Security researchers working for VPN Mentor have tested “many random” GPON ISP routers and discovered that all were vulnerable to two new exploits that could enable a hacker to hijack the device. Related routers are used by Gigabit “full fibre” (FTTH/P) broadband providers around the world.
At the time of writing full details of the two vulnerabilities – CVE-2018-10561 and CVE-2018-10562 – have not yet been published and so we don’t know exactly which manufacturers were subjected to the random testing. The group used Shodan to estimate that over a million Gigabit Passive Optical Networks (GPON) routers are currently affected, mostly in Mexico, Kazakhstan and Vietnam (mercifully only a very few were in the UK).
Essentially the first flaw exploits the authentication mechanism of the device (bypassing it), while the second is based around a command injection vulnerability that allows an attacker to execute commands on the device. Both can be combined to completely take over a router, which then leaves the end-user's network open to abuse, such as traffic hijacking and/or the loss of personal data.
During our analysis of GPON firmwares, we found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could, when combined, allow complete control of the device and therefore the network. The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication.
The flaw can be found with the HTTP servers, which check for specific paths when authenticating. This allows the attacker to bypass authentication on any endpoint using a simple trick.
While looking through the device functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands. It didn’t take much to figure out that the commands can be injected by the host parameter.
Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.
Apparently many of the vulnerable GPON routers are made by the South Korean firm Dasan Networks, which allegedly did not respond to the researchers (possibly due to a language barrier). The question now is whether or not such flaws will be patched by the responsible company(s). Router manufacturers often have fairly short life-cycles on their devices, which can result in a lack of support after only a fairly short period.
We have the following statement from Dasan.
Statement from DZS regarding authentication bypass exploit
DASAN Zhone Solutions, Inc. has investigated recent media reports that certain DZS GPON Network Interface Devices (NIDs), more commonly known as routers, could be vulnerable to an authentication bypass exploit.
DZS has determined that the ZNID-GPON-25xx series and certain H640-series GPON ONTs, when operating on specific software releases, are affected by this vulnerability. No service impacts from this vulnerability have been reported to DZS to date. After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media. According to DZS sales records, combined with field data gathered to date, we have estimated that the number of GPON ONT units that may be potentially impacted to be less than 240,000. In addition, given the relative maturity of the products in their lifecycle, we think the impact is limited to even fewer devices.
The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS. While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight to the total number of units that are still actively used in the field.
DZS has informed all the customers who purchased these models of the vulnerability. We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment.
DZS’s mission is to ensure that all its solutions meet the highest security standards in the industry. We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.
Probably find this on most devices if you put in enough effort.
For those that have confidential stuff at home it really should be encrypted at rest (GDPR) but I recommend a second router/firewall for the wired PCs, storage etc. if you are that concerned. I keep streaming, Hive, Amazon Echo etc. on my red side as it is these that may be exploited in future.
WiFi is the easiest way into a home network especially with leading ISP routers broadcasting to three houses away. If people are really really paranoid then don’t use GPON as only the up slot is discrete, download is broadcast.
The best security as always is to keep any perpetrator guessing. You would have to be pretty important or unlucky to get hacked as a consumer. Businesses should apply the expected standards and use suitable kit.
GPON terminals have been attacked (bricked) in 2017. Here is the text in Polish: http://www.telko.in/godzina-szosta-minut-dziesiec or https://niebezpiecznik.pl/post/backdoor-producenta-w-urzadzeniach-alcatel-lucent-spowodowal-olbrzymie-straty-u-wielu-operatorow-ktos-wykorzystal-go-do-zbrickowania-dziesiatek-tysiecy-urzadzen/
Long story short: Alcatel-Lucent terminals were bricked on 17th of October 2017. The attack vector was a poor admin password hard-coded in the firmware. Alcatel-Lucent refused to fix the issue because the terminals were out of service contract; they only proposed buying new ones without giving any warranty that they are bug/feature free.
What is interesting here is that the hacker/group gave a statement: https://archive.fo/PQAnU