internet can access the modems which sit on unaddressable IP addresses (the 10.x.x.x private IPs from RFC 1918).
Today Le Libe is running a follow up story where Alcatel denies the backdoors were placed intentionally, and claims there is a security program installed on the modems to prevent cracking by unauthorised persons.
Since the modem uses "private" IP addresses, and access is limited to the local LAN or from the DSLAM, he didn't consider this to be a big problem. The modems typically sit on the DSLAM's private address range, and only connect the user's computer to the BAS using PPPoE or PPPoA, and can't really generate traffic to the internet. To gain access to the modems, you would either have to crack the DSLAM, crack the user's computer, be on the same DSLAM (and thus same subnet) as the target, or intercept the copper wires and play DSLAM. Of these scenari, only cracking a computer on the LAN behind the modem would be possible from the internet at large, and if you can do that, why bother with a stupid little DSL modem?
I agree with Betcour (and a large crowd on fr.comp.securite) on this, Shimomura is tooting his own horn because his bank account is empty after Cybertraque flopped at the cinema. Did Takedown ever open in the U.S.? If it didn't, count your blessings, it was bad, not Ed Wood bad, just unredeemably bad.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Lack of proper authentification...
That's authentimacation , thank you very much.
Homer
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
According to the Webzine transfert.net, this is just a PR stunt from Shimomura. The thing was discovered in November 2000 by Renaud Deraison, who makes the Nessus security checking program. This is a very minor problem, as only someone able to spoof IP 10.0.0.138 can try to use the exploit. Deraison updated his Nessus program to check for the flaw but didn't make a security alert because he didn't think it was worth it.
Now Shimomura, 4 months later, decided he could make some quick bucks with the idea and told about it to a few people, then to the press and CERT. A normal security alert goes to the manufacturer first (to give him a chance to make a patch) and then to the CERT. Obviously Shimomura is a lamer trying to claim someone else's work as his and make some fame out of a minor event and the media's ignorance.
2001-04-10 11:17:17 Alcatel SpeedTouch ADSL modems have backdoor (articles,Privacy) (rejected)
Last month or so, I telnetted into my Alcatel modem. (10.0.0.128, I think?) Anyways, I had read the PDF manual I had found.
So, poking around, I made a typo. No biggie, right?
I reset the modem. Uh-oh. No 'net. Damn, I hope I didn't break it. Look at the clock. It was 2:23AM. Okay, keep trying for a while.
Damn, still doesn't work. Call a friend. Nope, she can't connect either. UH-OH.
Call Sympatico (my provider). Having troubles? I ask. Yup, they are. Uh-oh. Well, could you tell me the *exact* time the trouble started? "Sorry sir, I don't know," the first-line techie responds. "Okay, mind if I speak to an engineer? Thanks :)" I say.
...
Anyways, to make a long story short, the problems started at around 2:19:23AM. Pretty much the exact time I made that typo. Coincidence? Possibly.
I probably shouldn't be posting this to Slashdot
(Oh, yeah, this is an Alcatel modem ;)
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
Now, France Telecom (the only ADSL operator for home and SOHO) is deploying PPPoE on new POPs, so people (like me) get ECI modems instead of Alcatel.
Hub
...there aren't that many devices around shaped like a manta ray!
~~~~~ BigLig2? You mean there's another one of me?
ORCKIT DSL modem, telnet 10.0.0.138 , default password - "password"
:-)
Oh, how lame
Is there any info on Newbridge MainStreet Xpress ADSL modems? I was told by the tech who installed my modem to leave it on so that they could do firmware updates. This whole article does not give me a warm fuzzy. What is the joe average user supposed to do?
github.com/chrispollitt
I'm glad I got cable
I've been MUCH more satisfied with my cable modem than my friends with their DSL. This just adds another reason to the list.
-- Dr. Eldarion --
I'm thinking it's so they can update it from their offices whenever they please, and the user doesn't have to do anything.
-- Dr. Eldarion --
This is not a signature.
http://www.alcatel.com/consumer/dsl/security.htm
--
He prolly has a dialup 56K or less
;)
;p
That aint internet access whatever it is
Hell I have a 1.1mbit SDSL at home and I am constantly bitching about our ISDN at work.
Jeremy
Yeah, it's good to check at CERT. And, from what I see here, CERT didn't really retract too much (there's a long list of problems they mention)
...actually, I'm at work.
"This is not a company that appears to be bothered by ethical boundaries."
Attorney General Mike Hatch on Microsoft
Thanks to NorthPoint going down, my DSL modem is 100% secure...
...it's 100% useless, but totally secure.
Two weeks without Internet access and still surviving.
-_underSCORE
"This is not a company that appears to be bothered by ethical boundaries."
Attorney General Mike Hatch on Microsoft
Does anyone have a picture of the stupid thing? It would be really, REALLY nice to have a picture of either the specific model in question or a "Some may be slightly different" with a picture of one that's CLOSE to it.
Or comments on markings, or such. Mine is not from this company but I was curious what type/model was affected by the notice and found that there are no "With Alcatel name and model numbers xxx and xxx" I mean is it ALL their models? Is it one specific? Even the warning page doesn't give specifics.
DanH
Cav Pilot's Reference Page
UNIX - Not just for Vestal Virgins anymore
AFAIK, a USB device doesn't have a 10.x.x.x address at all; and as has been pointed out, 10.x.x.x is private from the net.
Someone clarify this to save many
#include <stddiscl.h>
Author, Shell Scripting : Expert Re
I tried the nmap thing but got this:
bash-2.05# nmap -sS -sU -O -v 10.0.0.138
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (10.0.0.138) appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
Does this mean my modem isn't vulnerable or is the IP different? Comments would be appreciated.
Monkey sense
A recent receipt of mine shows:
22.015Gal DSL @$1.499 Total: $33.00
My car runs just fine with it and I think it is safe!
Oh man, I'm glad I stopped when I did!!
--
At least the CERT Advisory managed to avoid the Mitnick angle....
--
.......unless they're using an Alcatel boxen apparently. :)
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
This is absolutely nothing new. As the engineer who controls all xDSL modems/routers for a large player in the industry, security for xDSL CPE is horrid. You will find major security issues with all CPE.
I must agree I do love my 675 :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
I got mine like 2 years ago and usworst sent it with a management cable. mine is just in bridge mode with a Linux based firewall right behind it.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
I run a Cisco 675e for my DSL and the sad part about this, for every one of these Alcatels that have a vulnerability, there are probably 2 Ciscos out there without an executive or enable password set. Maybe Alcatel is just keeping up with the abilities of 90% of our DSL users, which is slim to none.
I sorta like
Seemed like a while to me....
But then again, I had a very boring day yesterday....
Yours Sincerely, Michael.
Better to sign up to something like CERT advisories than rely on random postings to Slashdot.
Really.
This was announced on their list about 14 hours ago.
Yours Sincerely, Michael.
what were they thinking?
/m
When I first got the fool thing, I changed the IP address it responded to. At the moment, my particular modem has the address 10.1.2.1/24. Guess what? That particular subnet is not accessible through my ISP (net 10 is blocked) and I don't have any other system with that subnet defined.
When I want to play, I define a second net address on my Linux firewall to create an interface on that port, and manually update the router tables accordingly.
I wonder how many people have tried to find my Alcatel 1000?
Anybody got any information on possible security issues with other cable modems from other manufacturers?
At the moment, I'm glad I've got Motorola...
In the UK, part of the TOS for BT's ADSL is that you're not allowed to modify the modem, as it blocks requests on port 80 to stop you hosting a website. I phoned them up to ask about this, and they threatened to fine me for "damage incurred", kick me off the service, etc.
And now it turns out that anyone can do it!
Is there anything which cannot be programmed?
My Alcatel 1000 has been chugging along for almost a year with zero hiccups until last week, when my connection just went dead. I checked all the usual suspects, i.e. router/hub/firewall, power and cable connections, and even made sure I paid the bill - but nothing. Figuring it was my fault I finally reformatted the HD, figuring I would connect afterward to download drivers. Southwestern Bell tech support tried to help, but they came up with nothing except giving me an "escalation" with a case ID # and a call three days later. I just got off the phone with the escalated guy and it turns out that my problem was that someone on the network side probably rebooted one of the servers and forgot to include this model modem in its settings, because it's older. Now this is how geeky I am: the first page I tried when I knew it was fixed was Slashdot and much to my horror this was the second article I read. I thought I was totally screwed and some little prick in fact hacked my modem - either way I want to know exactly how to fix these settings so I can worry less.
According to this article (in French: use the fish), this is a bit over-hyped.
--
Trolling using another account since 2005.
I own such a modem and was alarmed yesterday, by our Belgian ADSL user group. My Question:
Is my modem vulnerable when I use PPPoE? The way I see it, my modem is not reachable from the Outside World, because all IP traffic is encapsulated in PPP. Even if one was to root my machine, access to the Modem would be restricted until the PPPoE link goes down, in which case the attacker closes his only way in.
The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.
My BEF 10,-
Dave
Cisco Broadband Operating System
Alcatel Speed Touch Home Bridge hooked to Cheap Linksys firewall/router hooked to Cisco 1900 series switch. Not all of the Speed Touch equipment is the same. If you are using a cross over cable to connect to the shitty thing then you need to firewall your machine not the router.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
That was strangely poetic, for a lamer.
As to TCP/IP attacks, it can be a real bitch to talk to a host outside your subnet but on the same LAN. Even setting an ARP entry, I couldn't get a response from my modem. I have to use a second machine with two shared ethernets, and set its DSL-side interface to the 10.0.0.x subnet. And I have to set it back to let that machine run normally. (I could put a third Ethernet card in, but it's not really worth the effort.) So I'm not too worried about spoofed UDP packets being bounced into it.
What did surprise me, though, was that the challenge/response code for my old 1000 was computable from the CGI script at http://security.sdsc.edu/self-help/alcatel/challenge.cgi. So at least now I can telnet into the thing. But so can anyone else, if they can perform the necessary TCP/IP routing wizardry to get to it.
Unfortunately, there doesn't seem to be anything that I can do to it from telnet that I can't do with the web interface.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
I haven't made any packet rules yet, what are yours like? Though I'll still keep my zonealarm running on my windows boxen.
And did you find a management cable? I had to track one down through ebay.
The 674 doesn't use IOS (sigh, goodbye cheap CISCO cert) but rather CBOS, which I think stands for Consumer Broadband Operating System.
As far as securing your 675, change the default passwords, and then you can have 20 rules for packet filtering.
suck even more
one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.
This Alcatel really sucks if you can't even do that.
At http://www.alcatel.com/consumer/dsl/security.htm, alcatel basically said that the remote firmware upload is disabled by default.
Yopu for you?
MEDIA ADVISORY UPDATE ON ALCATEL SPEED TOUCH MODEM
Paris, April 13, 2001 - Alcatel (Paris: CGEP.PA and NYSE: ALA) is aware of the reported security vulnerabilities to the Speed Touch Home ADSL modem and Alcatel 1000 ADSL network termination device and is working with the Computer Emergency Response Team (CERT) at Carnegie Mellon University to ensure the concerns raised in its advisory are satisfactorily addressed. Alcatel is not aware of any instance where a Speed Touch modem user has been compromised due to the reported vulnerabilities.
It is Alcatel's policy to provide its customers with the most advanced and secure products. Therefore, Alcatel has done extensive testing of its ADSL modem equipment based on the recently made security advisories by CERT (http://www.cert.org) and the San Diego Supercomputer Center (SDSC). The security issues raised are actually well known general vulnerability problems when connected to the Internet, regardless of the type of software upgradeable access equipment being used (cable or DSL modems).
According to recent tests, the primary vulnerability referred to in the advisories do not apply to the vast majority of mainstream operating systems used by residential and small business subscribers, such as Windows 95, 98, 98se, ME, and typical installations of NT4.0 Workstation, 2000 Professional and the latest commercial releases of Linux.
Without a firewall any PC in any configuration (home PC or in a local area network) is open to attacks by hackers. Therefore, Alcatel highly recommends the use of firewalls as a general practice, especially for those with "always on" cable or DSL connections.
To increase the security of its products, Alcatel previously implemented additional security measures to avoid direct interference with its modems by remote users. This Firmware Protection is available in Alcatel Speed Touch Home and PRO modems. Alcatel ships the modems from its factories with the Firmware Protection enabled.
For more information please go to http://www.alcatel.com/consumer/dsl/security.htm
A funny story-
Our company DSL connection went down suddenly Monday. Everything looked OK on the LAN side, but the ISP's attempts to look at connectivity were unsuccessful. I did not have access to the router - Covad changes the default password. We ended up having to file a trouble ticket and found out:
Every one of these routers (installed by covad) uses the same administration password.
Our IPs on the WAN side had been changed.
The covad tech said that someone who knew the password had telnetted into it, -or- someone from the ISP had mistakenly reconfigured the wrong router.
I have been following Slashdot for a few months now and one thing that baffles me is how is it that the same kind of articles attract so many posts. Aren't people exhausted on commenting on the same thing over and over again?
There's always sufficient, but not always at the right place nor for the right folks.
This really sucks for Northpoint subscribers. First their service gets cut off, then earthlink signs them up, now they find script kiddies playing on their boxen. What's next?
There is no spork.
-----------------------------------------
I used to have a sig, but I set it free and it never came back.
Especially the output of the nmap scan of the modem is interesting, since a huge number of security problems can be spotted, e.g.
open echo and chargen UDP ports (nice for a DOS attack)
very easy to do TCP sequence prediction (ideal for TCP spoofing to the device)
I'm glad I don't have such a modem at home!
Okay, gimme some IPs and cut me in on the lawsuit winnings. :)
Mitnick's pals at 2600 produced Freedom Downtime. It's playing at film festivals now...
I used to listen to Emmanuel Goldstein's radio show Off the Hook on WBAI in NYC when I lived there. Anyone with a RealAudio player can catch it Tuesday nights at 8pm EST5EDT (Wed morning @ 00:00 UTC). People should give it a listen. These guys are not the demons the media makes them into. Eric/Emmanuel's courage to speak the truth: that being curious about technology is not a crime, and generally speaking out against tyranny has been a personal inspiration to me in my life...
IIRC, nice guys (white hats, say) are supposed to give an advance warning to the company (Alcatel, in this case), to give them some time to issue a patch, and so on...
Didn't see any mention of this..
If he had given notice to alcatel, and alcatel didn't answer, we would have seen "we reported the bug to alcatel and got no response" stuff..
I guess since it's not a US company, he didn't bother to give an early warning to the suckers.
How nice.
Besides, we can do a poll.
To exploit the ADSL modem *without* having to hack a box on the internal network, you need:
-either a box on the internal LAN with an ECHO service running. How many of u do have a box with ECHO enabled? No Windows users, for a start. No Apple users. Aaaahhh here we are... yes, there's ECHO enabled by default on some mainstream linux distro's (don't laugh, BSDists, ECHO and CHARGEN are enabled by default on some BSD's too.. ).. so i guess vulnerable pple are the lame *NIX users who didn't take the errr say 30 secs to disable all they don't need in /etc/inetd.conf ...
-either have a "DSLAM simulator" you have to build yourself, and get to the copper to snap on. I guess if you can do this, you can already sniff the ATM frames passing by, or break in the target's house/office, and take the target box away.
(btw, for u cablemodem users... do you know you can be far more easily sniffed/man-in-the-middle'd than the average adsl user? shared media, guys, shared media..) ( some reference ... if the feds can do it.. :-)) )
i had a sig, once..
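An added example, not part of the comment above: a small audit of the `/etc/inetd.conf` clean-up that comment describes, listing active echo and chargen entries and producing a copy with them commented out. The sample file contents and the function names are constructed for illustration.

```python
"""Audit an inetd.conf for enabled echo/chargen entries and comment them out."""

RISKY = {"echo", "chargen"}  # the two services named in the comment above

# Constructed sample, not taken from any real host.
SAMPLE = """\
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#chargen stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l
"""


def parse_entry(line):
    """Return (service, protocol) for an active entry, or None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # blank line or already disabled
    fields = stripped.split()
    if len(fields) < 6:
        return None  # not a complete service entry
    # Some inetd variants allow an "address:service" prefix; keep the service.
    service = fields[0].rsplit(":", 1)[-1].lower()
    return service, fields[2].lower()


def find_enabled(conf_text, risky=RISKY):
    """List (line_number, service, protocol) for every active risky entry."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry and entry[0] in risky:
            hits.append((number, entry[0], entry[1]))
    return hits


def disable(conf_text, risky=RISKY):
    """Return the config with active risky entries commented out."""
    out = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        out.append("#" + line if entry and entry[0] in risky else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, service, proto in find_enabled(SAMPLE):
        print(f"line {number}: {service}/{proto} is enabled")
    print(disable(SAMPLE), end="")
```

After editing the real file, inetd has to re-read its configuration (normally by sending it SIGHUP) before the services actually stop listening.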
Qwest/US West DSL users (me included) may relax. They are not affected :)
Casual Games/Downloads
Seriously, though, if you're running a Cisco 675 with an earlier version of the CBOS than 2.3.5, you might want to consider updating, unless you want to be an unwitting accomplice to a DoS attack, or worse. I presume that the Alcatel compromise could lead to similar vulnerabilities.
If ya can't beat 'em, clone 'em.
Users should not have to know about this stuff. Not knowing what a subnet mask does not make me a bad human being.
Summary: French hacker discovers problem, decides it's no big deal since the internal IP address cannot be accessed from outside service provider network. US/Japanese "celeb" hacker seizes opportunity to make a publicity splash and flouts security etiquette by going very public and exaggerating severity of problem. There are serious hackers discovering much more perilous security holes all the time which are quietly reported to manufacturers.
I think what people don't realize is this affects everyone. some kid who loses his irc channel #NetPimps.are.us on EFnet wants it back, but an ircop refuses to help, because he's net sexing his girlfriend. so this 9 yr old on ten gallons of jolt fires up nmap with os fingerprinting, and creates a script to test to see if he can compromise the router, set its own password, and fires up yet another script, to have all these people with poorly secured routers start dossing the ircop, the ircops efnet server, and the other 9 yr olds who took his channel.
But oh no! "Its not me" isp uses the same backbone as these routers, and gee, how bad would 5,000 dsl modems running ping -f -s 9999 slow down a network?
suddenly, you're all affected by this poor security
i think people need to stop shrugging things off like this and work together, if you want to flood something, what's better? 1 user or 100 users?
if you want something fixed, what's better? 1 user complaining? or 100 users complaining?
-- botsex is {grep;touch;strip;unzip;head;mount}
i actually read about that a few weeks ago... heh.
http://www.phatmax.net
the pr0n-o-matic
Alcatel is the company that recently exploited MLK to pitch their goods. It looks like Instant Karma has caught up with them. Read some more about the tasteless ads they produced: http://slate.msn.com/moneybox/entries/01-04-02_103560.asp
man a little excessive don't you think, you most likely bitched until you got in the first place, they could give you one almighty efficient 3060 or 4060 that I work w/ daily, the people that have one of those would be glad to trade w/ you
I must agree w/ your opinion of BS and their execs, they have no clue about what they are doing
By default for my DSL provider, the speed touch home is set to bridging mode and each client sends a dhcp request and receives an ip. The dsl bridge is only recognized by its mac address (like any bridge). Can you tell me how you're gonna attack this setup. the only remote way is if you somehow haxor the dsl equipment outside my modem which has special software to reconfigure this bridge by mac address only. Just my humble opinion. Maybe my experience is different than US dsl providers, (i'm in canada). Is there any reason you would want to allow your dsl "modem" to use internal ips and be accessible from the inside???
Alcatel, as a leader in the DSL market (xDSL is an Alcatel technology) has feared many companies on the American market. This story is only an attempt to break the image of company in USA. In fact all that thing was cleverly prepared : the "hacker" that discovered it made a public advertisement whereas, for security, usually people who found security holes are asked to contact the company first in order to avoid crackers take advantage of the information. Moreover he contacted some friends and the media even before the post on the Internet. You may find some information (in French) here about this sad story of a "hacker" who knows better economic interest than computers (the hole had already been pointed out month before by a real hacker from France): http://www.transfert.net/fr/cyber_societe/article.cfm?idx_rub=87&idx_art=5090
Bye,
gcg