I'm on vacation. In Denmark. I'm really not supposed to blog while on vacation, at least I said something like that to my wife before we left home. (Yes, I do reveal publicly that I'm not at home. It doesn't mean there's nobody there to watch it for me.)
But bad security needs attention, hence this little blog post.
I don't mind helping people every now and then. No need to give out locations or names in this blog post; the affected parties here have already received my personal opinion and advice. (No, I do not expect them to change anything based on what I write on my blog...)
Anyway; somebody asked for my help on setting up a new laptop. They said they didn't have a WLAN. I didn't need many seconds to find otherwise: a Scientific Atlanta 2320 cable box. Really not impressive, but that's the default from their ISP. The box was found at http://192.168.100.1/ (with the Windows XP box having a public IP address assigned to it, and a 255.255.240.0 subnet mask... All computers connecting to the box/LAN using Ethernet or WLAN get a public IP.)
Googling for the default password made my day: admin/W2402 and VOILA: access granted.
Question to ISP #1: why - oh WHY - do you give out boxes that assign public IPs directly by default to poorly configured and secured end-users without a friggin' clue on security?
My opinion: NAT boxes by default please, then the advanced users can screw up their security afterwards if they want to.
Question to ISP #2: When I asked your tech support about the default admin/pass, they replied that "most people don't know that stuff anyway, it's just the advanced guys like you and our tech staff who know these things". So the question is: what is the required amount of working brain matter to work as tech support staff at your company?
My opinion: NEVER EVER USE DEFAULT PASSWORDS ANYWHERE!
Anyway; let's take a look at the config of the box:
Firmware from 2007. Well, that doesn't have to be bad, but tech support told me that the box is not to be accessed or configured by the end-user at any time. If that means the ISP is responsible for the maintenance of the box, I really can't see many traces of "maintenance" here... Moving on among the available tabs, here's logging:
Logging is not enabled. WOW. Even crazier: the end-user cannot enable it either, at least not through the web interface. Now a quick look at the setup -> security settings:
WEP. 128-bit. Wow. But hey, WPA with TKIP was available, so I took the liberty of changing from WEP to WPA with TKIP with a serious passphrase, and changing the ISP default - and illogical - SSID. And the air turned seriously hot in the house...
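To make the findings above checkable rather than anecdotal, here is an added example (my own code, not the post's and not anything the ISP or the box ships) that audits a cable-box configuration for exactly the weaknesses described: a published default admin login, LAN clients handed routable addresses with no NAT in front (and how many hosts a 255.255.240.0 mask puts on the same segment), WEP or TKIP on the WLAN, an unchanged ISP SSID, and logging switched off. The configuration dicts, their field names, the extra credential pairs and the 198.51.100.17 client address are all constructed stand-ins for this example; the admin/W2402 pair and the netmask are the values from the post.

```python
"""Audit a home cable box / CPE configuration for the weaknesses the post describes.

Added example, not code from the post or from the ISP. The config dicts below are
constructed stand-ins for what the box's web interface showed; the field names are
assumptions made for this example.
"""
import ipaddress
from typing import Dict, List

# Credential pairs an auditor treats as "published default".
# admin/W2402 is the pair the post found by googling; the other two are
# constructed placeholders to show the check is list-driven.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "W2402"),
    ("admin", "admin"),
    ("admin", "password"),
}

# Ranges a NAT box would normally hand out on the LAN side:
# RFC 1918 plus the RFC 6598 carrier-grade NAT block.
NON_ROUTABLE_LAN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def is_nat_lan_address(addr: str) -> bool:
    """True if addr sits in one of the ranges a NAT box uses behind it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE_LAN_RANGES)


def usable_hosts(addr: str, netmask: str) -> int:
    """Usable host addresses in the segment the client was placed in.

    With the 255.255.240.0 mask from the post that is a /20, so one client
    shares its broadcast domain with thousands of other subscribers.
    """
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return max(net.num_addresses - 2, 1)


def audit_cpe(config: Dict[str, object]) -> List[str]:
    """Return findings as 'CODE: explanation' strings."""
    findings: List[str] = []

    creds = (config["admin_user"], config["admin_password"])
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("DEFAULT_CREDENTIALS: admin login matches a published default; "
                        "anyone who can reach the web UI can reconfigure the box")

    client_ip = str(config["lan_client_ip"])
    if not is_nat_lan_address(client_ip):
        hosts = usable_hosts(client_ip, str(config["lan_netmask"]))
        findings.append(f"PUBLIC_LAN_IP: clients get routable addresses with no NAT in front; "
                        f"the {hosts}-host segment is directly reachable from the Internet")

    enc = str(config["wlan_encryption"]).upper()
    if enc.startswith("WEP"):
        findings.append("WEP: WEP gives no real confidentiality; use WPA2-AES (or at least WPA)")
    elif enc == "WPA-TKIP":
        findings.append("WPA_TKIP: a big step up from WEP, but TKIP is deprecated; "
                        "move to WPA2-AES when the firmware allows")

    if config["ssid_is_isp_default"]:
        findings.append("DEFAULT_SSID: ISP-assigned SSID left in place; change it with the key")

    if not config["logging_enabled"]:
        findings.append("LOGGING_DISABLED: no record of logins or config changes to review")

    return findings


def finding_codes(config: Dict[str, object]) -> List[str]:
    """Just the CODE part of each finding, handy for tests and dashboards."""
    return [f.split(":", 1)[0] for f in audit_cpe(config)]


# Constructed configuration mirroring what the post found on the box.
BOX_AS_FOUND: Dict[str, object] = {
    "admin_user": "admin",
    "admin_password": "W2402",
    "lan_client_ip": "198.51.100.17",  # constructed stand-in for the XP box's public IP
    "lan_netmask": "255.255.240.0",
    "wlan_encryption": "WEP-128",
    "ssid_is_isp_default": True,
    "logging_enabled": False,
}

# The same box after the changes the post describes (WPA-TKIP, new SSID);
# the admin password is left as-is because the post does not say it was changed.
BOX_AFTER_FIX: Dict[str, object] = dict(BOX_AS_FOUND, wlan_encryption="WPA-TKIP",
                                        ssid_is_isp_default=False)

if __name__ == "__main__":
    for label, cfg in (("as found", BOX_AS_FOUND), ("after fix", BOX_AFTER_FIX)):
        print(f"== {label} ==")
        for finding in audit_cpe(cfg):
            print(" -", finding)
```

Run it as a script and the "as found" report lists five findings, the "after fix" report four; the default credentials, the public /20 and the disabled logging survive the WLAN changes because, as the post says, the end-user cannot fix those through the web interface.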
See; it's a cable box. These people have cable TV and Internet broadband access from the same provider. The man of the house was really proud of his HDTV decoder box; now he could see HD channels as well. Only one channel included in his package, but what the heck, HE HAD HDTV! A quick look at the HDTV decoder config revealed that the HDMI output was set to 576i by default, so watching his HD channel on his 40" FullHD LCD TV wasn't that impressive to the trained eye. :-) (I fixed that, explained it to his wife, and she told her husband to come in and LISTEN to me carefully.) Oh, and I changed the default audio output from stereo to 5.1 as well, so that he no longer had to use "virtual surround" settings on his 5.1 system to get surround sound. AND told him to get an optical cable to connect his decoder to his 5.1 system. Doh.
Forgive me for the diversion, just a little fun to report from real life. I'm no longer surprised at all to see such things, on the contrary. On to the security stuff again.
The HDTV decoder had a nice and FAST program guide, along with features for movie rentals and other stuff. Sweet. It also had 2 USB ports on the back, one of them occupied by a WLAN adapter. Suddenly I understood why the program guide didn't work anymore. ARGH. Called tech support, no expectations whatsoever. I was right in my assumptions:
The HDTV box got its channels from cable, and the program guide and interactive/pay features over IP (didn't dare to ask about SSL...)
They told me end-users were not allowed to access the box.
They didn't see any risk with default admin/pass.
They said a cold boot would reset all settings (I proved them wrong).
They said the WLAN adapter was hard-coded with SSID (provided by them) and WEP-128 HEX key (provided by them). If this were to be changed, the user would have to order a new hard-coded adapter from them.
The SSID, encryption type and WEP-128 HEX value were stored in their database, available to tech support, along with other customer data.
Seems like the ISP has a nice way of forcing the end-user to stay with them for updates, so to speak. Unfortunately, the ISP really puts the end-user at risk here as I see it, preventing the end-user from controlling important parts of his/her own security in their own home. And this cable/ISP has customers all across Denmark. Woohoo.
So... Based on your own interest and knowledge about security, you've guessed by now that I do have more questions as well as suggestions for this cable TV / ISP. Maybe their current offerings use NAT, WPA2 and end-user access to security features, but in this case at least they didn't. No wonder there are so many computers still easily targeted by worms on the Internet. No wonder we're running out of IPv4 addresses. No wonder some topics don't get old for #Blackhat and #Defcon :-)
I'll be back home in a couple of days, expect more posts from me then, including the "I got pwnd" tribute to a friend of mine after (almost) successfully getting my password. Get ready to do some video/picture/sound analysis everyone. :-)
Oh, and let me add that I installed Secunia's excellent PSI on the XP box. The results were exactly as expected...
Very nice find Per! But regarding this comment "And this cable/ISP has customers all across Denmark. Woohoo". How many boxes did you discover in your holiday neighborhood Per? You are not telling the complete story here I think. We want all the facts! Jan H. :D
I didn't go outside the box in any way, but given the subnet mask and all I've got to say I'm curious to what a simple portscan of the subnet would have revealed.
It's a big ISP, but no names, sorry.