A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins.
Experts from the Carnegie-Mellon CERT discovered that a number of home routers from various vendors comes with hard-coded credentials that could be used to hijack the devices.
On Tuesday, the CERT at the Software Engineering Institute at Carnegie Mellon University issued an advisory confirming the serious security issued in the home routers and invited organizations to write firewall rules that block telnet or SNMP on the device as a temporary measure to mitigate the threat.
“A remote attacker may utilize these credentials to gain administrator access to the device,” states the CERT advisory
The list of vendors includes ASUS and ZTE in Asia, and Digicom, Observa Telecom, and carrier Philippine Long Distance Telephone (PLDT). All the devices analyzed by the researchers have the “XXXXairocon” as default telnet password, where the “XXXX” is the MAC address of the home router. All the home routers except the PLDT devices have admin as default username, while the PLDT username is adminpldt.
“The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.”
According to the researchers the affected home routers are:
Unfortunately all the devices are still unpatched, waiting a firmware update the CERT recommends blocking telnet and SNMP ports.
“Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.” suggest the advisory.
(Security Affairs – home routers, CERT)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.