Update Telstra has patched a vulnerability that could have seen regional Australians suffer interception of their internet connections through a remotely-exploitable vulnerability in a series of wireless terminals the nation's dominant telco deploys under its universal service obligation.
Melbourne security researcher Tim Noise (@dnoiz1) says he reported the flaws to Telstra late last year after an initial report in 2013 landed on deaf ears. Noise understands a patch has since been developed.
A Telstra spokesperson says the flaws were quietly fixed in 2014.
The fixed wireless Calyptech terminals are distributed across remote areas linked to small solar panel stations where fixed line access cannot be delivered to homes.
Noise demonstrated at the Ruxmon security meetup in Melbourne last Friday how the devices could be popped over the internet if an attacker had a Telstra SIM.
"If we were internet bad men we could easily use advanced payloads and UDP broadcast this attack across the wireless 3G network to attack all the units at the same time," Noise says.
"You can dial 1900 numbers for profit, setup botnets, and other bad things."
A Calyptech station.
"If you were a customer, or client-sided (attacked) one customer who lived in the bush, from there you can connect to that one (Calyptech) box and from there connect to all of the boxes."
At Ruxmon, Noise walked security folk through his reverse-engineering process and detailed the various hardware and services in use and the attempts to secure the devices.
He points to some poor programming choices that allowed his exploit to run. He says the device's removal media makes gaining root easy, adding that the password is also printed on the circuit board.
The Linux-based devices offer telephony and broadband services, 3G and LTE backhaul, and are deployed in clusters.
Noise began examining the devices in an effort to remotely reboot them to save technicians having to travel out to remote areas when faults occurred.
He understands a "few thousand" devices are in use. ®