O2 News: this is a discussion on "Buggy home routers expose O2 customers to hijacking" within the O2User announcements forum.

#1 Kerwin (O2User Member), 01-09-09, 11:26 PM
Exchange: Peterculter Aberdeenshire
Broadband ISP: O2
Broadband Package: O2 Standard
Router: Wireless Box II

Buggy home routers expose O2 customers to hijacking

Just noticed this on TheRegister website


Buggy home routers expose O2 customers to hijacking • The Register

Buggy home routers expose O2 customers to hijacking

O2 looking into it

By Dan Goodin in San Francisco

Posted in Security, 1st September 2009 21:47 GMT

If you get your internet service from O2, there's a good chance Paul Mutton can remotely log in to your router and make configuration changes that surreptitiously allow him to access computers on your network.

That's because the UK-based ISP offers its customers free customized routers that are vulnerable to CSRF, or cross-site request forgery, attacks. Simply put, the hole allows him to log into the device using a simple web browser and a specially manipulated URL. Once connected, he can perform many if not all of the same administrative tasks an owner physically accessing the device can.

"This flaw allows remote attackers to take almost full control of the router, including stealing the wireless encryption key (even if the most advanced WPA2 setting was enabled) and forwarding external ports to internal IP addresses," Mutton, a security researcher located near the UK's Bath, wrote here.

The port-forwarding bit makes it easy for an attacker to intrude into a user's home network by burrowing into a computer, set-top box, or other device that would otherwise be protected by the router's firewall. Interlopers can probably do other things, including changing the domain name system server to one that silently redirects users to rogue websites that masquerade as a legitimate bank, e-commerce site or search engine.

The flaw resides in two custom-built devices O2 gets from router manufacturer Thomson. Both the TG585n, and the TG585, known respectively as the O2 Wireless Box III and the O2 Wireless Box II, suffer from the bug. Subscribers of other ISPs that use the device are also likely to be exposed to the same threat.

An O2 spokesman said: "We have been notified of a potential security issue with the O2 Wireless box routers. We take this issue very seriously and are investigating it with the router manufacturer, Thomson. We thank Mr Mutton for bringing it to our attention."

Mutton said that's a far cry from the statements O2 support people gave him over the past week when he tried to bring the vulnerability to their attention. According to the blow-by-blow he provided, they told him the devices were "secured to a standard that is acceptable for home use" and that the provider was "under no obligation to supply you with a different router."

Routers and other low-cost devices that come with web interfaces have long been known to be vulnerable to a wide variety of attacks. Routers seem to be the low-hanging fruit, with bugs having been found in gear made by Linksys and Netgear and devices provided by BT on multiple occasions. ®

#2 Saturday (Super Moderator), 02-09-09, 10:10 AM
Broadband ISP: O2
Broadband Package: O2 Premium
Router: Netgear DG834GT

Thanks for bringing this to everyone's attention

My strong recommendation is that users of an O2 Box follow the advice I gave almost a year ago in the O2 Box guide you'll find in our tutorial section:

Quote:
Originally Posted by Saturday
Accessing the Box

The router admin pages can be accessed via http://192.168.1.254.

To quote O2, "when you first receive your O2 wireless box it is set to a default username and password to allow you quick and easy access without any need for additional usernames and passwords".

This means access to the Box is wide open so you are strongly recommended to set a password to restrict access.

To do this go to "User Management" and next to Administrator choose "Change my password". You'll now be presented with three blank fields. In the first "Old Password" leave it blank, in the other two type your new password. After confirming you'll then be asked to enter your username and password. These will now be Administrator (note the capital A) and the password you've previously entered.

Simply setting up password access to your router's admin interface will substantially reduce your vulnerability to this apparent exploit. Further measures can be taken but they are fairly technical and shouldn't be attempted unless you are confident with what needs to be done and the risks involved.

O2 are reportedly working with Thomson on a fix.

#3 Tony1044 (O2User Member), 02-09-09, 01:30 PM
Broadband Package: Business package + free static IP

I couldn't see where it stated the malformed URL requires a password? But I was skim-reading so apologies if I missed it.

Again - a multifaceted approach is required for security.

Patch everything, run up to date antivirus and antispyware + firewalls on all connected machines.

One of the first things I do with a new router is change its default IP range/username/password.

But again, I'm guessing this might not be enough to protect against this specific attack?
__________________
I don't actually know much about xDSL, but I do know quite a bit about Microsoft technologies, particularly things like Exchange and Active Directory.
I'm happy to try and help where I can, so drop me a line.
www.o2user.co.uk forums rock!

#4 Saturday (Super Moderator), 02-09-09, 05:27 PM
Broadband ISP: O2
Broadband Package: O2 Premium
Router: Netgear DG834GT

As far as I can determine, if an Administrator password is set, any attempt to exploit this flaw will result in the router login box being displayed. Whereas, if left as O2 supply it, you're straight in.

The "discoverer" of the exploit says at the end of his write-up:

Quote:
O2 Broadband customers can mitigate the risk of attack by enabling authentication on their router's HTTP configuration interface

Of course, a more complete solution would be to also change the router IP address, remove the default support accounts and remove the default services that are open on the web-facing interface of the router - but not that straightforward to do for non-technical customers.

Last edited by Saturday; 02-09-09 at 05:38 PM.
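
Added example (not from the thread, The Register's article or the router's firmware): a toy model of a router admin interface showing the behaviour discussed in the posts above, where a box without a password accepts a request forged by another site, a password turns that into a login prompt, and origin and token checks still matter while the owner is logged in. The `Request` and `Router` classes, the `/forward` path and `other-site.example` are assumptions made for illustration; only `http://192.168.1.254` comes from the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field, replace

ROUTER_ORIGIN = "http://192.168.1.254"  # admin address quoted in the thread

@dataclass
class Request:  # constructed model of what a browser sends
    method: str
    path: str          # hypothetical path, not the real firmware's
    origin: str = ""   # Origin header the browser adds
    session: str = ""  # cookie the browser attaches automatically
    token: str = ""    # per-session anti-CSRF form field

@dataclass
class Router:  # toy admin interface, assumed behaviour only
    password_set: bool
    csrf_checks: bool = False
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token
    applied: list = field(default_factory=list)   # settings changes accepted

    def login(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def handle(self, req: Request) -> int:
        if self.password_set and req.session not in self.sessions:
            return 401  # login box shown, nothing changes
        if self.csrf_checks:
            if req.method != "POST":
                return 405  # settings never change via a bare URL
            expected = self.sessions.get(req.session)
            if (req.origin != ROUTER_ORIGIN or expected is None
                    or not hmac.compare_digest(expected, req.token)):
                return 403  # cross-site origin, or token missing or wrong
        self.applied.append(req.path)
        return 200

def run_scenarios() -> dict:
    forged = Request("GET", "/forward?port=8080", origin="http://other-site.example")
    open_box, pw, hard = Router(False), Router(True), Router(True, csrf_checks=True)
    out = {"as_supplied": open_box.handle(forged), "password_no_session": pw.handle(forged)}
    out["password_logged_in"] = pw.handle(replace(forged, session=pw.login()))
    sid = hard.login()
    out["hardened_forged"] = hard.handle(replace(forged, method="POST", session=sid))
    owner = Request("POST", forged.path, ROUTER_ORIGIN, sid, hard.sessions[sid])
    out["hardened_owner"] = hard.handle(owner)
    return out
```

The `password_logged_in` case returns 200 because the browser attaches the owner's session to the forged request, which is why a password reduces the exposure without replacing a firmware fix.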

#5 Tony1044 (O2User Member), 09-09-09, 10:45 AM
Broadband Package: Business package + free static IP

Just received an email from O2:

O2 Broadband service message

Dear Tony,

We’ve been told about a security problem that could affect your O2 Wireless Box.

The problem could let people change your router settings, which could change how it works.

What we'll do

We’ll set up a password automatically to protect the settings on your O2 Wireless Box. You don’t need to call us to do anything. You’ll only need it if you want to change the settings. (In most cases, you’ll probably never need it.)

The password will be the 11 digit alphanumeric serial number on the bottom of the O2 Wireless Box. The serial number has an “SN” in front of it e.g. “CP0739JTXV3” and a 2 digit code in brackets after it. Here’s how to change it (if you would like to)

Nothing else changes

We won’t change any other settings on your O2 Wireless Box. (The password you use to connect wirelessly to your O2 Wireless Box will stay the same.)

We apologise for the inconvenience, and we’ll do everything we can to keep the disruption to a minimum.

Kind regards,

O2 Broadband Team

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks O2...does that mean the passwords that I've set myself are going to get blitzed and that I'll have no remote access for the next fortnight whilst I'm in Belgium if I want to change anything....?

Oh well. At least they took the issue seriously and acted.

#6 jemmy (O2User Member), 09-09-09, 11:25 AM
Broadband Package: Other ISP

Got a similar email myself. In fact, I have had the administrator password changed from day one, but twice in the last week the router would not let me log in at all and I had to do a factory reset and then reconfigure with a new password. I am getting worried about this now and planning to change to my own router.

#7 Tony1044 (O2User Member), 09-09-09, 12:05 PM
Broadband Package: Business package + free static IP

Same. I changed the password, IP range and reset the admin and superuser accounts (plus added my own).

It'll be interesting to see if they've blown all my own settings away.

#8 Saturday (Super Moderator), 09-09-09, 07:37 PM
Broadband ISP: O2
Broadband Package: O2 Premium
Router: Netgear DG834GT

If you remove O2's accounts then I wonder if it would still be possible for them to access the router? Shouldn't be.

#9 Tony1044 (O2User Member), 09-09-09, 07:53 PM
Broadband Package: Business package + free static IP

I wouldn't be surprised if there was a 'back door' user that is programmed into the firmware.

#10 Tony1044 (O2User Member), 14-09-09, 09:11 AM
Broadband Package: Business package + free static IP

Didn't you post a reply to this, Saturday? And if you did...where'd it go? Or is it just my browser playing silly beggars? Or my memory, for that matter? lol

Just for an update...seems they must keep something of a back door, because I didn't have the standard SU or Admin accounts (I used the clear users command in the CLI some time ago) and yet they've managed to do the update...and at the same time completely lock me out of the damn thing until such a time as I get back to the UK.

Wanted to add a FW rule but no Telnet access and no Web Interface access...thanks O2....lol
All times are GMT.