Analysis of WiFi-enabled ISP modems

Overview

SEARCH-LAB Ltd evaluated five home gateway models. All of them are used by many internet service providers worldwide, but the actual devices we examined were operated by one of the Hungarian cable TV operators, UPC Magyarország (https://www.upc.hu/). The analysis was carried out on commercially available devices and on publicly accessible firmware images obtained through the ISP's automatic firmware update mechanism.

We started our analysis with the Ubee EVW3226 modem in June 2015. After finding several serious issues we contacted UPC Hungary and its parent company, Liberty Global, Inc. (http://www.libertyglobal.com/). After reporting our initial findings, we tested other widely used WiFi routers from Technicolor and Cisco, where we found further important security flaws that we also reported to Liberty Global. The evaluation was then extended to another device, made by Hitron, with almost the same level of security problems as a result.

After presenting this level of vulnerability to the representatives of UPC Magyarország and Liberty Global, we received two samples of the Compal CH7465LG-LC (Mercury) modem, one of the cable modems most frequently deployed by UPC in Hungary. Liberty Global asked SEARCH-LAB to carry out the security evaluation of these devices as a pilot project without financial compensation. As a result, SEARCH-LAB is now free to publish the findings and the Evaluation Report of this research.

In November 2015 SEARCH-LAB Ltd. therefore performed a two-week, black-box security evaluation of the Compal CH7465LG-LC. To illustrate the difference between a quick vulnerability assessment and a systematic evaluation, the pilot project was carried out in two phases: first a quick three-hour initial hacking session, then a complete, systematic two-week security evaluation together with its documentation. Within three hours SEARCH-LAB was able to present to Liberty Global a remotely exploitable code execution vulnerability on the device. The overall evaluation yielded around 35 security flaws.

Since more than half a year has passed since these issues were reported, SEARCH-LAB has decided to publish the findings of the above security evaluations.

Devices evaluated

During our analysis, we evaluated the following models:

  • Ubee EVW3226, 1.0.20
  • Technicolor TC7200, STD6.02.11
  • Cisco EPC3925, ESIP-12-v302r125573-131230c_upc
  • Hitron CGNV4, 4.3.9.9-SIP-UPC
  • Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH

Summary of results

The evaluation results can be summarized as follows:

Modem                 Evaluation length   Total number of vulnerabilities
Ubee EVW3226          2 days              11
Technicolor TC7200    3 hours             3
Cisco EPC3925         3 hours             1
Hitron CGNV4          3 hours             3
Compal CH7465LG-LC    3 hours             5
Compal CH7465LG-LC    2 weeks             35

We found the following types of vulnerabilities in the models evaluated.

  • M: At least one vulnerability was found
  • ü: Correct protection measure was applied
  • –: During the limited time of the evaluation we did not find this type of vulnerability, but we did not have the chance to fully verify whether it was correctly protected or not

Device order of the columns: Ubee EVW3226, Technicolor TC7200, Cisco EPC3925, Hitron CGNV4, Compal CH7465LG-LC.

Vulnerability type            Marks in device order (blank cells omitted)
Insecure session management   M  M  M  M
Authentication bypass         M  M
Information disclosure        M  M  M
Command injection             M  M  M
CSRF protection               ü  M  M
Buffer overflow               M  M
Default passphrase            M  M  M  ü

WiFi default passphrases

During the evaluations we found that 3 of the 5 devices used default SSIDs and passphrases for the user's WiFi network that were generated from publicly known identifiers. We did not verify this problem on the Hitron device, and we validated that this type of vulnerability was not present in the Compal modem. The following table summarizes our default SSID and passphrase calculation results:

Modem                 Based on MAC   Based on serial no.   Brute-force
Ubee EVW3226          X                                    0 sec
Technicolor TC7200                   X                     < 5 sec
Cisco EPC3925         X              X                     < 5 min
Hitron CGNV4          (not verified)
Compal CH7465LG-LC                                         No
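The point of the table above is that a default passphrase derived from a public identifier is only as strong as the identifier, whatever the derivation looks like. The following Python is an added illustration from a defender's viewpoint (it is not SEARCH-LAB code and does not reproduce any vendor's generation scheme): it bounds the attacker's candidate space by the entropy of the identifier, converts that to an exhaustion time at an assumed guess rate, and shows the mitigation UPC advised, a replacement passphrase drawn from the OS random generator. The serial-number length, guess rate and passphrase length are constructed assumptions.

```python
import math
import secrets
import string

# Constructed model (not from the SEARCH-LAB report): the default WPA2
# passphrase is some deterministic function f(identifier). Whoever can
# enumerate the identifier only has to enumerate its distinct values,
# so the effective keyspace is bounded by the identifier's entropy, not
# by the passphrase's length or alphabet.


def mac_derived_space(oui_known: bool = True) -> int:
    """Distinct inputs when the passphrase is derived from the MAC address.

    The vendor OUI (first 3 bytes) is visible in the BSSID, so only the
    24-bit NIC-specific part varies. Without that knowledge, all 48 bits.
    """
    return 2 ** 24 if oui_known else 2 ** 48


def serial_derived_space(digits: int) -> int:
    """Distinct inputs for an all-numeric serial of the given length.

    Assumption: every digit position is free; real serials often encode
    a model prefix or production date and are weaker still.
    """
    return 10 ** digits


def random_passphrase_space(length: int, alphabet_size: int) -> int:
    """Keyspace of a passphrase with independently random characters."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the candidate count: the usual bits-of-entropy figure."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / guesses_per_second


def generate_passphrase(length: int = 20) -> str:
    """Mitigation: a replacement passphrase from the OS CSPRNG, with no
    relationship to any device identifier. 20 alphanumerics gives about
    119 bits of entropy, far beyond what offline WPA2 cracking reaches."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second: float = 1e5) -> dict:
    """Entropy and exhaustion time for each scheme at one assumed guess rate
    (1e5 WPA2 PBKDF2 guesses/s is a constructed, GPU-class figure)."""
    schemes = {
        "MAC-derived, OUI known": mac_derived_space(True),
        "10-digit serial-derived": serial_derived_space(10),
        "random 20-char alphanumeric": random_passphrase_space(20, 62),
    }
    return {
        name: (entropy_bits(space), seconds_to_exhaust(space, guesses_per_second))
        for name, space in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:30s} {bits:7.1f} bits  {secs:.3g} s to exhaust")
    print("replacement passphrase:", generate_passphrase())
```

The numbers show the shape of the problem rather than any specific device: a MAC-derived scheme with a known OUI is at most 24 bits (minutes, even at a modest rate), a serial-derived one is bounded by the serial's digit count, and neither improves if the vendor adds a hash or a longer output, because the attacker enumerates the input, not the output.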

Timeline

  • 2015.06.24: Presented the Ubee router problems to the CTO of UPC Magyarország
  • 2015.07.16: UPC contacted Ubee and required more proof about some specific problems
  • 2015.07.16: Proof that the default passphrase calculation of the Ubee router was broken was sent to UPC
  • 2015.07.20: UPC requested the POC code
  • 2015.07.21: POC code was sent to UPC
  • 2015.07.30: We sent some new issues affecting the Ubee router, and other findings in the Technicolor TC7200 and Cisco EPC3925 devices, to UPC
  • Between 2015.07.31 and 2015.08.12 there were several e-mail and phone exchanges with technical staff from Liberty Global to clarify the findings
  • 2015.08.19: UPC sent advisory emails to its end users asking them to change the default WiFi passphrase
  • 2015.09.16: Ubee Interactive also asked some questions about the vulnerabilities
  • 2015.09.24: We sent detailed answers to Ubee Interactive
  • 2015.10.16: Vulnerabilities found in the Hitron CGNV4 were reported to UPC Magyarország and Liberty Global
  • 2015.10.21: SEARCH-LAB received two sample boxes of the Compal Mercury device
  • 2015.10.21: Within three hours we reported a remotely exploitable vulnerability on the device
  • 2015.10.21: Liberty Global asked for a commercial proposal for an overall security evaluation of the Compal device
  • 2015.10.24: A proposal was sent to Liberty Global
  • 2015.11.09: Liberty Global asked to execute the evaluation as a pilot project without financial compensation
  • 2015.12.07: An End Use Certificate for Dual-Use Items was requested from Liberty Global, as the developer of the device is located in China
  • 2016.01.07: The 99-page Evaluation Report on the Compal Mercury modem was sent to Liberty Global with the restriction that they were not allowed to forward it outside the European Union until a signed End Use Certificate was received
  • 2016.01.07: First reaction to the report: "Bloody hell, that is not a small document ;)"
  • 2016.01.11: Liberty Global sent the signed End Use Certificate for Dual-Use Items to SEARCH-LAB
  • 2016.01.27: UPC Magyarország sent a repeated warning to its end users about the importance of changing the default passphrases
  • 2016.02.16: Face-to-face meeting with Liberty Global security personnel at the Amsterdam headquarters
  • 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary, to measure the proportion of end users still using the default passphrases

Further publications

Together with this overview, SEARCH-LAB has also published the following materials detailing our results:

Ubee EVW3226
  Advisory: Ubee EVW3226 modem/router multiple vulnerabilities
  POC: https://github.com/ebux/Cable-modems/tree/master/Ubee
  Demonstration video: https://youtu.be/cBclw7uUuO4

Technicolor TC7200
  Advisory: Technicolor TC7200 modem/router multiple vulnerabilities
  POC: https://github.com/ebux/Cable-modems/tree/master/Technicolor

Cisco EPC3925
  Advisory: Cisco EPC3925 UPC modem/router default passphrase vulnerabilities
  POC: https://github.com/ebux/Cable-modems/tree/master/Cisco

Hitron CGNV4
  Advisory: Hitron CGNV4 modem/router multiple vulnerabilities

Compal CH7465LG-LC
  Advisory: Compal CH7465LG-LC modem/router multiple vulnerabilities
  Report: Compal_CH7465LG_Evaluation_Report_1.1.pdf

UPC network
  Advisory: UPC network problems
