MGTS GPON subscribers threatened with hacking: new networks, new problems

    1. Introduction

    In the capital of our vast country, MGTS is rolling out GPON technology on an unprecedented scale, under the banner of replacing copper wires and giving the population affordable Internet access. MGTS has more than 3.5 million subscribers in Moscow, and it is assumed that all of them will be covered.
    The idea is wonderful: optics in every apartment, high-speed Internet, free connection and a Wi-Fi router as a gift (officially without the right to reconfigure it, but more on that later). A project of this scale (the same device is installed in every apartment that has at least a landline telephone from MGTS) could not, as usual, do without planning holes, and those can cost the end user dearly. Our company became interested in the information security of this project's clients and conducted an express study. We offer its results to the public to inform subscribers about the existing threats and about the measures they can take against them at home.

    2. Life in the palm of your hand

    The threats turned out to be neither illusory nor insignificant, but systemic, and their risk potential is hard to overestimate. I want to warn happy MGTS subscribers about the threat to their privacy, which is hidden not only in the ZTE ZXA10 F660 router that the provider kindly forces on them (the less vulnerable Huawei HG8245, also installed for subscribers, is likewise not protected from its "default settings"), but also in the way subscribers are connected to the new communication lines.
    This is what the operator's equipment installation options look like:

    [Photo] Less dangerous Huawei HG8245

    [Photo] Much more "leaky" ZTE ZXA10 F660

    The problems here are of varying degrees of danger: some can be solved on your own, others can only be pointed out. Let's list the main points that help an attacker break into your home network (provided that you are an MGTS subscriber using the Internet service):
    • The Wi-Fi password is your phone number (during the study we also found lazy installers who had used the router's MAC address without its first 4 characters as the password).
      This means that cracking the Wi-Fi key from a captured handshake with the mask `495?d?d?d?d?d?d?d?d` takes minutes, not days, and the attacker does not need to stay anywhere near the target: it is enough to intercept the moment a subscriber's wireless device (smartphone, tablet, laptop) connects to the router, and the rest can be done calmly on a home computer. This miscalculation by the operator, made at the level of how connections are organised, is a gaping hole that opens the home networks of millions of subscribers to attackers. It can only be fixed locally, by changing the access point password yourself to something more secure. The next vulnerability, however, is far more serious, because the subscriber is simply unable to influence it.
    • This is the vulnerability in the WPS wireless configuration technology, which is enabled by default on ZTE ZXA10 F660 routers. With the organisational miscalculation above, which weakens each user's network at the password level, an attacker still cannot crack subscribers en masse and must work on each one separately; with the WPS vulnerability of this router model, network hacking can be put on a conveyor belt. The technology works as follows: a WPS connection uses a PIN code of 8 digits, and on receipt of the correct PIN the router hands over the real Wi-Fi password. Not only can this PIN be brute-forced with the well-known Reaver tool far more efficiently and quickly than a complex WPA2 password, the main problem is that it is the same for all ZTE ZXA10 F660 routers, and it can be found on the Internet in 10 minutes. I repeat: knowing this PIN (which cannot be changed or turned off), an attacker obtains the real Wi-Fi password, of any complexity and any encryption type, or connects directly to the subscriber's network, within 3 seconds. Thus the "happy" owners of this particular model (the operator installs only 2 models, so the odds are 50/50), even having set a password that is impossible to crack, will still be broken into in under 5 seconds because of the flawed technology.

    3. What does a hacked Wi-Fi network mean for its owner?

    We will omit platitudes like "free Internet"; it is no longer the 90s, and people with gadgets usually have Internet access of their own. So what are the threats? We list the most obvious:
    • Interception of the subscriber's traffic and theft of passwords for mail services, social networks, messaging programs and other confidential data.
    • Attacks on the owner's computers to gain access to user files, view webcams, and install viruses and spyware (as a rule, home PCs are far more vulnerable to attacks from inside the network than corporate machines: weak passwords, irregular updates and open shares are traditional here).
    • Wiretapping of telephone conversations (yes, with the move to unsecured SIP this is easier than ever). Now not only the special services but also a curious neighbour (or maybe not a neighbour) can record your conversations on the landline number, because the new telephony works over the unprotected SIP protocol, and all the tools needed for interception and recording of calls have long been in the public domain.
    • Theft of the phone number: by slightly modifying the router software, an attacker can recover the SIP account password and use it to make calls on behalf of the hacked subscriber. This means not only direct losses for the owner of the number, but also the possibility of far more serious damage, where the number of an unsuspecting citizen is used for blackmail, for contacts with terrorists or to frame the owner, for example by reporting a planted bomb to the police from that number.
    • Creation of a large botnet (MGTS has 3 504 874 subscribers in Moscow) with each connection capable of 100 Mbit/s. Yes, this would require an army of lemmings, but as everyone knows, hordes of biological bots permanently inhabit all kinds of "tanks" and are regularly recruited by interested parties for various Internet campaigns, usually of a destructive kind.
    • Using a random (or not so random) network to anonymously upload prohibited material to the Internet (guess whose door gets knocked on?).

    4. Protection measures

    What can be done, and how do you protect your privacy in such a situation? You can do a little yourself, and it is a must for anyone who does not want to become a victim of the operator's poorly designed campaign.
    We will need the router passwords, which are easily googled; write them down:
    • Access to the web interface of the ZTE ZXA10 F660 router: login mgts, password mtsoao
    • Telnet console access: login root, password root
    • For the Huawei HG8245:
      default address is
      login telecomadmin, password admintelecom
    • Through the web interface, be sure to change the access point's password and its name (the MAC address will still reveal that the router belongs to an MGTS client, but renaming the access point reduces the likelihood of matching a specific Wi-Fi signal to a particular apartment).
    • Owners of the ZTE ZXA10 F660 should turn off the Wi-Fi functionality with the button on the device. At the moment this is the only way to protect against WPS hacking.
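    As an added example (not code from the original article), here is a small Python audit a subscriber can run against a candidate passphrase before entering it in the router's web interface. It flags the two weak defaults described in section 2 (a phone number, or the router MAC address with its first 4 characters dropped) and puts a number on the candidate space the `495?d?d?d?d?d?d?d?d` mask covers. The regular expressions, the 2^60 threshold and the sample values are assumptions, not MGTS data.

```python
import re

# Assumed pool sizes per character class, used only to estimate how large a
# brute-force candidate space a passphrase sits in.
POOL = {"d": 10, "l": 26, "u": 26, "s": 33}

# Constructed patterns for the two weak defaults the article describes:
# a Moscow landline number (495 followed by the subscriber digits) and the
# router MAC address with its first 4 hex characters dropped (8 hex chars).
PHONE_RE = re.compile(r"^495\d{7,8}$")
MAC_TAIL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def mask_keyspace(mask: str) -> int:
    """Candidates covered by a hashcat-style mask such as '495?d?d?d?d?d?d?d?d'
    (?d digit, ?l lower, ?u upper, ?s symbol; anything else is a literal)."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in POOL:
            total *= POOL[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def passphrase_keyspace(passphrase: str) -> int:
    """Upper bound on the search space if only the character classes are known."""
    pool = 0
    if re.search(r"\d", passphrase): pool += POOL["d"]
    if re.search(r"[a-z]", passphrase): pool += POOL["l"]
    if re.search(r"[A-Z]", passphrase): pool += POOL["u"]
    if re.search(r"[^0-9a-zA-Z]", passphrase): pool += POOL["s"]
    return pool ** len(passphrase)


def audit_passphrase(passphrase: str, phone: str, mac: str) -> dict:
    """Flag a Wi-Fi passphrase derived from the subscriber's own phone number or
    router MAC (both easy for a neighbour to learn), or one whose keyspace is
    small enough to enumerate offline from a single captured handshake."""
    findings = []
    mac_hex = mac.replace(":", "").replace("-", "").upper()
    if passphrase == phone or PHONE_RE.match(passphrase):
        findings.append("passphrase is a phone number")
    if passphrase.upper() == mac_hex[4:] or MAC_TAIL_RE.match(passphrase):
        findings.append("passphrase looks like a MAC address tail")
    space = passphrase_keyspace(passphrase)
    if space < 2 ** 60:  # assumed threshold for a feasible offline attack
        findings.append(f"keyspace only ~2^{space.bit_length() - 1}")
    return {"weak": bool(findings), "findings": findings, "keyspace": space}
```

    Any passphrase the audit marks as weak should be replaced with a long random one before WPS is considered, since on the ZTE model the PIN problem remains regardless of the passphrase chosen.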

    Unfortunately, at best only a small percentage of the 3.5 million users will take advantage of these measures; most will never hear about this article and will remain vulnerable to a real threat for a long time, until something or someone forces the operator to spend a lot of money on centralised measures to correct the technical and organisational flaws of the project.

    5. Conclusion

    What conclusions can be drawn from the above? The most disappointing one: the largest GPON rollout of all (I repeat, we are talking about 3.5 million subscribers!) either did not consult information security specialists, or those consultations were completely ignored during the implementation itself. Phone numbers as passwords, WPS that cannot be disabled and uses a single key for every device, unprotected SIP telephony, and passwords recoverable from the web interface are the result of a weak organisational component and complete disregard for elementary information security standards. I am sure MGTS is far from unique in such miscalculations; many smaller network providers find themselves in the same situation when it comes to protecting their subscribers' data, but this time the scale of the problem exceeds all imaginable boundaries.

    6. The official reaction of MGTS OJSC

    We, as respectable security researchers, are interested in the speedy resolution of the problems voiced above. Unfortunately, our concern found no echo in the hearts of the MGTS OJSC press service, which we tried to reach through every available channel. Only one response was received, via Facebook: a press-service employee assured us that we could publish the material with a clear conscience, and that afterwards, when answering questions from the press, they would assure everyone that subscribers were safe and their data confidential.
