Wireless ISP Modems Plagued by Serious Vulnerabilities

Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

Researchers have analyzed several wireless modems offered by Internet service providers (ISPs) worldwide to customers and discovered that they are plagued by many serious vulnerabilities.

Over the past year, security research company SEARCH-LAB has analyzed the modems offered to customers in Hungary by Liberty Global-owned telecommunications services provider UPC Broadband, including Ubee, Technicolor, Cisco, Hitron and Compal devices. Experts pointed out that these modems are used by ISPs from all over the world.

Researchers spent between three hours and two weeks manually analyzing Ubee EVW3226, Technicolor TC7200, Cisco EPC392, Hitron CGNV4 and Compal CH7465LG modems. A total of 58 serious vulnerabilities have been discovered in these products as a result of the investigation, including many weaknesses that allow attackers to gain administrator access to devices, make configuration changes, or execute arbitrary code.

The list of bugs includes insecure session management, authentication bypass, command injection, information disclosure, buffer overflow, CSRF and default password issues. Forty of the flaws have been found in Compal modems, on which researchers spent two weeks as part of a pilot project commissioned by Liberty Global.

Most of the targeted devices were only analyzed for three hours and just a handful of vulnerabilities have been found. However, SEARCH-LAB told SecurityWeek that a larger number of issues would have likely been identified if more time had been spent analyzing these modems.


One of the most serious problems discovered by researchers is related to the use of default Wi-Fi passphrases. Experts determined that the password could be brute-forced on Ubee, Technicolor and Cisco devices in just a few seconds as it was generated based on easily obtainable data, such as serial numbers and MAC addresses.

The vulnerabilities found by SEARCH-LAB have been reported to Liberty Global, which notified the device manufacturers. Some of the problems have been addressed, while others, such as the default passwords, are more difficult to resolve, especially since the information is in many cases printed on the devices.

SEARCH-LAB is currently conducting a wardriving experiment in Hungary to determine how many users still rely on default passwords even after repeated warnings from the ISP.

“A proof-of-concept application was also developed to demonstrate that the home Wi-Fi networks that are operated by these devices are easily attackable from the street by wardriving,” SEARCH-LAB researcher Gergely Eberhardt told SecurityWeek.

“What made the situation even worse; we discovered that after taking over the control on the attacked Wi-Fi devices and were able to execute our own code on them, we gained access not just to the local home networks, but though the internal network of the ISP we gained access to other home routers too,” Eberhardt explained.


Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this