Your connection may be fast. So? Hackers won’t care.
At least 28 backdoor accounts and several other vulnerabilities have been discovered in the firmware of a popular FTTH ONT router, widely deployed across South America and Southeast Asia.
FTTH ONT stands for Fiber-to-the-Home Optical Network Terminal. These are devices fitted at the subscriber end of an optical fiber line; their role is to convert the optical signal carried over the fiber into conventional Ethernet or wireless (WiFi) connectivity.
FTTH ONT routers are usually installed in apartment buildings or inside the homes or businesses that opt for gigabit-type subscriptions.
Security researcher Pierre Kim said he identified a wide range of security issues in the Fiber Home HG6245D and Fiber Home RP2602, two models of FTTH ONT router developed by Chinese manufacturer Fiber Home Networks.
The report describes both positive and negative findings for the two router models and their firmware. On the positive side, neither device exposes its management panel on the external IPv4 interface, which rules out attacks against the web panel from the internet over IPv4. Furthermore, the Telnet management feature, which is often abused by botnets, is disabled by default.
However, Kim says Fiber Home engineers apparently did not apply the same protection to the routers’ IPv6 interface. He notes that the device firewall is active only on the IPv4 interface and not on IPv6, giving threat actors direct access to all of the router’s internal services as long as they know the device’s IPv6 address.
Kim detailed a long list of backdoors and vulnerabilities he discovered on the devices, which he claims attackers could abuse to take over ISP infrastructure, including:
- A backdoor mechanism allows an attacker to use the device’s MAC address to open a Telnet connection to the router by sending a specially crafted HTTPS request (`https://[ip]/telnet?enable=0&key=calculated(BR0_MAC)`).
- Passwords and authentication cookies for the admin panel are stored in clear text in HTTP logs.
- The management interface is secured with a hardcoded SSL certificate stored on the device, which can be extracted and used for MitM and other attacks.
- The web server (management panel) includes a list of 22 hardcoded credentials, which Kim believes were added for, and are in use by, different internet service providers.
- The firmware also includes hardcoded credentials for managing the device via the TR-069 protocol.
- There are also credentials in the web server binary that are stored encrypted; however, the XOR key needed to decrypt them is in the same binary, rendering the encryption useless. As Kim notes, this is the same XOR key used in the firmware of C-Data devices, which were affected by similar backdoor issues.
- A hardcoded root password for a Telnet server is also included. This server is disabled by default, though.
- The firmware also includes different sets of hardcoded credentials for a low-level Telnet account. Kim found four.
- A privilege escalation vulnerability in the Telnet daemon allows attackers to escalate their privileges to root level.
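The two findings above that matter most to an ISP defender are the IPv6-only exposure of internal services and the `/telnet?enable=` backdoor request. The following is an added example (not code from the report or the vendor) of detection logic an operator could run over the device's or a reverse proxy's HTTP access logs to flag attempts to toggle the Telnet backdoor and note whether they arrived over IPv6; the log lines and the `key=` value are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Common Log Format (not real device logs).
# The key value is a placeholder; the real key is derived from the BR0 MAC address.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2021:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1024
2001:db8::1 - - [14/Jan/2021:09:12:05 +0000] "GET /telnet?enable=0&key=PLACEHOLDER HTTP/1.1" 200 12
192.0.2.20 - - [14/Jan/2021:09:13:09 +0000] "GET /telnet?enable=0&key=PLACEHOLDER HTTP/1.1" 403 0
2001:db8::2 - - [14/Jan/2021:09:14:00 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    status: int
    via_ipv6: bool  # True when the request came in over the unfiltered IPv6 side


def is_backdoor_toggle(path: str) -> bool:
    """Match the documented /telnet endpoint whenever the query carries enable=."""
    base, _, query = path.partition("?")
    return base == "/telnet" and "enable=" in query


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per request that targets the Telnet-enable backdoor."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_backdoor_toggle(m["path"]):
            continue
        try:
            via6 = ipaddress.ip_address(m["src"]).version == 6
        except ValueError:
            via6 = False  # hostname or malformed address; treat as unknown family
        findings.append(Finding(m["src"], m["ts"], m["path"], int(m["status"]), via6))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {'IPv6' if f.via_ipv6 else 'IPv4'} {f.path} -> {f.status}")
```

A 200 response to such a request is the higher-priority alert, since it indicates the backdoor was accepted rather than rejected.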
Kim said he found these issues in January 2020 and notified the vendor. He could not determine whether any of the bugs have been patched, as he has not tested newer firmware versions since then.
Furthermore, the researcher warns that the same backdoor and vulnerability issues could also affect other Fiber Home models, because vendors tend to reuse, or only slightly modify, firmware across different product lines.
Written by: Unknown Author, Cyber Security Student at SLIIT