Security Flaw Exposes Fibre Optic GPON Home Routers to Hackers UPDATE

Thursday, May 3rd, 2018 (9:33 am)

Security researchers working for VPN Mentor have tested “many random” GPON ISP routers and found that all of them were vulnerable to two newly disclosed flaws that could enable an attacker to hijack the device. Routers of this type are used by Gigabit “full fibre” (FTTH/P) broadband providers around the world.

At the time of writing full details of the two vulnerabilities – CVE-2018-10561 and CVE-2018-10562 – have not yet been published, so we do not know exactly which manufacturers’ devices were subjected to the random testing. The group used Shodan to estimate that over a million Gigabit Passive Optical Network (GPON) routers are currently affected, mostly in Mexico, Kazakhstan and Vietnam (mercifully only a very few were in the UK). Since Shodan only indexes services that are reachable from the internet, that figure counts routers whose web management interface is exposed on the WAN side, which is what makes the flaws remotely exploitable rather than a LAN-only problem.

Essentially the first flaw bypasses the device’s authentication mechanism, while the second is a command injection vulnerability that allows an attacker to execute commands on the device. The two can be chained to completely take over a router, which leaves the end user’s network open to abuse such as traffic hijacking or the loss of personal data.

VPN Mentor Statement

During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined, allow complete control of the device and therefore the network. The first vulnerability exploits a flaw in the authentication mechanism of the device. This flaw allows any attacker to bypass all authentication.

The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.

While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.

Since the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.
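
The following Python is an added illustration written for this page; it is not the router firmware and not VPN Mentor’s proof of concept. It models the two flaws as the statement describes them (an authentication check keyed on path fragments, and a diagnostic ping that passes the host parameter to a shell) beside a hardened form of each. The exempted path fragment (`images/`), the session cookie value and the `/tmp` output filename are assumptions for illustration; the page names the `host` parameter, `/tmp` and `/diag.html` but not the exact strings.

```python
"""Model of the two GPON router flaws described in the vpnMentor statement.

Added example for this page, not the vendor's code.  Nothing here touches
the network: the handlers return what the router *would* run so that the
vulnerable and hardened behaviour can be compared side by side.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

STATIC_HINT = "images/"           # assumed: path fragment the auth check exempts
VALID_SESSION = "session=abc123"  # constructed stand-in for a logged-in cookie
DIAG_OUTPUT = "/tmp/diag.out"     # assumed filename; page only says /tmp

# RFC 1123 style hostname: labels of alphanumerics/hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


# --- flaw 1: authentication bypass (CVE-2018-10561 as described) -----------
def vulnerable_is_authenticated(raw_url: str, cookie: str) -> bool:
    """Looks for the static-asset fragment in the *raw* request URL, query
    string included, so '/diag.html?images/' is treated as a public asset."""
    if STATIC_HINT in raw_url:
        return True
    return cookie == VALID_SESSION


def hardened_is_authenticated(raw_url: str, cookie: str) -> bool:
    """Only the parsed path component is consulted, and only a genuine
    static prefix is exempt; everything else needs a valid session."""
    path = urlsplit(raw_url).path
    if path.startswith("/images/") and ".." not in path:
        return True
    return cookie == VALID_SESSION


# --- flaw 2: command injection in the diagnostic ping (CVE-2018-10562) -----
def vulnerable_ping_command(host: str) -> str:
    """The shell line the diag endpoint hands to system(); the host value is
    interpolated verbatim, so ';', '`' or '|' run attacker commands.  Output
    lands in /tmp and is served back on the next visit to /diag.html."""
    return f"ping -c 4 {host} > {DIAG_OUTPUT} 2>&1"


def hardened_ping_argv(host: str) -> list:
    """Accept only an IP literal or a well-formed hostname, then build an
    argv list for subprocess.run(argv) with no shell, so metacharacters are
    never interpreted even if validation is later loosened."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"rejected diagnostic target: {host!r}")
    return ["ping", "-c", "4", host]


# --- the chain: bypass auth, then inject via the diag form -----------------
def handle_diag_request(raw_url: str, cookie: str, form_body: str,
                        hardened: bool = False):
    """Stand-in for the router's diag form handler.  Returns (status, detail)
    where detail is the command the router would run, or an error message."""
    check = hardened_is_authenticated if hardened else vulnerable_is_authenticated
    if not check(raw_url, cookie):
        return 302, "redirect to login"
    host = parse_qs(form_body).get("host", [""])[0]
    if not hardened:
        return 200, vulnerable_ping_command(host)
    try:
        return 200, hardened_ping_argv(host)
    except ValueError as exc:
        return 400, str(exc)


if __name__ == "__main__":
    # Constructed attacker request: no cookie, bypass suffix, injected host.
    attack_url, attack_body = "/diag.html?images/", "host=8.8.8.8%3Bid"
    print(handle_diag_request(attack_url, "", attack_body))
    print(handle_diag_request(attack_url, "", attack_body, hardened=True))
    print(handle_diag_request("/diag.html", VALID_SESSION, attack_body, hardened=True))
```

The hardened handler closes both holes independently: the static-asset exemption is decided on the parsed path rather than the raw URL, so a query-string suffix no longer counts, and even a logged-in user cannot inject, because the target is validated against an IP or hostname grammar and passed as a single argv element rather than through a shell. In a real fix the argv would go to `subprocess.run(argv, shell=False, timeout=...)`.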

Apparently many of the vulnerable GPON routers are made by the South Korean firm Dasan Networks, which allegedly did not respond to the researchers (possibly due to a language barrier). The question now is whether such flaws will be patched by the responsible company or companies. Router manufacturers often have fairly short support life-cycles for their devices, which can leave them without firmware updates after only a fairly short period.

UPDATE 8th May 2018

We have the following statement from Dasan.

Statement from DZS regarding authentication bypass exploit

DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.

DZS has determined that the ZNID-GPON-25xx series and certain H640-series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media. According to DZS sales records, combined with field data gathered to date, we have estimated the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.

Product History

The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.

Resolution

DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.

The DZS Commitment

DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.

2 Responses
  1. Meadmodj says:

    Probably find this on most devices if you put in enough effort.

    For those that have confidential stuff at home it really should be encrypted at rest (GDPR) but I recommend a second router/firewall for the wired PCs, storage etc. if they are that concerned. I keep streaming, Hive, Amazon Echo etc. on my red side as it is these that may be exploited in future.

    Wi-Fi is the easiest way into a home network, especially with leading ISP routers broadcasting to three houses away. If people are really really paranoid then don’t use GPON as only the up slot is discrete, download is broadcast.

    The best security as always is to keep any perpetrator guessing. You would have to be pretty important or unlucky to get hacked as a consumer. Businesses should apply the expected standards and use suitable kit.

  2. Wujek Pawel says:

    GPON terminals have been attacked (bricked) in 2017. Here is the text in Polish: http://www.telko.in/godzina-szosta-minut-dziesiec
    or
    https://niebezpiecznik.pl/post/backdoor-producenta-w-urzadzeniach-alcatel-lucent-spowodowal-olbrzymie-straty-u-wielu-operatorow-ktos-wykorzystal-go-do-zbrickowania-dziesiatek-tysiecy-urzadzen/

    Long story short: Alcatel-Lucent terminals were bricked on the 17th of October 2017. The attack vector was a poor admin password hard coded in the firmware. Alcatel-Lucent refused to fix the issue because the terminals were out of service contract; they only proposed buying new ones without giving any warranty that they are bug/feature free.

    What is interesting here is that the hacker/group gave a statement:
    https://archive.fo/PQAnU
