I’ve just read an interesting article entitled “who makes the IoT things under attack“, explaining that devices connected to the Internet such as router, IP cameras, IP Phones, etc.. may be used by Botnet to launch DDoS attacks, and they do so using the default username and password. So you may think once you’ve updated the firmware when available, and changes the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH trying a bunch of default username and password.
That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country I live, so there may be hundred of thousands or millions of such modems in the country with the same default settings.
I’ve started by scanning the TP-Link router in the local network:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
sudo nmap -sS 192.168.0.1 Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT Nmap scan report for 192.168.0.1 (192.168.0.1) Host is up (0.00034s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 1900/tcp open upnp 49152/tcp open unknown MAC Address: 94:0C:6D:XX:XX:XX (Tp-link Technologies) Nmap done: 1 IP address (1 host up) scanned in 14.15 seconds |
UPnP and the web interface ports are open, plus an extra post likely opened by UPnP, which looked fine.
Now I did the same on the ZTE modem in the local network first:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
sudo nmap -sS 192.168.1.1 Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT Nmap scan report for 192.168.1.1 (192.168.1.1) Host is up (0.00086s latency). Not shown: 996 closed ports PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds |
The telnet port is opened that’s not good… But it would be much worse if it was also open with the public IP:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
sudo nmap -sS MODEM-PUBLIC-IP Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:11 ICT Nmap scan report for MODEM-PUBLIC-IP Host is up (0.00088s latency). Not shown: 996 closed ports PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 22.71 seconds |
Oh boy…. That’s not good at all. Can I access it from the outside?
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
telnet MODEM-PUBLIC-IP Trying MODEM-PUBLIC-IP... Connected to MODEM-PUBLIC-IP. Escape character is '^]'. F600W Login: admin Password: Password is incorrect Password: Password is incorrect Password: Password is incorrect Reached the maximum number of login, Admin authority locked 3 mins. Connection closed by foreign host. |
No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!
|
1 2 3 4 5 6 7 8 9 10 11 12 |
telnet MODEM-PUBLIC-IP Trying MODEM-PUBLIC-IP... Connected to MODEM-PUBLIC-IP. Escape character is '^]'. F600W Login: root Password: BusyBox v1.01 (2015.01.15-08:36+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. / # |
That’s huge as it means millions of modem routers can be accessed around the world with minimal knowledge, I would not even consider this a hack… Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username/password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…
|
1 2 3 4 5 6 7 8 |
curl -I MODEM-PUBLIC-IP HTTP/1.1 200 OK Server: Mini web server 1.0 ZTE corp 2005. Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Cache-Control: no-cache,no-store Content-Length: 5277 |
I don’t know if the Internet provided uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:
|
1 2 3 4 5 6 7 8 9 10 |
# mount ubi:rootfs_ubifs on / type ubifs (ro,relatime) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) /dev/mtdblock7 on /data type jffs2 (rw,relatime) /dev/mtdblock4 on /tagparam type jffs2 (rw,relatime) tmpfs on /var type tmpfs (rw,relatime,size=15360k) /dev/mtdblock5 on /userconfig type jffs2 (rw,relatime) none on /mnt type ramfs (rw,noatime,nodiratime) |
Normally, this is no problem as you can remount the root partition in read/write mode:
|
1 2 |
# mount -o remount,rw / Can't find / in /etc/fstab |
But it’s not working in this case… I’m not there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. Those are the command at our disposal:
busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binaryCurrently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget
A temporary solution is to kill telnet:
|
1 2 3 4 5 6 7 8 9 10 11 |
ps ax | grep telnet 826 root 692 S <0> telnetd 828 root 692 S <0> telnetd 829 root 692 S <0> telnetd 830 root 692 S <0> telnetd 831 root 692 S <0> telnetd 832 root 692 S <0> telnetd 833 root 692 S <0> telnetd 1068 root 472 R <0> grep telnet kill 826 |
But obviously, telnet will run again, at next boot time…
Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premise, and hopefully, they’ll be able to change the password, or disable them remotely in due time…
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
… this is a MASSIVE issue that cannot be overstated. The amount of vulnerable connected devices is staggering.
..and ISP is punished by originating DDOS from it.
but punishment should also be also monetary.
As a general rule I never, ever trust a device I don’t have complete control over… including integrated routers from ISPs. Almost all of them have a “bridge” mode where the firewall/router is turned off and they just shuffle packets between the cable/dsl/fiber and the Ethernet port. You can then put a firewall you control behind it and not have traffic double NAT’ed. Most often the ISP’s won’t tell you about bridge mode or how to enable it but a fair amount of digging will turn it up. This doesn’t solve the problem of the cable modem being turned into… Read more »
I get different port states if I scan my pubblic IP
from LAN or from an online service, ie.
from LAN:
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
8200/tcp open trivnet1
20005/tcp open btx
from outside:
80/tcp filtered http
80/udp open|filtered http
…
8200/tcp filtered trivnet1
…
20005/tcp filtered btx
scary results anyway, since I still can’t determine what trivnet and btx are…
If you search on zoomeye.org for ‘port:23 country:TH’ there are just 200.000 listed 😉
@tkaiser
Interesting website :0 . I don’t think the list is exhaustive, as my IP address is not listed.
@Jean-Luc Aufranc (CNXSoft)
Including F600W to the search shows about 5000 modems in South East Asia and China: https://www.zoomeye.org/search?t=host&q=port%3A23+F600W
@Jean-Luc Aufranc (CNXSoft)
Well, I really hope that it’s not exhaustive but you could double check on Shodan and Censys. At least it should be obvious that finding vulnerable devices is as easy as taking them over especially if you can already rely on a botnet doing the job.
Given the actual trend to connect each and every IoT crap to various clouds from where access to other IoT devices assigned to the same account is possible this will get even more funny in the (not so distant) future.
@tkaiser
Yes, that’s scary.
China seems to be telnetd heaven, and one of the most common device is QSEE DVR, a CCTV camera system… Lots of fun to be had there…
I also take the extra step of filtering outbound traffic for IoT devices, a lot of them do things they’re not telling you about or ignore directives you give them. For example, we have a Foscam webcam in our toddlers room. It was ignoring the assigned DNS server (regardless of manual or DHCP IP settings) and contacting it’s own. It was also trying to register with their dynamic DNS service even when you told it not to. It can get to be a pain to manage, especially for IoT devices that do need to access the internet (e.g. we have… Read more »
from what i understand, the main problem isn’t the iot devices themselves (don’t get me wrong, they’re still a problem as long as you’re concerned about security/privacy/etc…)
the main problem comes from all those ISPs who can’t even configure a firewall correctly!
and this problem exists since a very long time :
as an example, you’d be surprised to know how many network printers are accessible from everywhere
@Jean-Luc Aufranc (CNXSoft)
telnetd is sooo boring since it allows only virtual access to a device. Better search for dumb people using ‘smart locks’, get into their IFTTT or SmartThings or whatever cloud account and have physical access to their home.
And this is why I asked my service provider to put my cable modem/router combo into bridge mode so I can use my own router…
@thesandbender
I would use a Foscam IP camera (or any other commercially available device with a network connection and cloud or P2P ambitions) only after replacing the firmware. If that’s not possible I would throw it away. Very nice read:
“It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network”
The era of home automation… also called the “golden age of surveillance”
It remembers me the security hole in the Belgacom Box 2: http://www.zoobab.com/bbox2 Login/Password was the same for all the boxes open in telnet on the private interfaces (LAN and WLAN), and at the days, the default settings of the main provider were an open SSID. So you could become root on the router from the street if the SSID was open. Some student named “Vendetta” made a tour of Brussels, stole all the PPP crendentials that were stored on some config file on the box, and threatened Belgacom to publish more credentials if they were not changing their data quota… Read more »
@thesandbender
Actually most of the people who visit my page about the Belgacom Box 2:
http://www.zoobab.com/bbox2
Search on how to put in in bridge mode.
I worked in a company where the Belgacom engineers were putting the “entreprise” version of it on bridged mode, because the router was falling apart when there were too many NAT sessions, so they were installing the router in bridged mode, with another router next to it 🙂
As I can see in your busybox output, you have wget available, so it would be easy to load some static binary from /tmp/.
Can you do a cat /proc/cpuinfo?
@zoobab # cat /proc/cpuinfo system type : 968380FGGU processor : 0 cpu model : Broadcom BMIPS4350 V8.0 BogoMIPS : 397.31 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : no hardware watchpoint : no ASEs implemented : shadow register sets : 1 kscratch registers : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available processor : 1 cpu model : Broadcom BMIPS4350 V8.0 BogoMIPS : 409.60 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : no hardware watchpoint : no ASEs implemented :… Read more »
@nobe
ISPs’ problems? How and why?
Why would my ISP decide what ports I need to access from the outside? Maybe I need a telnet connection to one of my legacy servers (TIP: telnet was used before SSH to remote-admin servers).
Secondly, maybe I have secured it and want to access my network printer directly. Again, why should my ISP decide?
No, it’s not an ISP issue. It’s a user’s issue (lack of awareness) + manufacturer’s lack of interest. They both need to be responsible with what they do online (as with what they do offline)
The sad part about this is while everybody discusses the ins and outs, somebody will see this as a business opportunity to sell a service or product to stop it. Aimed at uneducated folk like me.
@Jean-Luc Aufranc (CNXSoft)
According to this page:
https://wiki.openwrt.org/doc/hardware/soc/soc.broadcom.bcm63xx
BCM63168 == BMIPS4350 V8.0
1ghz with USB3.
Will ask around to xcompile some full busybox for it…
@zoobab
This is the same SOC as the BBOX3: http://www.zoobab.com/bbox3-sagemcom
Search for “bcm63168”.
Last time I looked at it, is was pretty easy to create a new profile in openwrt because the arch was already existing.
@zoobab
Some traces of this SOC here: https://github.com/CreatorDev/openwrt/blob/master-pistachio/target/linux/brcm63xx/patches-4.4/339-MIPS-BCM63XX-add-support-for-BCM63268.patch
This Zoomeye search works better:
“port:23 country:TH F600W”
@Theguyuk
To stop what?
DDoSing has been problematically for years; and there are businesses that already sell this.
Firewalling has been implemented since early days of servers/networking; and there are businesses that already sell this.
There is nothing new about this. It’s just how networks&devices work since TCP/IP and UDP have been implemented (25+ years).
So… what’s new?
@The Dex In away that highlights my point. Technical able people already know this but lots of non technical users don’t have a clue. They just assume, expect everything is safe. Lots of people still don’t have a firewall or run virus software. They just use the software and hardware and never consider risks. They drive sales just by consuming. You can consider we have never been here before with so much connected devices. Slightly off topic but the Hola VPN app story shows how easy to exploit peoples devices can be. Then you have Rooting, Jail breaking devices and… Read more »
I’m confused, how this problem could be solved without flashing OpenWrt ? I’ve seen many Tenda routers affected with similar problem, and they don’t support OpenWrt.
@Arnab
The routers are still running Linux, so you could change the password, or better change the config files to disable telnetd.
My only problem is that I don’t seem to find a way to switch the rootfs to read/write mode.
There are routers supplied by broadband companies that will not accept any other software, EE and SKY for instance. I have several old SKY modems that you cannot change firmware and a EE modem with same problem. So how would home users secure them.
@Jean-Luc Aufranc (CNXSoft)
Busybox 1.01 (from 2005, so they used a 10 years old version…) mount wants two parameters, even on a remount, or it looks in fstab.
try : mount -o remount,rw,relatime ubi:rootfs_ubifs /
@Theguyuk
I do agree with you!
So, from your point-of-view, how would you proceed? Or what would you want to be done? One thing I do not “universally” agree: driving sales. There are companies that are inflicting serious costs out of this.
Take the Mirai botnet (although is not the only one – there are several variants “lurking” around, dedicated to ARM-based/embedded devices): this can hit SMEs and leave them in total digital-blindness. And same goes to bigger ones too.
@Jean-Luc Aufranc (CNXSoft)
We’re open to investigate and propose a solution, if there is one available (and I do think that at least one should be available).
Since we don’t have direct access to the devices you are using we can’t say that it’s gonna work 100%, but we can try. 🙂
@hwti I managed to re-mount it in read/write mode using: # mount -o remount,rw /dev/mtdblock3 / 1 # mount -o remount,rw /dev/mtdblock3 / It did work: / # mount ubi:rootfs_ubifs on / type ubifs (rw,relatime) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) /dev/mtdblock7 on /data type jffs2 (rw,relatime) /dev/mtdblock4 on /tagparam type jffs2 (rw,relatime) tmpfs on /var type tmpfs (rw,relatime,size=15360k) /dev/mtdblock5 on /userconfig type jffs2 (rw,relatime) none on /mnt type ramfs (rw,noatime,nodiratime) 12345678910 / # mountubi:rootfs_ubifs on / type ubifs (rw,relatime)proc on /proc type proc (rw,relatime)sysfs on /sys type… Read more »
@Jean-Luc Aufranc (CNXSoft)
OK.. I know why /etc/ is not accessible… /dev/mtdblock3 is not the right partition… Somehow that bricked my modem router… I’ll have to buy a new one, as I don’t expect the firmware (and instructions) to be available…
@The Dex
That is a hard question to answer. Out of the box, secure by design for manufactures of modems is part of the answer but that would need to be a requird industry standard.
For older modems whats possible? Can you make a cheap inline filter, something to block attacks on hardware you cannot change or flash. A hardware gate keeper, is that even possible?
@theguyuk Usually there is the possibility to modify the firmware and “patch” the backdoor – for example, close the telnet service/change the interface where it is listening or change the default passwords (depends on some factors, of course). If the router provides firewalling, maybe there is a possibility to default enable firewalling of those services or port forwarding them to a sinkhole. Fact is that most of these devices use OpenSource solutions; and the sources should be available, as per license requirements. But, besides some serious manufacturers that take note of this, many don’t. But, again, they can be legally… Read more »
@Jean-Luc Aufranc (CNXSoft)
Any serial console on the board? Usually there is one…
@zoobab
I did try to open it but I would have had to force it a bit… So I waited, and got a new modem router replacement for free since we applied less than a year ago. The telnet port is still open in the new unit (same root password), but I’m not going to mess with it…
Speeding camera without passwords -> http://readwrite.com/2016/10/07/unsecured-speeding-cameras-vulnerable-smart-city-hackers-cl4/
The tricky part might be to find their IP addresses. But maybe a bot can do that…
Not too tricky finally -> https://www.zoomeye.org/search?t=host&q=Redflex+Traffic+Systems
Most are based in the US, and connection is refused from overseas.
That’s the most easy part and it’s already mentioned how they did that: Using Shodan you can search for any type of (vulnerable) device. And this is not the only specialiced search engine for the Internet of Sh*t (critical infrastructure connected to the net with default passwords or no authentication at all). Censys is a known alternative and zoomeye.org gets more and more popular even if westerners have their trouble with the Chinese UI.
According to The Register, the reason the US Internet was shutdown yesterday was precisely because of devices with default username/password.
@Jean-Luc Aufranc (CNXSoft)
But even if such devices or Linux distros targeting IoT devices would force their users to change the passwords due to the code base containing flaws that are easily exploitable it might not change that much. Way too much enabled services, outdated code, unpatched kernels (with root exploits available like Dirty COW) lead to a large attack surface
BTW: regarding Dirty COW at least Armbian users are save after doing an ‘apt-get upgrade’: http://docs.armbian.com/Release_Changelog/
@Jean-Luc Aufranc (CNXSoft)
Somebody has created a Bot called BrickerBot that will automatically brick devices using default username/password. http://www.zdnet.com/article/homeland-security-warns-of-brickerbot-malware-that-destroys-unsecured-internet-connected-devices/
Once companies will start getting enough returns, maybe they’ll do something about it.
More routers weaknesses, this time exploited by the NSA’s Cherry Blossom project:
https://wikileaks.org/vault7/#Cherry%20Blossom
At least DLink, Belkin & Linksys routers are affected based on Wikileaks tweet.