
Default password leaves tens of thousands of Optus cable subscribers at risk

By Ben Grubb

When Alex* found a security flaw in his Optus cable modem that allowed anyone with some basic technical knowledge to receive and make calls using his phone number and to see who he called and when, his jaw dropped.

Not only did the flaw allow for his call records to be accessed and home phone to be hijacked, it also gave outsiders the potential to mess with his Wi-Fi, reset his modem and compromise his entire home computer network.

Optus has fixed a flaw that left cable subscribers vulnerable to hacking.

Optus has fixed a flaw that left cable subscribers vulnerable to hacking.

The flaw? The maligned default "admin" password.

Optus had left a back door wide open for others to remotely access Alex's Netgear CG3000v2 modem. It had not changed the manufacturer's default password to something more secure on the modem, which is also used by tens of thousands of other Optus customers, all with the same default password, which users cannot change.

The details as they appeared when logged in via SSH or Telnet. Identifiable information redacted.

The details as they appeared when logged in via SSH or Telnet. Identifiable information redacted.

Optus' own documentation warns customers against using default and dumb passwords.

It appears the flaw was left in place deliberately by Optus to administer cable modems remotely, and was overlooked by helpdesk staff when assisting subscribers. It allowed those on the Optus network, or hackers with access to a computer on the network, to access the modems remotely.

"I was actually quite shocked and I guess a little concerned because I had access to this information and I didn't know what to do with it," Alex, from Sydney, said.

"I actually contemplated picking up the phone and speaking to Optus and then I kept on thinking to myself that there's probably going to be some adverse repercussions for doing that."

Gateway to your home: a flaw in Optus cable modems allowed those with technical knowledge to gain access to it remotely. Credit: Netgear

Instead, he anonymously posted about it on Optus' community forum on March 7. When no one responded, Alex contacted Fairfax Media.

"A large organisation that offers services Australia-wide should not have this vulnerability," he said.

"Someone could write a program that could just sit there and scan and collect all of this information and build a database.

"What's stopping anyone else from doing that? Nothing. This is a real security issue."

With access to the information stored on the modem, a hacker could hijack an Optus customer's phone number and see their call history, turn off or change Wi-Fi settings, lock users out, and install malicious software on personal computers to steal data.

Australian security expert Troy Hunt said there was potential for hackers to do what "they liked" with the modem and the access.

Netgear said the remote access was left on to allow Optus staff to log in to modems remotely "for diagnosing network problems to improve customer experience".

Remote management tool

The remote management tool left with the default password in place was Secure Shell, or SSH. Such a tool is not typically needed by home internet users; it is used by those with technical knowledge to make quick changes to modems without requiring interaction with users. Another remote access tool, Telnet, was also left with the same default password.

Optus said the remote access was only used in rare cases by its staff for urgent deployment of updates to individual subscribers' modems on a case-by-case basis. It deployed a fix for the flaw on Thursday. Fairfax Media gave Optus time to secure the modems before publishing.

Why no one thought to change the default password to something more secure remains unclear, particularly given that a number of Optus staff would have had to type "admin" into a command line when administering subscribers' modems. A security review is now underway, Optus said, adding that the Privacy Commissioner would be notified.

How it was fixed

The company's fix was to use another administrative tool to update each modem's configuration and change the username and password combinations to something more complex. It knocked customers offline for about three minutes on Thursday and forced each modem to restart to enable the updated configuration.

Optus said it did not detect any peaks in SSH or Telnet traffic that would indicate the flaw had been used widely by hackers before it was fixed, but didn't rule it out.

"Optus takes privacy and security very seriously, and at this stage we have found no evidence that this vulnerability has been breached," an Optus spokesman said.

"We will be undertaking a thorough review of our processes to ensure that this type of issue does not reoccur."

Hunt said the flaw was serious and suspected Optus would likely never know for sure whether it had been used by hackers.

He recommended Optus do a full audit of all its IT systems.

"If there is something so fundamental as a default password on a large number of devices that's been rolled out to so many locations ... what other things have slipped under the radar given that there's clearly a lack of quality control going on there?" he said.

"Often it's one of those things where there's smoke there's fire."

Netgear said it did not introduce the configuration problem and added that the CG3000v2 modem was only supplied to Optus, not other telcos.

"A potential configuration vulnerability is serious but can be patched very quickly, this is not due to a bug in the product itself," a Netgear spokesman said.

*Alex is a pseudonym. He chose not to be identified for fear of legal action.


Original URL: https://www.watoday.com.au/it-pro/security-it/default-password-leaves-tens-of-thousands-of-optus-cable-subscribers-at-risk-20140403-zqprz.html