Slashdot Mirror


Security Issues For Many Alcatel DSL Modems

gle was one of many readers to write about an interesting security problem: "If you own an Alcatel DSL modem, you will be interested to know that virtually anybody on the planet is probably able to reconfigure your modem, steal your passwords, sniff your data, install a custom firmware into it, or just break it for fun. Lack of proper authentication, and various back-doors have been pointed out amongst various design flaws. The man who discovered this is Tsutomu Shimomura, who got famous for getting Kevin Mitnick arrested. Alcatel claims 36% share of the DSL market, with more than 1.7 million units installed ..." So if you have DSL, you might want to check the label on the side of the modem about now.

3 of 114 comments

  1. Re:Pure Bullshit by anticypher · Score: 5

    I just used up all my moderator points, or I'd up this comment.

    Renaud Deraison is known in French security circles for his nessus scanner, a program similar to nmap. He published his findings at the end of last year, but it wasn't widely trumpeted at the time. Shimomura is a publicity whore who copied Deraison's comments (probably used the fish, the grammar follows the same butchering) and claimed the discovery as his own. A few days ago, there was a press release going around touting Shimomura's discovery, not a CERT advisory, just a press release from the San Diego Super Computer Research Center.

    The French paper Le Liberation ran a story filled with horror but little detail. Some of the claims are ridiculous, such as how someone who cracks the modem has unlimited access to every file on all the computers behind it, and how any machine on the internet can access the modems which sit on unaddressable IP addresses (the 10.x.x.x private IPs from RFC 1918).

    Today Le Libe is running a follow up story where Alcatel denies the backdoors were placed intentionally, and claims there is a security program installed on the modems to prevent cracking by unauthorised persons.

    I have a Speed Touch Home modem, and I've played with these backdoors. In /. speak, they are a number of IP services, the "simple" services (echo, chargen, etc), an HTTP server, an FTP server, a telnet server, and a TFTP server. The modem has a simple internal file system, and if you know the names of the files, you can copy them or overwrite them with TFTP. If you connect with telnet (or FTP), it presents you with the MAC address of the modem, and asks for a password, which is a simple hash of the MAC address. Deraison either intercepted his provider connecting and reverse engineered the hash, or he had access to some engineering docs at an ISP, or played around and figured it out. Either way, an impressive hack, in the good sense of the word.

    Since the modem uses "private" IP addresses, and access is limited to the local LAN or from the DSLAM, he didn't consider this to be a big problem. The modems typically sit on the DSLAM's private address range, and only connect the user's computer to the BAS using PPPoE or PPPoA, and can't really generate traffic to the internet. To gain access to the modems, you would either have to crack the DSLAM, crack the user's computer, be on the same DSLAM (and thus same subnet) as the target, or intercept the copper wires and play DSLAM. Of these scenarios, only cracking a computer on the LAN behind the modem would be possible from the internet at large, and if you can do that, why bother with a stupid little DSL modem?

    I agree with Betcour (and a large crowd on fr.comp.securite) on this, Shimomura is tooting his own horn because his bank account is empty after Cybertraque flopped at the cinema. Did Takedown ever open in the U.S.? If it didn't, count your blessings, it was bad, not Ed Wood bad, just irredeemably bad.

    the AC

    --
    Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on

  2. Pure Bullshit by Betcour · Score: 5

    According to the Webzine transfert.net, this is just a PR stunt from Shimomura. The thing was discovered in November 2000 by Renaud Deraison, who makes the Nessus security checking program. This is a very minor problem, as only someone able to spoof IP 10.0.0.138 can try to use the exploit. Deraison updated his Nessus program to check for the flaw but didn't make a security alert because he didn't think it was worth it.

    Now Shimomura, 4 months later, decided he could make some quick bucks with the idea and told a few people about it, then the press and CERT. A normal security alert goes to the manufacturer first (to give him a chance to make a patch) and then to the CERT. Obviously Shimomura is a lamer trying to claim someone else's work and make some fame out of a minor event and the media's ignorance.
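Both comments above make the same point: the modem's management services live on RFC 1918 addresses (10.0.0.138 in Betcour's comment), so reaching them from outside requires a packet that arrives on the internet-facing link with a private source address. The defender's check that follows is an added example, not code from the thread or from Alcatel: it parses a few constructed firewall log lines, flags any packet that entered on a WAN interface while claiming an RFC 1918 source, and emits the matching nftables drop rule. The log format, the interface names (`ppp0` as WAN, `eth0` as LAN) and the sample addresses are all assumptions made for the example.

```python
"""Detect and block spoofed RFC 1918 sources on the WAN side.

Added example (not from the Slashdot thread or Alcatel). A private source
address arriving on the internet-facing interface is either spoofed or
leaked; dropping it at the border (BCP 38-style ingress filtering) removes
the only path from the open internet to a modem's 10.x.x.x management side.
"""
import ipaddress
import re

# The three RFC 1918 private ranges.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: ppp0 is the PPPoE/PPPoA link to the ISP, eth0 is the LAN.
WAN_IFACES = {"ppp0"}

# Constructed sample log lines in a simple iptables-style key=value format.
# Line 1, 4 and 5 are the interesting ones: private source, WAN ingress.
SAMPLE_LOG = """\
IN=ppp0 SRC=10.0.0.138 DST=10.0.0.1 PROTO=TCP DPT=23
IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=80
IN=eth0 SRC=10.0.0.5 DST=10.0.0.138 PROTO=UDP DPT=69
IN=ppp0 SRC=192.168.1.9 DST=198.51.100.20 PROTO=UDP DPT=69
IN=ppp0 SRC=172.16.4.4 DST=198.51.100.20 PROTO=TCP DPT=21
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def is_private(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a record."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_spoofed(log_text: str, wan_ifaces=WAN_IFACES):
    """Return records that entered on a WAN interface with a private source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["iface"] in wan_ifaces and is_private(rec["src"]):
            hits.append(rec)
    return hits


def nftables_rule(wan_iface: str = "ppp0") -> str:
    """Build the nft rule body that drops RFC 1918 sources on the WAN link.

    Use inside an input/forward chain, e.g.
    nft add rule inet filter input <this text>
    """
    nets = ", ".join(str(n) for n in PRIVATE_NETS)
    return f'iifname "{wan_iface}" ip saddr {{ {nets} }} drop'


if __name__ == "__main__":
    for rec in find_spoofed(SAMPLE_LOG):
        print(f"spoofed private source on {rec['iface']}: "
              f"{rec['src']} -> {rec['dst']}:{rec['dpt']}/{rec['proto']}")
    print("mitigation:", nftables_rule())
```

Run against the constructed log this reports the three WAN-side packets with 10.x, 192.168.x and 172.16.x sources and leaves the LAN-side TFTP line alone, which is the legitimate case the first commenter describes (management traffic from the local subnet). The generated rule is the ingress filter an ISP or a router owner would place on the link toward the internet.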

  3. I'm safe... by _underSCORE · Score: 5

    Thanks to NorthPoint going down, my DSL modem is 100% secure...

    ...it's 100% useless, but totally secure.

    Two weeks without Internet access and still surviving.

    -_underSCORE

    --
    "This is not a company that appears to be bothered by ethical boundaries."
    Attorney General Mike Hatch on Microsoft