On Tuesday the 17th of October 2017, the cyberstorm.mu team held a public podcast on modem insecurity in Mauritius. Fifteen minutes after the start of the broadcast there were already about 30 views from the public. We had Keshav Purdassea, a cybersecurity student, over as a guest to ask questions. People also asked questions on the cyberstorm.mu public Facebook group.
Logan from cyberstorm.mu gave a clear introduction during the podcast to its goal, which is informing the public about the vulnerabilities found in the Huawei modem.
Codarren from cyberstorm.mu laid emphasis on several interesting points, such as the state of Dnsmasq. He also gave some useful hints on launching commands on the router, which does not behave like a usual Linux box. He explained how all processes, including Dnsmasq, run as root. Codarren recently had a conversation with engineers from Huawei, and it is quite obvious that Dnsmasq is also doing DNS. It was recommended to run dnsmasq as a non-root user, which is one of the best practices on any Linux box. Someone can craft a DNS packet and run it against the modem with the intention of controlling it remotely. This security risk needs to be reviewed again.
In addition, I gave a brief introduction to the preliminary precautions that can be taken to minimize the impact, such as deactivating Telnet or even SSH on the router. We also noticed that it is possible to download the configuration file and decrypt it. All passwords can be seen in clear text in the configuration file. Here are the steps to follow to decrypt it:
1. Use the following command to decrypt it:
[root@localhost ~]# ./aescrypt2_huawei 1 hw_ctree.xml decode.xml
2. To re-encode use the following command:
[root@localhost ~]# ./aescrypt2_huawei 0 decode.xml hw_ctree.xml
3. At line 1022 you can find the web interface password:
1022 <X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" Password="402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef" UserLevel="0" Enable="1" ModifyPasswordFlag="0" PassMode="2"/>
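Once the file is decoded, the useful next step for an owner or auditor is to enumerate every web-interface account it exposes rather than reading a single line by hand. The following script is an added example written for this post, not a tool from cyberstorm.mu or Huawei; the enclosing root element, the extra accounts and the password values in the sample are constructed, and only the X_HW_WebUserInfoInstance attributes shown above are taken from the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the X_HW_WebUserInfoInstance element
# quoted from decode.xml. The root element name and the "root"/"guest"
# accounts are assumptions for the demo, not taken from a real hw_ctree.xml.
SAMPLE_DECODED_CONFIG = """<?xml version="1.0" ?>
<InternetGatewayDeviceConfig>
  <X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="{p1}"
      UserLevel="1" Enable="1" ModifyPasswordFlag="0" PassMode="2"/>
  <X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" Password="{p2}"
      UserLevel="0" Enable="1" ModifyPasswordFlag="0" PassMode="2"/>
  <X_HW_WebUserInfoInstance InstanceID="3" UserName="guest" Password=""
      UserLevel="1" Enable="0" ModifyPasswordFlag="0" PassMode="2"/>
</InternetGatewayDeviceConfig>
""".format(p1="0123456789abcdef" * 4, p2="fedcba9876543210" * 4)


def audit_web_users(xml_text):
    """Return one record per web-interface account in a decoded config.

    The stored Password value is reduced to a short fingerprint so that the
    audit output does not become a second copy of the secret.
    """
    root = ET.fromstring(xml_text)
    records = []
    for elem in root.iter():
        # Match the element wherever it sits in the tree; the real file's
        # nesting is not known, so do not rely on a fixed path.
        if not elem.tag.endswith("X_HW_WebUserInfoInstance"):
            continue
        password = elem.get("Password", "")
        records.append({
            "user": elem.get("UserName"),
            "enabled": elem.get("Enable") == "1",
            "level": elem.get("UserLevel"),
            "password_set": bool(password),
            "password_fingerprint": password[:6] + "..." if password else None,
        })
    return records


def exposed_accounts(records):
    """Names of enabled accounts whose credential is present in the export,
    i.e. what an attacker who obtains the config file would learn."""
    return [r["user"] for r in records if r["enabled"] and r["password_set"]]


if __name__ == "__main__":
    recs = audit_web_users(SAMPLE_DECODED_CONFIG)
    for rec in recs:
        print(rec)
    print("enabled accounts with stored credentials:", exposed_accounts(recs))
```

Run it against the real decode.xml by replacing the sample with the file contents; any account it lists is one whose password should be changed after the export, since the export itself is readable once decoded.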
Yash also raised a pertinent point as to whether the patch was supposed to come from Mauritius Telecom or Huawei. After some research, we noticed that there was no patch from Huawei itself.
Other bloggers on the Podcast:
- Billal Abdel Hassan – Linux passionate – Modem insecurity
- Irshaad Abdool – Vulnerabilities on MT FTTH routers