
Millions of Routers Supplied by Broadband ISPs Vulnerable to TR-069 Hackers

Monday, August 11th, 2014 (7:57 am) - Score 10,917

A team working for Check Point Software Technologies has warned that the TR-069 (CWMP) remote management protocol is vulnerable to a variety of potential exploits. The protocol is commonly enabled in broadband routers supplied by ISPs and helps the provider to keep your device updated with the latest firmware or to perform various other tasks (e.g. diagnostics).

Readers of ISPreview.co.uk will have noted a distinct rise in the number of security scares about home broadband routers over the past 12 months, with several focusing on devices sold or supplied by ISPs in the United Kingdom. But one of the areas that often causes the most concern is whether or not hackers could abuse the common TR-069 remote management protocol.

The TR-069 protocol is nothing new, with both big ISPs like BT, TalkTalk and even some smaller providers often using it to keep your hardware up-to-date or for diagnostic purposes. The protocol can also be used to manage more sophisticated services, such as VoIP. But so far, despite a few specific security scares for certain devices, TR-069 hasn’t caused too many problems.

Unfortunately that could be about to change after Check Point’s team uncovered a number of “critical zero-day vulnerabilities” that could have resulted in the “compromise of millions of homes and business worldwide” through flaws in several TR-069 server implementations. Hackers could use such flaws to steal personal data, infect your device with malware, disrupt your service and carry out any number of other nefarious activities.

Shahar Tal, Team Leader at Check Point, said:

“Check Point’s mission is to keep one step ahead of malicious attackers. The security flaws uncovered in TR-069 implementations could have resulted in catastrophic attacks against Internet Service Providers and their customers across the world. Our Malware and Vulnerability Research Group continues to focus on uncovering security flaws and developing the necessary real-time protections to secure the Internet.”

An “alarming number” of ISPs and their TR-069 servers (Auto Configuration Servers) are said to be “insecure” and thus vulnerable to remote takeover. The details of several flaws were revealed on Saturday at the annual DEF CON conference in Las Vegas (USA) and some were quite surprising.

For example, the TR-069 specification calls for the use of HTTPS (i.e. SSL secure encryption) between the ISP’s ACS server and the remote customer’s router, but some ISPs didn’t even bother to secure this and simply used HTTP. Meanwhile a few that did use HTTPS were also found to be open to certificate validation flaws, which could allow a man-in-the-middle to spoof the ACS.
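As an added illustration (not taken from Check Point’s research or from the original article), the Python sketch below classifies a router’s management profile by the weaknesses just described: plain HTTP to the ACS, no certificate validation, or chain validation without a host name check. The fleet, host names and finding labels are constructed for the example, and Python’s `ssl` module stands in for the router’s TLS client.

```python
import ssl
from urllib.parse import urlsplit

def hardened_context():
    """Verify the ACS certificate chain and match it to the host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def chain_only_context():
    """Weak: any certificate from a trusted CA is accepted for any host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def unverified_context():
    """Weak: the ACS certificate is not validated at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_profile(acs_url, ctx):
    """Return the transport findings for one CPE management profile."""
    if urlsplit(acs_url).scheme.lower() != "https":
        return ["plaintext-transport"]   # TLS settings are never used
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings

# Constructed sample fleet: name -> (ACS URL, TLS client settings).
SAMPLE_FLEET = {
    "cpe-a": ("https://acs.isp.example/cwmp", hardened_context()),
    "cpe-b": ("http://acs.isp.example/cwmp", hardened_context()),
    "cpe-c": ("https://acs.isp.example/cwmp", chain_only_context()),
    "cpe-d": ("https://acs.isp.example/cwmp", unverified_context()),
}

def audit_fleet(fleet):
    """Map each device name to its list of findings (empty means clean)."""
    return {name: audit_profile(url, ctx) for name, (url, ctx) in fleet.items()}

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, findings or "ok")
```

Only the first profile is clean; the `hostname-not-checked` case is the one that lets a certificate issued for an unrelated host pass as the ACS.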

A number of ACS software solutions (e.g. GenieACS), which are used by ISPs to manage the communication with their TR-069 capable end-user routers, were also discovered as being open to several remote code execution and other vulnerabilities. In fact one solution was apparently so bad and widely used that Check Point chose not to name it until all of the holes had been plugged because hundreds of thousands of people around the world could be affected.

Sadly, ISPs that enable TR-069 often hide or disable access to the router’s related management settings, which means that you couldn’t disable it even if you wanted to (unless you’re comfortable hacking the firmware and most people won’t be). At the same time disabling TR-069 on a pre-configured ISP router carries other risks since the provider might struggle to keep your hardware updated against separate security threats or to resolve separate network/hardware issues.

It’s hoped that Check Point’s report will act as a catalyst and encourage ISPs to ensure they’re using the best practice for TR-069 and have the most secure implementations possible. Just to put this in some perspective, the Broadband Forum recently celebrated ten years of TR-069 and a projected 250 million devices managed via the protocol.

4 Responses
  1. adslmax says:

    How many UK ISPs are vulnerable?

    1. Mark Jackson says:

      Sadly no easy way to answer that unless the full details of this research are published, which can then be used to match against what we know about the various ISPs. I am looking into this ATM though but so far not much luck for obvious reasons.

  2. Darren says:

    I’m just going to disable TR-069 now, unlocked the modem years ago so will only take two seconds to log in and switch it off.

    If you check the usual broadband based forums you will know when a new firmware is being pushed out, then you just got to wait for someone to acquire and unlock it before flashing it on yourself.

    ISPs should be held to account by the government if these modems/routers supplied en masse are insecure, it’s a matter of national security.

  3. Hunterkiller says:

    Just a bunch of crap – there are many more security flaws in other management protocols – like telnet/SSH ports listening on WAN side with default admin passwords which should be taken care of that the TR069 are a small, little flaws. These protocols are much less secure because they are not standardized and you can get all passwords from there in plain text – TR069 at least has some write only fields preventing getting SIP passwords secure. The other thing is that you can usually get the config file and see passwords in there if they are not obfuscated. Run nmap and see how many routers have open management ports.
