Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password

I’ve just read an interesting article entitled “who makes the IoT things under attack“, explaining that devices connected to the Internet such as router, IP cameras, IP Phones, etc.. may be used by Botnet to launch DDoS attacks, and they do so using the default username and password. So you may think once you’ve updated the firmware when available, and changes the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH trying a bunch of default username and password.

That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country I live, so there may be hundred of thousands or millions of such modems in the country with the same default settings.

zte-zxhn-f600wI’ve started by scanning the TP-Link router in the local network:


UPnP and the web interface ports are open, plus an extra post likely opened by UPnP, which looked fine.

Now I did the same on the ZTE modem in the local network first:


The telnet port is opened that’s not good… But it would be much worse if  it was also open with the public IP:


Oh boy…. That’s not good at all. Can I access it from the outside?


No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!


That’s huge as it means millions of modem routers can be accessed around the world with minimal knowledge, I would not even consider this a hack… Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username/password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…


I don’t know if the Internet provided uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:


Normally, this is no problem as you can remount the root partition in read/write mode:


But it’s not working in this case… I’m not there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. Those are the command at our disposal:

busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget

A temporary solution is to kill telnet:


But obviously, telnet will run again, at next boot time…

Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premise, and hopefully, they’ll be able to change the password, or disable them remotely in due time…

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard

45 Replies to “Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password”

  1. As a general rule I never, ever trust a device I don’t have complete control over… including integrated routers from ISPs. Almost all of them have a “bridge” mode where the firewall/router is turned off and they just shuffle packets between the cable/dsl/fiber and the Ethernet port. You can then put a firewall you control behind it and not have traffic double NAT’ed. Most often the ISP’s won’t tell you about bridge mode or how to enable it but a fair amount of digging will turn it up. This doesn’t solve the problem of the cable modem being turned into a DDoS zombie but it at least makes your network a bit safer.The one thing I have noticed happening more often now is ISPs doing NAT’ing at their perimeter firewall, so you get a NAT’d IP no matter what you do. Most ISPs doing this are selling it as a security feature (which I kind of buy for less technically inclined people) and will usually give you a routable IP if you call up and ask.

  2. I get different port states if I scan my pubblic IP
    from LAN or from an online service, ie.
    from LAN:
    Not shown: 997 closed ports
    PORT STATE SERVICE
    80/tcp open http
    8200/tcp open trivnet1
    20005/tcp open btx

    from outside:
    80/tcp filtered http

    80/udp open|filtered http

    8200/tcp filtered trivnet1

    20005/tcp filtered btx

    scary results anyway, since I still can’t determine what trivnet and btx are…

  3. @cnxsoft
    Well, I really hope that it’s not exhaustive but you could double check on Shodan and Censys. At least it should be obvious that finding vulnerable devices is as easy as taking them over especially if you can already rely on a botnet doing the job.

    Given the actual trend to connect each and every IoT crap to various clouds from where access to other IoT devices assigned to the same account is possible this will get even more funny in the (not so distant) future.

  4. I also take the extra step of filtering outbound traffic for IoT devices, a lot of them do things they’re not telling you about or ignore directives you give them. For example, we have a Foscam webcam in our toddlers room. It was ignoring the assigned DNS server (regardless of manual or DHCP IP settings) and contacting it’s own. It was also trying to register with their dynamic DNS service even when you told it not to. It can get to be a pain to manage, especially for IoT devices that do need to access the internet (e.g. we have a home automation setup) but you don’t really have a choice if you want any semblance of security.

  5. from what i understand, the main problem isn’t the iot devices themselves (don’t get me wrong, they’re still a problem as long as you’re concerned about security/privacy/etc…)
    the main problem comes from all those ISPs who can’t even configure a firewall correctly!

    and this problem exists since a very long time :
    as an example, you’d be surprised to know how many network printers are accessible from everywhere

  6. @cnxsoft
    telnetd is sooo boring since it allows only virtual access to a device. Better search for dumb people using ‘smart locks’, get into their IFTTT or SmartThings or whatever cloud account and have physical access to their home.

  7. And this is why I asked my service provider to put my cable modem/router combo into bridge mode so I can use my own router…

  8. It remembers me the security hole in the Belgacom Box 2:

    http://www.zoobab.com/bbox2

    Login/Password was the same for all the boxes open in telnet on the private interfaces (LAN and WLAN), and at the days, the default settings of the main provider were an open SSID.

    So you could become root on the router from the street if the SSID was open.

    Some student named “Vendetta” made a tour of Brussels, stole all the PPP crendentials that were stored on some config file on the box, and threatened Belgacom to publish more credentials if they were not changing their data quota policy.

  9. @thesandbender
    Actually most of the people who visit my page about the Belgacom Box 2:

    http://www.zoobab.com/bbox2

    Search on how to put in in bridge mode.

    I worked in a company where the Belgacom engineers were putting the “entreprise” version of it on bridged mode, because the router was falling apart when there were too many NAT sessions, so they were installing the router in bridged mode, with another router next to it 🙂

  10. As I can see in your busybox output, you have wget available, so it would be easy to load some static binary from /tmp/.

    Can you do a cat /proc/cpuinfo?

  11. @zoobab

  12. @nobe
    ISPs’ problems? How and why?

    Why would my ISP decide what ports I need to access from the outside? Maybe I need a telnet connection to one of my legacy servers (TIP: telnet was used before SSH to remote-admin servers).
    Secondly, maybe I have secured it and want to access my network printer directly. Again, why should my ISP decide?

    No, it’s not an ISP issue. It’s a user’s issue (lack of awareness) + manufacturer’s lack of interest. They both need to be responsible with what they do online (as with what they do offline)

  13. The sad part about this is while everybody discusses the ins and outs, somebody will see this as a business opportunity to sell a service or product to stop it. Aimed at uneducated folk like me.

  14. @Theguyuk
    To stop what?

    DDoSing has been problematically for years; and there are businesses that already sell this.
    Firewalling has been implemented since early days of servers/networking; and there are businesses that already sell this.

    There is nothing new about this. It’s just how networks&devices work since TCP/IP and UDP have been implemented (25+ years).

    So… what’s new?

  15. @The Dex
    In away that highlights my point. Technical able people already know this but lots of non technical users don’t have a clue. They just assume, expect everything is safe. Lots of people still don’t have a firewall or run virus software. They just use the software and hardware and never consider risks. They drive sales just by consuming.

    You can consider we have never been here before with so much connected devices.

    Slightly off topic but the Hola VPN app story shows how easy to exploit peoples devices can be. Then you have Rooting, Jail breaking devices and Kodi addons with their security risk. Many here are technical aware but a lot of readers also just come for CNX-Softwares product reviews before buying. They find the security issues to technical as its not their field, job or interest.

  16. I’m confused, how this problem could be solved without flashing OpenWrt ? I’ve seen many Tenda routers affected with similar problem, and they don’t support OpenWrt.

  17. @Arnab
    The routers are still running Linux, so you could change the password, or better change the config files to disable telnetd.
    My only problem is that I don’t seem to find a way to switch the rootfs to read/write mode.

  18. There are routers supplied by broadband companies that will not accept any other software, EE and SKY for instance. I have several old SKY modems that you cannot change firmware and a EE modem with same problem. So how would home users secure them.

  19. @cnxsoft
    Busybox 1.01 (from 2005, so they used a 10 years old version…) mount wants two parameters, even on a remount, or it looks in fstab.
    try : mount -o remount,rw,relatime ubi:rootfs_ubifs /

  20. @Theguyuk
    I do agree with you!

    So, from your point-of-view, how would you proceed? Or what would you want to be done? One thing I do not “universally” agree: driving sales. There are companies that are inflicting serious costs out of this.

    Take the Mirai botnet (although is not the only one – there are several variants “lurking” around, dedicated to ARM-based/embedded devices): this can hit SMEs and leave them in total digital-blindness. And same goes to bigger ones too.

  21. @cnxsoft
    We’re open to investigate and propose a solution, if there is one available (and I do think that at least one should be available).

    Since we don’t have direct access to the devices you are using we can’t say that it’s gonna work 100%, but we can try. 🙂

  22. @hwti
    I managed to re-mount it in read/write mode using:

    It did work:

    But for some reasons changing the password did not work:

    And interestingly, trying to access /etc/ directory will always hang the telnet session…

  23. @cnxsoft
    OK.. I know why /etc/ is not accessible… /dev/mtdblock3 is not the right partition… Somehow that bricked my modem router… I’ll have to buy a new one, as I don’t expect the firmware (and instructions) to be available…

  24. @The Dex

    That is a hard question to answer. Out of the box, secure by design for manufactures of modems is part of the answer but that would need to be a requird industry standard.

    For older modems whats possible? Can you make a cheap inline filter, something to block attacks on hardware you cannot change or flash. A hardware gate keeper, is that even possible?

  25. @theguyuk
    Usually there is the possibility to modify the firmware and “patch” the backdoor – for example, close the telnet service/change the interface where it is listening or change the default passwords (depends on some factors, of course).
    If the router provides firewalling, maybe there is a possibility to default enable firewalling of those services or port forwarding them to a sinkhole.

    Fact is that most of these devices use OpenSource solutions; and the sources should be available, as per license requirements. But, besides some serious manufacturers that take note of this, many don’t. But, again, they can be legally obliged.

    Oh well…

  26. @zoobab
    I did try to open it but I would have had to force it a bit… So I waited, and got a new modem router replacement for free since we applied less than a year ago. The telnet port is still open in the new unit (same root password), but I’m not going to mess with it…

  27. cnxsoft :
    The tricky part might be to find their IP addresses

    That’s the most easy part and it’s already mentioned how they did that: Using Shodan you can search for any type of (vulnerable) device. And this is not the only specialiced search engine for the Internet of Sh*t (critical infrastructure connected to the net with default passwords or no authentication at all). Censys is a known alternative and zoomeye.org gets more and more popular even if westerners have their trouble with the Chinese UI.

  28. @cnxsoft
    But even if such devices or Linux distros targeting IoT devices would force their users to change the passwords due to the code base containing flaws that are easily exploitable it might not change that much. Way too much enabled services, outdated code, unpatched kernels (with root exploits available like Dirty COW) lead to a large attack surface

    BTW: regarding Dirty COW at least Armbian users are save after doing an ‘apt-get upgrade’: http://docs.armbian.com/Release_Changelog/

Leave a Reply

Your email address will not be published. Required fields are marked *

Boardcon Rockchip and Allwinner SoM and SBC products
Boardcon Rockchip and Allwinner SoM and SBC products