Telstra's bush broadband boxes bugged, bashed, botted

Big T slings patch at man-in-the-middle diddle.

Update Telstra has patched a vulnerability that could have seen regional Australians suffer interception of their internet connections through a remotely-exploitable vulnerability in a series of wireless terminals the nation's dominant telco deploys under its universal service obligation.

Melbourne security researcher Tim Noise (@dnoiz1) says he reported the flaws to Telstra late last year after an initial report in 2013 landed on deaf ears. Noise understands a patch has since been developed.

A Telstra spokesperson says the flaws were quietly fixed in 2014.

The fixed wireless Calyptech terminals are distributed across remote areas linked to small solar panel stations where fixed line access cannot be delivered to homes.

Noise demonstrated at the Ruxmon security meetup in Melbourne last Friday how the devices could be popped over the internet if an attacker had a Telstra SIM.

"If we were internet bad men we could easily use advanced payloads and UDP broadcast this attack across the wireless 3G network to attack all the units at the same time," Noise says.

"You can dial 1900 numbers for profit, setup botnets, and other bad things."

A Calyptech station.

A Calyptech station.

"If you were a customer, or client-sided (attacked) one customer who lived in the bush, from there you can connect to that one (Calyptech) box and from there connect to all of the boxes."

At Ruxmon, Noise walked security folk through his reverse-engineering process and detailed the various hardware and services in use and the attempts to secure the devices.

He points to some poor programming choices that allowed his exploit to run. He says the device's removal media makes gaining root easy, adding that the password is also printed on the circuit board.

The Linux-based devices offer telephony and broadband services, 3G and LTE backhaul, and are deployed in clusters.

Noise began examining the devices in an effort to remotely reboot them to save technicians having to travel out to remote areas when faults occurred.

He understands a "few thousand" devices are in use. ®

Broader topics

Other stories you might like

  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022