Backdoors to the Home

Fresh from the Zyxel hardcoding fiasco, here’s another report regarding hardcoded vulnerabilities involving network devices where over 20 backdoor accounts have been found in in FiberHome FTTH ONT (Fiber-to-the-Home Optical Network Terminal) routers deployed to homes in South America and Southeast Asia.

A security researcher named Pierre Kim published a report detailing the vulnerabilities of two router models FiberHome HG6245D and FiberHome RP2602, probably rebranded or distributed under different names by the regions’ respective telcos. The researcher also says that there are possibly others due to telco rebranding.

Fortunately, their IPv4 control panels are protected by the device firewall but not IPv6 which the Fiberhome engineers apparently failed to activate. Hence, threat actors can easily access these once discovered. These backdoors are often placed by vendors in case the devices need remote support while some may be unintentional. The report lists these backdoors and vulnerabilities as follows:

• Admin panel’s passwords and cookies are stored as unencrypted text in HTTP logs
• A hardcoded SSL certificate which is stored on the device is used to secure the management interface
• The device’s MAC address can be used by an attacker to run a telnet connection to the device through a specially crafted HTTPS URL
• That MAC address is leaked by the device when the device is accessed through a browser with Javascript disabled.
• The management panel itself has 22 hardcoded credentials which may have been added for the benefit of various ISPs
• The firmware has several hardcoded credentials for use in Telnet and device management through protocol TR-069
• There are encrypted credentials, but the decryption key is also stored within the binary

Mr. Kim has already alerted the vendor but it’s unclear if they have been patched. If not, threat actors can easily access computers that connect to these routers or use the routers to create botnets.