Slashdot Mirror


Security Issues For Many Alcatel DSL Modems

gle was one of many readers to write about an interesting security problem: "If you own an Alcatel DSL modem, you will be interested to know that virtually anybody on the planet is probably able to reconfigure your modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun. Lack of proper authentification, and various back-doors have been pointed out amongst various design flaws. The man who discovered this is Tsutomu Shimomura, who got famous at getting Kevin Mitnick arrested. Alcatel claims 36% share of the DSL market, with more than 1.7 million units installed ..." So if you have DSL, you might want to check the label on the side of the modem about now.


  1. Re:Pure Bullshit by Anonymous Coward · · Score: 3

    I'm Renaud Deraison (no slashdot account, sorry). I did not discover anything. I just pointed out that Alcatel modems are passwordless by default. Shimomura extends that by saying that even if you set a password, it can be bypassed. But you have to be able to directly connect to the modem to exploit that, that is, you need to either be the ISP of your target, or have control on a host on the target's LAN.

  2. Re:Tsutomu Shimomura's ego by Trepidity · · Score: 2

    Good. Takedown is horribly inaccurate.

  3. Re:Some things by Adnans · · Score: 2

    Go read the Security Advisory...

    I did, long before it made it to /.

    This attack is available over IP. Don't need inside access. Don't need to crack any of your boxes inside. Just need the IP of your DSL modem and some spoofing.

    Good luck trying that. Since you need to access the LAN via the VPN tunnel your UDP packets get blocked right there in the INPUT chain. Spoofing is also easily detected. Also if you read the advisory correctly you wouldn't even need the exact IP address of the modem. That is of course if your ECHO packets manage to get past the firewall, again, good luck trying...

    While the security issues are grave, they are not as easily exploitable, and with proper care a non-issue. I noticed Alcatel's stupidity the first day I got my modem, open telnet to the settings menu. Wish I had made some real noise back then, I could have become a "l33t security expert" ;-)

    -adnans

    --
    "In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." --Linus Torvalds
  4. Some things by Adnans · · Score: 4
    If you own an Alcatel DSL modem, you will be interested to know that virtually anybody on the planet is probably able to reconfigure your modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun.

    This is mostly bullshit! First you'd have to gain access to the computer or network the Alcatel modem is on. And for that you'd have to gain root. The only outside attacks possible are out of your hands anyway (someone will need to tap your phoneline or break into your telco provider).

    However, the default security setting of the Alcatel modem IS pathetic in the sense that it has an open frontdoor!

    Some things you need to take care of:
    • Change the default IP address. Not very helpful, but it's better than the 10.0.0.138 default everyone knows.
    • Set a password!
    • Block all non-essential traffic to the modem. That means blocking FTP, TELNET, TFTP and HTTP when not configuring the modem. Configuration is only needed once. Not blocking this traffic means anyone can still gain access through the "EXPERT" login.
    • The above point means you cannot safely attach your Alcatel modem to a firewall-impaired HUB.
    • Bug Alcatel / your DSL provider about this!

    The most disturbing flaw is the fact that IF someone gains access to your modem they can render it unusable, requiring hardware replacement :(

    -adnans (blessed/cursed with one of these)
    --
    "In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." --Linus Torvalds
    1. Re:Some things by coolgeek · · Score: 2
      Go read the Security Advisory...

      In this example, one can send packets to the TFTP server from the outside by sending TFTP UDP packets with a source address of 255.255.255.255 and a source port of TFTP to the UDP ECHO port of any system on the internal network with a functioning UDP ECHO server. When the "ECHO server" replies to the request, it will interpret the (now) destination address of 255.255.255.255 as local broadcast, and the packet will be broadcast on the Ethernet with the destination port set to UDP TFTP.

      Many networking devices (including the Speed Touch) provide a UDP ECHO service, and in many cases (again, including the Speed Touch) there is no way to disable the service.

      This attack is available over IP. Don't need inside access. Don't need to crack any of your boxes inside. Just need the IP of your DSL modem and some spoofing.

      --

      cat /dev/null >sig
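
Added example (not part of the comments above or of the advisory they quote): a small Python ingress check for the packet pattern coolgeek quotes, a UDP datagram to the ECHO port whose source address is 255.255.255.255 and whose source port is TFTP, together with the management-port blocking Adnans recommends for the modem's default address 10.0.0.138. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

TCP, UDP = 6, 17
ECHO_PORT, TFTP_PORT = 7, 69
MGMT_TCP = {21: "ftp", 23: "telnet", 80: "http"}   # services named in the thread
MODEM_IP = ipaddress.IPv4Address("10.0.0.138")      # default address named in the thread
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, sport, dport); ports are None when not available."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    # Only the first fragment carries the TCP/UDP ports.
    if proto in (TCP, UDP) and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def check_packet(pkt: bytes):
    """Return the list of reasons to drop an inbound packet (empty list = pass)."""
    try:
        src, dst, proto, sport, dport = parse_ipv4(pkt)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    # A broadcast or multicast address is never a legitimate source address.
    if src == LIMITED_BROADCAST or src.is_multicast:
        reasons.append("broadcast-or-multicast-source")
    if proto == UDP and dport == ECHO_PORT:
        reasons.append("udp-echo-request")
        # The echo reply swaps the ports, so it would be sent to UDP TFTP.
        if sport == TFTP_PORT:
            reasons.append("echo-reply-would-target-tftp")
    if dst == MODEM_IP:
        if proto == TCP and dport in MGMT_TCP:
            reasons.append(f"modem-mgmt-{MGMT_TCP[dport]}")
        if proto == UDP and dport == TFTP_PORT:
            reasons.append("modem-mgmt-tftp")
    return reasons


def sample_packet(src, dst, proto, sport, dport):
    """Constructed test input: 20-byte IPv4 header (checksum left 0) plus the two ports."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    # Constructed samples; 192.0.2.10 stands in for an internal host,
    # 198.51.100.7 for an outside sender.
    samples = [
        ("255.255.255.255", "192.0.2.10", UDP, TFTP_PORT, ECHO_PORT),
        ("198.51.100.7", "10.0.0.138", TCP, 40000, 23),
        ("198.51.100.7", "192.0.2.10", TCP, 40000, 443),
    ]
    for s in samples:
        print(s, "->", check_packet(sample_packet(*s)) or "pass")
```

As coolgeek's follow-up notes, a check like this only helps on a device the packet crosses before it reaches a UDP ECHO responder; it does not cover a modem that answers ECHO itself on its WAN side.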
    2. Re:Some things by coolgeek · · Score: 2
      Obviously, we are each looking at the issue from a different perspective. I apologize for the Go read the article, because I now see that you could have both read the article and drawn a correct conclusion based upon what you know/what you are familiar with. It seems we are both speaking from our known reference points.

      Now, about your use of PPPoE and the "Since you need to access the LAN via the VPN tunnel your UDP packets"

      You are correct but only in the case of running PPPoE. If you have a static IP (like me), then your Alcatel is accessible from the Internet and that attack will work. The ECHOed UDP packets never reach your firewall (unless you've homebrewed a super l33t DSLAM firewall that sits on the Telco side) because the Alcatel is kind enough to ECHO them for you (back to itself) before it gets on the Ethernet. There goes your spoof detection too. Nope haven't tried it myself yet. Yep it sounds doable if you ask me.

      I believe it is significant because all the PacBell DSL rolled out in the first year is static, and on Alcatel 1000. PacBell "enhanced" services are static too. It also appears by reading specs that Alcatel has cross-licensed its stuff to other vendors. Westell for sure (see: http://www.dslreports.com/forum/remark,658656;root=equip,36;mode=flat and scroll down a bit).

      Well, it may have been a slightly heated discussion here. I am glad you wrote back so I could learn a little from you. PPPoE == protection in this case. Now, if I could just convince myself that the ASI guys are capable of reprovisioning my line with PPPoE on the WAN side, and keep my /29 CIDR block on the DMZ. Nope, don't think they can handle it...

      --

      cat /dev/null >sig
  5. Re:NMAP Signature by Guy+Harris · · Score: 2
    Check out this file.

    I got a user's manual with my ADSL 1000, which includes, err, umm, a discussion of the Web interface to it; as I remember, it even mentioned the 10.0.0.138 IP address. Maybe Sasktel weren't as nice as Pac Bell in that regard (or maybe he didn't check out the box the modem came in).

    The manual didn't discuss the Telnet UI, though.

  6. Re:Externally accessible? by Guy+Harris · · Score: 2
    I'm thinking it's so they can update it from their offices whenever they please,

    ...which I rather suspect they do using some non-IP protocol running, for example, atop ATM.

  7. Re:Only a question of business by Guy+Harris · · Score: 2
    (xDSL is an Alcatel technology)

    I assume you mean "ADSL" rather than "xDSL", as there are several technologies to which the term "xDSL" refers (HDSL, SDSL, and ADSL, for example), many of which appear to have in common only the fact that they send Digital signals over the Subscriber Line.

    Could you please cite some references to support the assertion that "ADSL is an Alcatel technology", or explain what you mean by "ADSL is an Alcatel technology" if you don't mean to imply that Alcatel invented ADSL? I have seen, in several places (admittedly, the ones I found were all from companies in the USA, so perhaps they're all part of the plot to discredit Alcatel), claims that, in fact, ADSL was originally conceived by Bellcore, and, in this Texas Instruments application report (see section B.3. "History of ADSL standards"), a claim that "the DMT line-coding technique was developed around 1987 as a result of the research performed by Professor John M. Cioffi at Stanford University".

    Perhaps Alcatel is the main manufacturer of ADSL equipment, and they may have contributed a lot to the development of ADSL technology, but I've yet to see any indication that they invented ADSL, or even DMT, so it does not appear to be an "Alcatel technology" in the sense that they are the originators of ADSL.

    This story is only an attempt to break the image of company in USA. In fact all that thing was cleverly prepared : the "hacker" that discovered it made a public advertisement whereas, for security, usually people who found security holes are asked to contact the company first in order to avoid crackers take advantage of the information. Moreover he contacted some friends and the media even before the post on the Internet.

    Indeed? Are you asserting that this is part of some plot by competitors to discredit Alcatel? If so, do you have any evidence to support that assertion? (There wasn't anything in the transfert article making any such claim.)

  8. Re:Yet another reason.... by HiredMan · · Score: 2
    Yeah - cable modums have way l33t3R seKuriT dewd.

    At least someone has to hack yer DSL modem - Cable modem is just a distributed E-net. Anyone on your node (ie your neighborhood) can see what anyone else is looking at just by asking to.

    Hope yer not surfin' any pr0n you don't want the guy down the street knowin' about. Or doing anything sensitive from work at home...

    =tkk

  9. Worst security model for a long time? by malkavian · · Score: 3

    All I can say is 'Ouch!'.
    I'm damn glad I've got a cable modem, which doesn't seem to be doing all this crazy stuff.
    I find it rather perturbing that anybody in their right mind these days could leave an unauthenticated TFTP server running, with permissions to overwrite a password.
    Even if it is 'supposed' to be run from the LAN side of the device.
    Backdooring is also very very evil. All it takes is for one black hat to acquire the cryptovariables and algorithm, then it's script kiddie heaven!
    Alcatel, being one of the major telecoms providers, I'd have thought would be a little more careful about the production and security of their devices. It's not as if it'd break their bank hiring a few good security consultants to go over their device before selling it. Lawsuits that may ensue due to their negligence in correctly allowing security configuration of the device may seriously damage it though.
    All this in mind, having a device with this lax security on it is a contravention of most ISPs' TOS. I know I'd get thrown off in an instant if I had a machine this insecure on my cable!
    Again, it looks like a victory for the beancounters (we can shave a few grand off the development costs by not hiring security consultants, and that'll make this department look nicer on the profit side. Who cares about the other departments who have to cope with the flak later).
    I think I'll just say I'm very disappointed with a company of this standing to have procedures this lax, and leave it at that.

    Cheers,

    Malk

  10. Re:French link by Pig+Hogger · · Score: 2
    At least, they call Shimomura a "hacker"... :) :) :)

    --

  11. Re:default dsl passwords suck, unchangeable ones by Syberghost · · Score: 2

    one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.

    This Alcatel really sucks if you can't even do that.


    Oh, yeah; whereas Cisco never leaves wide-open back doors in their products.

    -

  12. Re:Even over PPPoE? by Syberghost · · Score: 2

    The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.

    Well, *IF* you're not running a firewall, there's supposedly some reflection attacks they can do off you, but if you're not running a firewall you're in way worse shape than just this vulnerability.

    -

  13. Re:I don't have this problem.... by IntlHarvester · · Score: 2

    I'm curious about that -- I have the older model (1000ADSL) in a similar configuration as you with a fixed IP. Can't get the thing to answer to telnet even if I take the firewall/router out of the way.

    Is this only a problem in PPTP mode or something?
    --
    Business. Numbers. Money. People. Computer World.
  14. Re:Tsutomu Shimomura's ego by dillon_rinker · · Score: 2

    I read the whole thing. One of the threads running through it was "How I seduced this woman away from her man."

  15. ZDNET story by wiredog · · Score: 3

    Alcatel told zdnet the remote update is "a feature that is intended to allow communications service providers to remotely upgrade the software within their customers' modems."

  16. Re:Pure Bullshit by anticypher · · Score: 5

    I just used up all my moderator points, or I'd up this comment.

    Renaud Deraison is known in French security circles for his nessus scanner, a program similar to nmap. He published his findings at the end of last year, but it wasn't widely trumpeted at the time. Shimomura is a publicity whore who copied Deraison's comments (probably used the fish, the grammar follows the same butchering) and claimed the discovery as his own. A few days ago, there was a press release going around touting Shimomura's discovery, not a CERT advisory, just a press release from the San Diego Super Computer Research Center.

    The French paper Le Liberation ran a story filled with horror but little detail. Some of the claims are ridiculous, such as how someone who cracks the modem has unlimited access to every file on all the computers behind it, and how any machine on the internet can access the modems which sit on unaddressable IP addresses (the 10.x.x.x private IPs from RFC 1918).

    Today Le Libe is running a follow up story where Alcatel denies the backdoors were placed intentionally, and claims there is a security program installed on the modems to prevent cracking by unauthorised persons.

    I have a Speed Touch Home modem, and I've played with these backdoors. In /. speak, they are a number of IP services, the "simple" services (echo, chargen, etc), an HTTP server, an FTP server, a telnet server, and a TFTP server. The modem has a simple internal file system, and if you know the names of the files, you can copy them or overwrite them with TFTP. If you connect with telnet (or FTP), it presents you with the MAC address of the modem, and asks for a password, which is a simple hash of the MAC address. Deraison either intercepted his provider connecting and reverse engineered the hash, or he had access to some engineering docs at an ISP, or played around and figured it out. Either way, an impressive hack, in the good sense of the word.

    Since the modem uses "private" IP addresses, and access is limited to the local LAN or from the DSLAM, he didn't consider this to be a big problem. The modems typically sit on the DSLAM's private address range, and only connect the user's computer to the BAS using PPPoE or PPPoA, and can't really generate traffic to the internet. To gain access to the modems, you would either have to crack the DSLAM, crack the user's computer, be on the same DSLAM (and thus same subnet) as the target, or intercept the copper wires and play DSLAM. Of these scenari, only cracking a computer on the LAN behind the modem would be possible from the internet at large, and if you can do that, why bother with a stupid little DSL modem?

    I agree with Betcour (and a large crowd on fr.comp.securite) on this, Shimomura is tooting his own horn because his bank account is empty after Cybertraque flopped at the cinema. Did Takedown ever open in the U.S.? If it didn't, count your blessings, it was bad, not Ed Wood bad, just unredeemably bad.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  17. Proper spelling on story lead by Steve+G+Swine · · Score: 4

    Lack of proper authentification...

    That's authentimacation , thank you very much.

    Homer

    --
    "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  18. Pure Bullshit by Betcour · · Score: 5

    According to the Webzine transfert.net, this is just a PR stunt from Shimomura. The thing was discovered in November 2000 by Renaud Deraison, who makes the Nessus security checking program. This is a very minor problem, as only someone able to spoof IP 10.0.0.138 can try to use the exploit. Deraison updated his Nessus program to check for the flaw but didn't make a security alert because he didn't think it was worth it.

    Now Shimomura, 4 months later, decided he could make some quick bucks with the idea and told about it to a few people, then to the press and CERT. A normal security alert goes to the manufacturer first (to give him a chance to make a patch) and then to the CERT. Obviously Shimomura is a lamer trying to claim as his someone else's work and make some fame out of a minor event and the media's ignorance.

  19. Been there, done that. by dbarclay10 · · Score: 2

    Last month or so, I telnetted into my Alcatel modem. (10.0.0.128, I think?) Anyways, I had read the PDF manual I had found.

    So, poking around, I made a typo. No biggie, right?

    I reset the modem. Uh-oh. No 'net. Damn, I hope I didn't break it. Look at the clock. It was 2:23AM. Okay, keep trying for a while.

    Damn, still doesn't work. Call a friend. Nope, she can't connect either. UH-OH.

    Call Sympatico (my provider). Having troubles? I ask. Yup, they are. Uh-oh. Well, could you tell me the *exact* time the trouble started? "Sorry sir, I don't know," the first-line techie responds. "Okay, mind if I speak to an engineer? Thanks :)" I say.

    Anyways, to make a long story short, the problems started at around 2:19:23AM. Pretty much the exact time I made that typo. Coincidence? Possibly.

    I probably shouldn't be posting this to Slashdot ...

    (Oh, yeah, this is an Alcatel modem ;)

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)

  20. Hardly need to check the label... by biglig2 · · Score: 2

    ...there aren't that many devices around shaped like a manta ray!

    --
    ~~~~~ BigLig2? You mean there's another one of me?
  21. Re:Externally accessible? by DrEldarion · · Score: 2

    I'm thinking it's so they can update it from their offices whenever they please, and the user doesn't have to do anything.

    -- Dr. Eldarion --

  22. Alcatel's Reply by alexburke · · Score: 2

    http://www.alcatel.com/consumer/dsl/security.htm

    --

  23. Re:I'm safe... by _underSCORE · · Score: 2

    ...actually, I'm at work.

    --
    "This is not a company that appears to be bothered by ethical boundaries."
    Attorney General Mike Hatch on Microsoft
  24. I'm safe... by _underSCORE · · Score: 5

    Thanks to NorthPoint going down, my DSL modem is 100% secure...

    ...it's 100% useless, but totally secure.

    Two weeks without Internet access and still surviving.

    -_underSCORE

    --
    "This is not a company that appears to be bothered by ethical boundaries."
    Attorney General Mike Hatch on Microsoft
    1. Re:I'm safe... by tswinzig · · Score: 2

      Thanks to NorthPoint going down, my DSL modem is 100% secure...

      ...it's 100% useless, but totally secure.

      Two weeks without Internet access and still surviving.


      And you posted this message, how?

      LIAR!

      --

      "And like that ... he's gone."
  25. About 10,000 DSL bridges/routers out there by HerrGlock · · Score: 2

    Does anyone have a picture of the stupid thing? It would be really, REALLY nice to have a picture of either the specific model in question or a "Some may be slightly different" with a picture of one that's CLOSE to it.

    Or comments on markings, or such. Mine is not from this company but I was curious what type/model was affected by the notice and found that there are no "With Alcatel name and model numbers xxx and xxx" I mean is it ALL their models? Is it one specific? Even the warning page doesn't give specifics.

    DanH
    Cav Pilot's Reference Page

    --
    UNIX - Not just for Vestal Virgins anymore
    1. Re:About 10,000 DSL bridges/routers out there by CrackElf · · Score: 2

      yes they do have type model ... it is in one of the sub-pages
      http://security.sdsc.edu/self-help/alcatel/alcatel-bugs

      The described flaws were demonstrated in all known firmware versions
      of the Speed Touch Home, including:

      KHDSAA.108 Jul 6 14:03:12 GMT 1999
      KHDSAA.132 Nov 19 13:52:05 GMT 1999
      KHDSBA.133 Mar 16 17:52:08 GMT 2000
      KHDSAA.134 Apr 24 12:48:43 GMT 2000

      -CrackElf

      --
      "Blake is an idealist, Jenna. He cannot afford to think." - Kerr Avon, Star One, Blakes 7
  26. Re:Am I vulnerable? by Drone-X · · Score: 2
    Nevermind. My ISP assured me that I'm not remotely vulnerable (and I believe them, go figure) so I can't say that I care much anymore. Further the reason that I didn't get a response from the modem seems to be that I wasn't configured in the right IP/submask.

    On a sidenote.. my ISP said people in the Netherlands are vulnerable because they use pptp (whatever that is) and their public IP is on the modem.

  27. Tsutomu Shimomura's ego by seanmeister · · Score: 3
    My god, even the SDSC advisory makes it a point to mention that Tsutomu Shimomura is the guy that nailed Kevin Mitnick. I mean, ok dude you're l33t, but enough already!! I actually tried reading Takedown, but I gave up after two chapters of Shimomura's ego-stroking.

    At least the CERT Advisory managed to avoid the Mitnick angle....

    --

  28. dsl modems by Nocode · · Score: 2

    I run a Cisco 675e for my DSL and the sad part about this, for every one of these Alcatels that have a vulnerability, there are probably 2 Ciscos out there without an executive or enable password set. Maybe Alcatel is just keeping up with the abilities of 90% of our DSL users, which is slim to none.

    --

    I sorta like /.
  29. Don't rely on Slashdot for security information by sydb · · Score: 4

    Better to sign up to something like CERT advisories than rely on random postings to Slashdot.

    Really.

    This was announced on their list about 14 hours ago.

    --
    Yours Sincerely, Michael.
    1. Re:Don't rely on Slashdot for security information by tswinzig · · Score: 2

      Better to sign up to something like CERT advisories than rely on random postings to Slashdot.

      Really.

      This was announced on their list about 14 hours ago.


      14 whole hours! Gosh.

      --

      "And like that ... he's gone."
  30. There was an even easier fix... by satch89450 · · Score: 2

    When I first got the fool thing, I changed the IP address it responded to. At the moment, my particular modem has the address 10.1.2.1/24. Guess what? That particular subnet is not accessible through my ISP (net 10 is blocked) and I don't have any other system with that subnet defined.

    When I want to play, I define a second net address on my Linux firewall to create an interface on that port, and manually update the router tables accordingly.

    I wonder how many people have tried to find my Alcatel 1000?

  31. He... poor BT by Jetifi · · Score: 2

    In the UK, part of the TOS for BT's ADSL is that you're not allowed to modify the modem, as it blocks requests on port 80 to stop you hosting a website. I phoned them up to ask about this, and they threatened to fine me for "damage incurred", kick me off the service, etc.

    And now it turns out that anyone can do it!


    Is there anything which cannot be programmed?
  32. French link by mirko · · Score: 3

    According to this article (in French: use the fish), this is a bit over-hyped.
    --
    Trolling using another account since 2005.
  33. Even over PPPoE? by GroovBird · · Score: 2

    I own such a modem and was alarmed yesterday, by our Belgian ADSL user group. My Question:

    Is my modem vulnerable when I use PPPoE? The way I see it, my modem is not reachable from the Outside World, because all IP traffic is encapsulated in PPP. Even if one was to root my machine, access to the Modem would be restricted until the PPPoE link goes down, in which case the attacker closes his only way in.

    The only way in seems to be IMHO by cracking the DSLAM (concentrator) or by pinching my copper wire from the wall and do some jolly nice tricks with it.

    My BEF 10,-

    Dave

  34. Re:No IOS, the 675 uses CBOS by AmigaAvenger · · Score: 2

    Cisco Broadband Operating System

  35. I have a 1000ASDL... by b1t+r0t · · Score: 2
    ...so I'm a bit worried, of course. While there is a possible attack via the DSLAM or an attacker with access to your copper pair and a DSLAM emulator, those are a bit above the script kiddie level.

    As to TCP/IP attacks, it can be a real bitch to talk to a host outside your subnet but on the same LAN. Even setting an ARP entry, I couldn't get a response from my modem. I have to use a second machine with two shared ethernets, and set its DSL-side interface to the 10.0.0.x subnet. And I have to set it back to let that machine run normally. (I could put a third Ethernet card in, but it's not really worth the effort.) So I'm not too worried about spoofed UDP packets being bounced into it.

    What did surprise me, though, was that the challenge/response code for my old 1000 was computable from the CGI script at http://security.sdsc.edu/self-help/alcatel/challenge.cgi. So at least now I can telnet into the thing. But so can anyone else, if they can perform the necessary TCP/IP routing wizardry to get to it.

    Unfortunately, there doesn't seem to be anything that I can do to it from telnet that I can't do with the web interface.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  36. default dsl passwords suck, unchangeable ones by Hairy_Potter · · Score: 2

    suck even more

    one of the first things I did on my Cisco DSL router was to reset the exec and enable passwords.

    This Alcatel really sucks if you can't even do that.

  37. On a related note... by nixon78 · · Score: 2
    All Covad DSL customers in the Midwest area use a common password for their Efficient SpeedStream routers.
    A funny story-

    Our company DSL connection went down suddenly Monday. Everything looked OK on the LAN side, but the ISP's attempts to look at connectivity was unsuccessful. I did not have access to the router - Covad changes the default password. We ended up having to file a trouble ticket and found out:

    Every one of these routers (installed by covad) uses the same administration password.

    Our IPs on the WAN side had been changed.

    The covad tech said that someone who knew the password had telnetted into it, -or- someone from the ISP had mistakenly reconfigured the wrong router.

  38. Nmap scan by Kj0n · · Score: 2

    Especially the output of the nmap scan of the modem is interesting, since a huge number of security problems can be spotted, e.g.

    open echo and chargen UDP ports (nice for a DOS attack)

    very easy to do TCP sequence prediction (ideal for TCP spoofing to the device)

    I'm glad I don't have such a modem at home!

  39. Am I the only one to notice that by ViVeLaMe · · Score: 2
    The guy didn't warn anybody?

    IIRC, nice guys (white hats, say) are supposed to give an advance warning to the company (Alcatel, in this case), to give them some time to issue a patch, and so on...

    Didn't see any mention of this..

    If he had given notice to alcatel, and alcatel didn't answer, we would have seen "we reported the bug to alcatel and got no response" stuff..

    I guess since it's not a US company, he didn't bother to give an early warning to the suckers.

    How nice.

    Besides, we can do a poll.

    To exploit the ADSL modem *without* having to hack a box on the internal network, you need:

    -either a box on the internal LAN with an ECHO service running. How many of u do have a box with ECHO enabled? No Windows users, for a start. No Apple users. Aaaahhh here we are... yes, there's ECHO enabled by default on some mainstream linux distro's (don't laugh, BSDists, ECHO and CHARGEN are enabled by default on some BSD's too.. ).. so i guess vulnerable pple are the lame *NIX users who didn't take the errr say 30 secs to disable all they don't need in /etc/inetd.conf ...

    -either have a "DSLAM simulator" you have to build yourself, and get to the copper to snap on. I guess if you can do this, you can already sniff the ATM frames passing by, or break in the target's house/office, and take the target box away.

    (btw, for u cablemodem users... do you know you can be far more easily sniffed/man-in-the-middle'd than the average adsl user? shared media, guys, shared media..) ( some reference ... if the feds can do it.. :-)) )

    --
    i had a sig, once..
  40. Qwest/US West users may now relax by strictnein · · Score: 2

    Qwest/US West DSL users (me included) may relax. They are not affected :)

  41. French Article by JockComeMierda · · Score: 2

    Summary: French hacker discovers problem, decides it's no big deal since the internal IP address cannot be accessed from outside service provider network. US/Japanese "celeb" hacker seizes opportunity to make a publicity splash and flouts security etiquette by going very public and exaggerating severity of problem. There are serious hackers discovering much more perilous security holes all the time which are quietly reported to manufacturers.

  42. Not me! I'm not affected! by jjshoe · · Score: 3
    What surprises me from all these results is the "Not me!" "I'm not affected" "Those bastards!"

    I think what people don't realize is this affects everyone. Some kid who loses his irc channel #NetPimps.are.us on EFnet wants it back, but an ircop refuses to help, because he's net sexing his girlfriend. So this 9 yr old on ten gallons of jolt fires up nmap with os fingerprinting, and creates a script to test to see if he can compromise the router, set its own password, and fires up yet another script, to have all these people with poorly secured routers start dossing the ircop, the ircop's efnet server, and the other 9 yr olds who took his channel.

    But oh no! "It's not me" isp uses the same backbone as these routers, and gee, how bad would 5,000 dsl modems running ping -f -s 9999 slow down a network?

    Suddenly, you're all affected by this poor security.

    I think people need to stop shrugging things off like this and work together. If you want to flood something, what's better? 1 user or 100 users?

    If you want something fixed, what's better? 1 user complaining? Or 100 users complaining?

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
  43. exploiting MLK by echidna75 · · Score: 3

    Alcatel is the company that recently exploited MLK to pitch their goods. It looks like Instant Karma has caught up with them. Read some more about the tasteless ads they produced: http://slate.msn.com/moneybox/entries/01-04-02_103560.asp