Analysis of WiFi-enabled ISP modems

SEARCH-LAB (Security Evaluation Analysis and Research Laboratory) carried out security evaluations of several Wi-Fi enabled ISP modems deployed, among others, in the UPC and Liberty Global networks:

  • Ubee EVW3226, 1.0.20
  • Technicolor TC7200, STD6.02.11
  • Cisco EPC3925, ESIP-12-v302r125573-131230c_upc
  • Hitron CGNV4,
  • Compal CH7465LG-LC, CH7465LG-NCIP-

The analysis uncovered 58 serious vulnerabilities in these devices. Most of the flaws were remotely exploitable, granted administrator-level access, or allowed arbitrary configuration changes or code execution.

Among these findings, we demonstrated efficient recovery of the default Wi-Fi passphrases of the Ubee, Technicolor and Cisco devices with no or only minimal brute-force guessing. We also developed a proof-of-concept application showing that the home Wi-Fi networks operated by these devices can easily be attacked from the street by wardriving.

What made the situation even worse: after taking control of the attacked Wi-Fi devices and executing our own code on them, we gained access not just to the local home networks but, through the internal network of the ISP, to other home routers as well. At this point we stopped the real-life experiments in line with our ethical hacking policy, but we have to assume that, using the discovered remotely exploitable vulnerabilities, a malicious attacker could easily have penetrated other routers and thereby taken control of most or even all of the modems operated by UPC and Liberty Global.

We continuously reported our findings to UPC Hungary and to Liberty Global representatives. They corrected some, but not all, of the discovered problems. Fixing the default passphrase guessing in particular proved hard, as the passphrases are printed on labels stamped to the bottom of the devices and therefore cannot be replaced by a firmware update.

We are currently conducting a real-life wardriving experiment to measure the proportion of end users who still use the default passphrase. Measurement results are expected within days.

You can find SEARCH-LAB’s related advisories at: