Boffin's easy remote hijack hack pops scores of router locks

Singaporean telco's customer premises equipment is a gateway to security hell


Thousands of routers mandated for use by a major Singaporean telco and operated by "top enterprises" around the world are open to a remote zero-day exploit that allows the routers to be completely hijacked and that most users cannot defend against.

Vantage Point Security senior security consultant Lyon Yang does not wish to disclose the name of the affected internet provider but says the ZHONE routers are required for subscribers to be able to connect to the service.

“When the ISP ships the router, it comes with a shitload of vulnerabilities,” Yang told Vulture South ahead of a talk at the Hack in the Box conference this week.

"I quickly found a large number of routers on Shodan from users in different countries --- some of the top enterprises use it."

"The remote hijack vulnerability is really easy to pull off."

The hack is one of seven vulnerabilities, all patched last week.

The telco concerned is, after some typical security communication failures, developing patches. Whether users have the skill to pull off the upgrade remains to be seen.

Yang says the most complex vulnerabilities of the set are two stack overflows. A remote hijack hole via the router's ping functionality is partially fixed but still exploitable as of the time of writing.

He says the ISP does not provide users with the router credentials normally required to access admin panels and update firmware, but they are stored in cleartext within a backup configuration file which users can access.

Attackers can overwrite that file to set their own arbitrary passwords, however.

Users can set the modem in bridge mode and set their own routers behind it, but they must still use the vulnerable product.

Yang says he appears to be the first researcher to examine the security of the ZHONE routers and adds that the state of SOHO security more broadly is lousy.

The penetration tester is planning on examining the "overlooked" area of internet-of-things security as Singapore undergoes its massive smart city project. ®


Biting the hand that feeds IT © 1998–2022