Eir, Ireland's largest ISP, has tens of thousands of customers with insecure ADSL2+ modems that appear to be vulnerable to remote takeover.
Earlier this month, a security researcher writing under the name "kenzo" has posted a proof-of-concept exploit that demonstrates how an attacker might take control of an Eir D1000 modem.
The ZyXEL-built Eir D1000 [PDF] comes with an open TCP port, 7547, which is used by the CPE WAN Management Protocol to manage the modems on Eir's network. According to kenzo, the modem includes a TR-064 server for LAN-based configuration, to allow ISPs to set up software on the device. It's not supposed to be accessible from the internet, but apparently it is.
TR-064 commands can be used, among other things, to fetch Wi-Fi security keys and to set up an NTP server that disables the modem firewall, thereby opening the administration interface on port 80.
"By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall," kenzo's post says. "This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the Wi-Fi password. This is easily obtained with another TR-064 command."
A compromised modem could be used to attack other devices on the network or as part of a botnet.
Last week, posting under the Twitter handle "Bobby 'Tables", Darren Martyn, a security researcher with Insecurety.net and former LulzSec hacker, appeared to confirm the vulnerability.
A search [login required] using the Shodan vulnerability search engine suggests there are presently 63,828 vulnerable devices in Ireland, 62,251 of which are associated with Eir. This is down from about 100,000 previously, according to kenzo.
The Register sent inquiries to Eir but has not heard back.
According to kenzo, two other Eir modems are vulnerable to the "Misfortune Cookie" vulnerability (CVE-2014-9222), ZyXEL models P-660HN-T1A_IPv6 and P-660HW-T1.
kenzo observes that back when Eir went by Eircom, the company used Netopia modems that blocked port 7547 except for IP addresses assigned to its own management servers. Had the company done so for its D1000, the vulnerabilities would not have been exploitable. ®