A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins.
Experts from the Carnegie Mellon CERT discovered that a number of home routers from various vendors come with hard-coded credentials that could be used to hijack the devices.
On Tuesday, the CERT at the Software Engineering Institute at Carnegie Mellon University issued an advisory confirming the serious security issue in the home routers and invited organizations to write firewall rules that block telnet and SNMP on the device as a temporary measure to mitigate the threat.
“A remote attacker may utilize these credentials to gain administrator access to the device,” states the CERT advisory.
The list of vendors includes ASUS and ZTE in Asia, and Digicom, Observa Telecom, and carrier Philippine Long Distance Telephone (PLDT). All the devices analyzed by the researchers use “XXXXairocon” as the default telnet password, where “XXXX” is the MAC address of the home router. All the home routers except the PLDT devices have admin as the default username, while the PLDT username is adminpldt.
“The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.”
According to the researchers the affected home routers are:
Unfortunately, all the devices are still unpatched; while waiting for a firmware update, the CERT recommends blocking the telnet and SNMP ports.
“Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device,” suggests the advisory.
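As an added example (not part of the CERT advisory or this article), the following script checks whether the interim fix has actually been applied on a Linux-based gateway: it walks an iptables-save style INPUT chain with first-match semantics and reports whether telnet (tcp/23) and SNMP (udp/161) are still reachable from the WAN side. The interface name eth0, the LAN subnet and both sample rulesets are assumptions constructed for the example.

```python
import ipaddress
import re
WAN_IF = "eth0"  # assumed name of the gateway's upstream interface
SERVICES = {"telnet": ("tcp", 23), "snmp": ("udp", 161)}  # the two services CERT says to block
OPT_RE = re.compile(r"(-i|-p|--dport|-s|-j|--state|--ctstate) (\S+)")

def _parse_input_chain(dump):
    """Return (default policy, ordered rules) of the INPUT chain; negated matches ('! -i') are not modelled."""
    policy, rules = "ACCEPT", []
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(dict(OPT_RE.findall(line)))
    return policy, rules

def _matches(rule, iface, proto, port, src):
    """Does this rule match a brand-new connection from src on iface to proto/port?"""
    if rule.get("-i", iface) != iface or rule.get("-p", proto) != proto:
        return False
    if "--dport" in rule and int(rule["--dport"]) != port:
        return False
    if "-s" in rule and src not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    state = rule.get("--state") or rule.get("--ctstate")
    return state is None or "NEW" in state.split(",")  # conntrack-only rules skip new flows

def exposure(dump, iface=WAN_IF, src="203.0.113.5"):
    """Simulate one unsolicited packet per service (first match wins) and report if it gets through."""
    src = ipaddress.ip_address(src)
    policy, rules = _parse_input_chain(dump)
    report = {}
    for name, (proto, port) in SERVICES.items():
        verdict = policy
        for rule in rules:
            if rule.get("-j") in ("ACCEPT", "DROP", "REJECT") and _matches(rule, iface, proto, port, src):
                verdict = rule["-j"]
                break
        report[name] = "reachable" if verdict == "ACCEPT" else "blocked"
    return report

# Constructed sample: a vendor default that leaves both services open on the WAN side.
DEFAULT_RULES = ":INPUT ACCEPT [0:0]\n"
# Constructed sample: CERT's interim fix applied; telnet only from the LAN, SNMP dropped.
HARDENED_RULES = """:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 161 -j DROP
"""
```

Run `exposure(HARDENED_RULES)` against a dump taken from the device; anything still reported as "reachable" from the WAN means the advisory's workaround is not in place.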
(Security Affairs – home routers, CERT)