UPC network problems -------------------- Platforms / Firmware confirmed affected: - UPC Hungary network Problems -------- Network and device configuration problems Administration password is sent to the device in plain in the configuration file Administration password, which is used also for the telnet service, is sent in plain in the configuration file downloaded by the device via TFTP from the location specified by the DHCP response. The TFTP server is accessible only from the internal UPCas network. Administration password is the same for ALL devices Every kind of device uses the same administration password, which provides administrative and telnet access in most of the cases form the internal UPCas network. The actual access method and possibilities are depends on the device type. Telnet service is enabled on Ubee devices by default Telnet service is enabled on Ubee devices at interfaces accessible from LAN. Since, the password is the same and sent in plaintext, any user from the LAN can connect to the router with root privileges. Users can not disable telnet service and it is accessible even if the device is in bridge mode. Other CPE devices can be accessed in the internal UPCas network >From within the router, the 10.x.x.x range is accessible and the router can access other UPC costumersa devices. Using the administration password, which is the same in every device, the attacker can take over control of masses of devices. Timeline -------- - 2015.06.24: Presenting the Ubee router problems to the CTO of UPC Magyarorszag - 2015.07.16: UPC contacted Ubee and required some more proof about some specific problems - 2015.07.16: Proofs, that the default passphrase calculation of the Ubee router was broken, were sent to UPC - 2015.07.20: UPC requested the POC code - 2015.07.21: POC code was sent to UPC - 2015.07.30: We sent some new issues affecting the Ubee router and other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC - Between 2015.07.31 and 08.12 there were several e-mail and phone communications between technical persons from Liberty Global to clarify the findings - 2015.08.19: UPC sent out advisory emails to its end users to change the default WiFi passphrase - 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases. - 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters - 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases. Credits ------- This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu) References ---------- [1] http://www.search-lab.hu/advisories/secadv-20150720