I’ve just read an interesting article entitled “who makes the IoT things under attack“, explaining that devices connected to the Internet such as router, IP cameras, IP Phones, etc.. may be used by Botnet to launch DDoS attacks, and they do so using the default username and password. So you may think once you’ve updated the firmware when available, and changes the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH trying a bunch of default username and password.
That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country I live, so there may be hundred of thousands or millions of such modems in the country with the same default settings.
I’ve started by scanning the TP-Link router in the local network:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
sudo nmap -sS 192.168.0.1 Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT Nmap scan report for 192.168.0.1 (192.168.0.1) Host is up (0.00034s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 1900/tcp open upnp 49152/tcp open unknown MAC Address: 94:0C:6D:XX:XX:XX (Tp-link Technologies) Nmap done: 1 IP address (1 host up) scanned in 14.15 seconds |
UPnP and the web interface ports are open, plus an extra post likely opened by UPnP, which looked fine.
Now I did the same on the ZTE modem in the local network first:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
sudo nmap -sS 192.168.1.1 Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT Nmap scan report for 192.168.1.1 (192.168.1.1) Host is up (0.00086s latency). Not shown: 996 closed ports PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds |
The telnet port is opened that’s not good… But it would be much worse if it was also open with the public IP:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
sudo nmap -sS MODEM-PUBLIC-IP Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:11 ICT Nmap scan report for MODEM-PUBLIC-IP Host is up (0.00088s latency). Not shown: 996 closed ports PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 22.71 seconds |
Oh boy…. That’s not good at all. Can I access it from the outside?
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
telnet MODEM-PUBLIC-IP Trying MODEM-PUBLIC-IP... Connected to MODEM-PUBLIC-IP. Escape character is '^]'. F600W Login: admin Password: Password is incorrect Password: Password is incorrect Password: Password is incorrect Reached the maximum number of login, Admin authority locked 3 mins. Connection closed by foreign host. |
No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!
|
1 2 3 4 5 6 7 8 9 10 11 12 |
telnet MODEM-PUBLIC-IP Trying MODEM-PUBLIC-IP... Connected to MODEM-PUBLIC-IP. Escape character is '^]'. F600W Login: root Password: BusyBox v1.01 (2015.01.15-08:36+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. / # |
That’s huge as it means millions of modem routers can be accessed around the world with minimal knowledge, I would not even consider this a hack… Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username/password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…
|
1 2 3 4 5 6 7 8 |
curl -I MODEM-PUBLIC-IP HTTP/1.1 200 OK Server: Mini web server 1.0 ZTE corp 2005. Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Cache-Control: no-cache,no-store Content-Length: 5277 |
I don’t know if the Internet provided uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:
|
1 2 3 4 5 6 7 8 9 10 |
# mount ubi:rootfs_ubifs on / type ubifs (ro,relatime) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) /dev/mtdblock7 on /data type jffs2 (rw,relatime) /dev/mtdblock4 on /tagparam type jffs2 (rw,relatime) tmpfs on /var type tmpfs (rw,relatime,size=15360k) /dev/mtdblock5 on /userconfig type jffs2 (rw,relatime) none on /mnt type ramfs (rw,noatime,nodiratime) |
Normally, this is no problem as you can remount the root partition in read/write mode:
|
1 2 |
# mount -o remount,rw / Can't find / in /etc/fstab |
But it’s not working in this case… I’m not there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. Those are the command at our disposal:
busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binaryCurrently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget
A temporary solution is to kill telnet:
|
1 2 3 4 5 6 7 8 9 10 11 |
ps ax | grep telnet 826 root 692 S <0> telnetd 828 root 692 S <0> telnetd 829 root 692 S <0> telnetd 830 root 692 S <0> telnetd 831 root 692 S <0> telnetd 832 root 692 S <0> telnetd 833 root 692 S <0> telnetd 1068 root 472 R <0> grep telnet kill 826 |
But obviously, telnet will run again, at next boot time…
Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premise, and hopefully, they’ll be able to change the password, or disable them remotely in due time…
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
