Backdoor Access Found in CDATA’s Chinese FTTH Broadband Kit
Chinese firm CDATA, which makes networking kit for FTTH and Hybrid Fibre Coax based broadband ISPs (often sold re-branded as OptiLink, V-SOL CN, BLIY etc.), is facing a serious problem after security researchers found 7 vulnerabilities in OLT kit including backdoor accounts that grant access to a hidden Telnet admin.
The researchers – Pierre Kim and Alexandre Torres (via Zdnet) – examined a number of Optical Line Terminal (OLT) devices from CDATA’s range of Gigabit Passive Optical Networks (GPON) kit. The vulnerabilities they discovered affect a wide range of the firm’s devices and latest firmware, including modern 10Gbps capable kit like the FD1608GS, FD1608SN, FD1616GS and FD1616SN among many others.
A total of seven very serious vulnerabilities were discovered in these devices, which included everything from a weak encryption algorithm to insecure management interfaces and credentials leaking. But by far one of the worst is the allegedly “intentionally placed” (by the vendor) existence of backdoor access with telnet. As security goes, you really can’t get much worse than this in such a key piece of hardware.
The Seven Vulnerabilities
* Backdoor Access with telnet
* Credentials infoleak and credentials in clear-text (telnet)
* Escape shell with root privileges
* Pre-Auth Remote DoS
* Credentials infoleak and credentials in clear-text (HTTP)
* Weak encryption algorithm
* Insecure management interfaces
The researchers found that a telnet server was running on the appliance, which is reachable from both the WAN interface and the FTTH LAN interface (from the ONTs). But they also discovered a bunch of (undocumented) credentials (i.e. logins and passwords) that give backdoor admin access.
The undocumented credentials seem to vary, depending upon the firmware version, but they appear to include some surprisingly simple ones (e.g. login: debug – password: debug124, login: guest – password: [empty], login: suma123 – password: panger123 etc.). The passwords are so basic that even a regular brute force attack, in our view, could probably uncover them without much effort.
Ordinarily the expectations of responsible disclose would demand that the company be informed and given time to fix the flaws before they are exposed to the public. But in this case the researchers opted for full disclosure without taking that step “as we believe some backdoors are intentionally placed by the vendor.” Yikes.
Off the top of our heads we don’t know of any UK broadband ISPs that are using CDATA’s OLTs in their networks, but that doesn’t mean to say that somebody somewhere isn’t doing so as very few operators talk openly about their suppliers. Nevertheless, it just goes to show that the current excessive focus on firms like Huawei (and ZTE before them) may come at the cost of overlooking much weaker links in the chain at other, smaller, vendors.
The vulnerabilities themselves were validated against FD1104B and FD1108SN OLTs in a lab environment with the latest firmware versions (V1.2.2 and 2.4.05_000, 2.4.04_001 and 2.4.03_000), although static analysis shows that these same issues also “appear to affect all available OLT models as the codebase is similar.” See the list below for more kit examples.
– – 72408A
– – 9008A
– – 9016A
– – 92408A
– – 92416A
– – 9288
– – 97016
– – 97024P
– – 97028P
– – 97042P
– – 97084P
– – 97168P
– – FD1002S
– – FD1104
– – FD1104B
– – FD1104S
– – FD1104SN
– – FD1108S
– – FD1204S-R2
– – FD1204SN
– – FD1204SN-R2
– – FD1208S-R2
– – FD1216S-R1
– – FD1608GS
– – FD1608SN
– – FD1616GS
– – FD1616SN
– – FD8000
We have asked CDATA for a comment and await their response.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« Virgin Media Start UK Rollout of Remote Phy to Improve Network
ISP Aquiss UK Reduces Ultrafast FTTP Home Broadband Price »
Latest UK ISP News
- FTTP (5581)
- BT (3530)
- Politics (2553)
- Openreach (2311)
- Business (2284)
- Building Digital UK (2253)
- FTTC (2050)
- Mobile Broadband (1991)
- Statistics (1799)
- 4G (1681)
- Virgin Media (1639)
- Ofcom Regulation (1472)
- Fibre Optic (1406)
- Wireless Internet (1400)
- FTTH (1382)
I have some Chinese CCTV camera’s, my router details all the internal IP’s on the network and their sessions and what external IP address’s they are with. These camera’s try to connect with IP’s either in China or Microsoft’s cloud. Set a firewall rule and they can no longer connect. Chinese phones are notorious for apps that collect data. Be warned.
Please look up correct apostrophe usage.
A lot of these cameras use a P2P cloud so you can access the device from anywhere without a static IP/port forwarding via the corresponding app.
It’s very handy but I don’t totally trust it and have it on an virtual/isolated network.
@Dr Punctuation Plz look up correct politenes’s usage.
@John H
Whilst setting up a separate VLAN(S) for insecure items is a possibility LAN side; you are a bit stuffed if the WAN is open for ‘inspection’
What is outlined here is horrendous, 101 level ‘mistakes’, but it does not surprise me in the slightest.
A lot of vendors have not real idea or care about how good security is.
In software development you start from the security framework…you don’t bolt security on afterwards. The trouble is that the devs don’t like working with security ON as it slows things down and makes debugging harder so the security tends to be ‘temporarily’ bypassed. You have to watch what is going on like a hawk and if you do not; you can kiss goodbye any real security.
It always amazes me that there is not a requirement for 3rd party security certification of all components. There are plenty of competent pen testers out there who can run quite deep testing quite easily and cheaply. Maybe a new kitemark is required….?
“as we believe some backdoors are intentionally placed by the vendor.” Yikes.
Understatement!
Not very surprising I have to say considering recent events. But it does highlight how widespread this mis-trust is towards Chinese manufactures, the government, presuming their involvement, doing all they can to spy and collect data on the rest of the world. Unfortunately far too much money is involved between the west and China for any serious repercussions to be made.
The USA/NSA have been doing this for years, revealed through leaked documents. The NSA’s “Tailored Access Operations” intercepts “servers, routers and other network gear” and installs modified firmware: https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/?comments=1
Be weird if China didn’t, what with the US having a 70 year track record of sending armies overseas for the purposes of economic imperialism. The aggressors must always be the victim, though, how else can you have a willing population.
Apparently in 2014 they asked Huawei to add backdoors and they refused, might explain the recent animosity towards them.
These backdoors are not exactly hidden. Looks more like incompetence.
Perhaps the proper ones are hidden?
They look like debugging ones left in by the developers. It’s a common problem and effect Cisco, Juniper and many others kit too.
Could easily be hidden in plain sight too.
Wow. Love the China intel ops posting here. Hi Me MSS or are you PLA?!?
Jai hoo China, they want to hack and monitor every network and sabotage where ever and when ever in the world. All those low cost Epon and Gpon deployed by local ISP and franchise of BSNL and MTNL are vunerable…
Baby, Me hack you long time
If this is a reference to Full Metal Jacket, that film was based in Vietnam.
Nice thinly veiled racism though.
You hack me long time and suck my info .I not love you long time
If this is a reference to Full Metal Jacket, that film was based in Vietnam.
Nice thinly veiled racism though.
Which is why we should design and manufacture all out own infrastructure here in the UK. If we need chip fabrication factories then build them with government money. Get the country back to work with well paid jobs.
If the final product costs more then its worth it many times over if it stops us relying on foreign equipment laden with backdoors like this example.
You want me to pay more for telecomms directly and join in the funding of the billions if not tens of billions it would require in research, development and infrastructure to build our own end to end design, prototyping and fabrication of components?
This ignoring that if it started tomorrow it would take years, if not decades, to catch up with existing technology at the bleeding edge of the private sector.
Get real. We have security auditing for a reason. We can source from multiple vendors, and do, and it is certainly possible to prevent equipment from being accessible outside a provider’s own network.
The management interfaces of these OLTs shouldn’t even have routes out to the Internet. If they do it should be through firewalls severely limiting what they may contact.
This strikes me as incredible incompetence leaving such obvious backdoors. Either their being left in after debugging or being so obvious was absurdly stupid.
Telnet. You could packet sniff what’s going on and see it in plain text. As could intrusion detection and prevention kit.
This would put us decades behind and have us spend billions for the privilege initially then billions more on an ongoing basis having to import raw materials and produce things far more expensively than we could purchase finished goods.
Probably be a bunch of other consequences from nations whose products we abruptly stop buying, and what’s the plan with regards to other equipment? Do we outright ban it?
We banning mobile phones not designed and built here too?
Oh, it’s just Telnet again. Cisco has had similar problems just to name one other vendor.
Maybe the company deliberately left it in, but why wouldn’t they change the username and password to long random strings that only they knew?
It’s easier to assume incompetence than malice, though making the Telnet WAN accessible does make it slightly more suspicious.
Given how quickly the R&D cycle has to run with all these competitors, I wouldn’t be surprised if some manager said “is it finished?” and the engineers said “well, basically, but we need to finish up a few things” and they were told to just ship the firmware already.
Now, perhaps some higher-ups decided to leave it in once they found out it was there. But I would be surprised if they even knew. This kinda stuff makes for good news cycles but random debug things get left in all the time from vendors of any country.
I would be interested in knowing what specifically the researchers found this time that made them decide it was intentional. Was it merely the country of origin, or was it some extra detail that wasn’t reported in this article?
Like, it still doesn’t exactly bode well for them that their internal auditing left these Telnet ports open, since nothing should be using Telnet anymore in lieu of SSH. And it would still make me second-guess using anything by them. But I’m just not sure I’m willing to go the extra step of saying it was intentional yet.
I’m glad to see someone else here mention telnet’s presence on other vendor kit and stating SSH as an alternative.
For the most part though I’ve seen telnet present on every vendor kit I’ve logged into from A10, Cisco, Nokia, F5, ZyXel and hundreds of others.
Telnet is not a backdoor it is just very old and not secure and the first action I must do (post unbox) is to connect and disable telnet.
If these vendors dropped telnet it would make things better but purchasers also need to ensure telnet is actively disabled. and this is the issue.
These OLTs are very very popular in Brazil among small ISPs, one can easily buy these OLT on MercadoLivre, which is the brazilian Ebay.
Unless these security flaws are built into hardware (and the past Intel cache lookaside problems are such an example) then it is the firmware/software that needs to be addressed. Since our security experts have the knowledge about (some of) the flaws then there ought to be enough information to write new, ‘GCHQ approved’, code for each generic equipment type. In effect reverse engineering the code.
But I doubt if we have enough domestic, security cleared, expertise to do this since we have mostly become appliance operators not knowing or caring what is ‘under the hood’.
Speaking as s retired B2B network engineer for a well known ISP this is a non story. Most networking kit has simple telnet access from the Factory including the make which Openreach use.
They are layer2 network termination equipment and are installed on closed RFC1918 IP space networks and are invisible to the internet. The default passwords are/should be changed on installation by the carrier. The customers layer3 device is attached to an appropriate Ethernet port.
All these devices really are, are glorified Ethernet switches, with extra networking/testing facilities.
The end user could try to break in but it would be completely obvious and cause alarms on the monitoring software that ISPs use. They are not likely to DDOS themselves.
While what the report says is correct it needs context and as it comes from an American website I suspect the fashion for China bashing it at work here.
F5 did the same last week, full remote execution vulnerability on BigIP which is installed in tons of telcos/isps/websites.
Of course you don’t point your management interfaces at the interwebs, and you change the passwords and you keep up to date on patches. But this sort of thing happens all the time with tons of different kit vendors.
Here is CDATA’s comment if you search for it
Here is CDATA’s comment if you search for it:
https://cdatatec.com/technical-statement-2/
So all this was a big nothingburger.
Thanks for inventing story around the facts.