
Weaknesses in Alcatel DSL Modems


Tsutomu Shimomura and fellow researcher Tom Perrine of the San Diego Supercomputer Center (SDSC) published security vulnerability findings regarding two models of Alcatel ADSL ethernet bridges. The vulnerabilities were verified on the Alcatel Speed Touch Home ADSL Modem and the Alcatel 1000 ADSL Network Termination Device, although other Alcatel devices are suspected to be affected. The three major areas explored by the researchers are authentication weaknesses, TFTP exposures, and lack of verification of firmware. CERT issued advisory CA-2001-08 (http://www.cert.org/advisories/CA-2001-08.html), which also contains responses from Alcatel representatives. It is questionable how much risk the discoveries actually expose.

Weaknesses

Authentication

The first configuration weakness exposed is that the Alcatel ADSL modems ship with a null (empty) administrative password. The researchers offer no alternative to shipping this way. A fixed default password set at the factory would be identical on every unit and would deter only the most incompetent attackers.

The second weakness is the exposure of the password through the file system: the configured password is stored in the device's configuration file, which is readable and writable over TFTP. This weakness therefore couples weak storage of the authentication information with the TFTP exposures described below. An attacker with TFTP access by any of the routes below can retrieve the configured password or replace it.

The final authentication weakness explored is perhaps the most insidious. The examined Alcatel devices, and potentially other models, expose an "expert" mode for access to the device. Logging in as the user EXPERT triggers an alternative login sequence: the device presents a challenge string and expects a calculated response. According to the researchers, the response is derived from the MAC address of the device by an undisclosed algorithm, and there is no configuration setting that disables this back door.

TFTP

By far the most interesting information from the research comes from the exploration of the TFTP service exposed by the Alcatel devices. The first vulnerability is simply that these devices run a TFTP server. TFTP carries no authentication of any kind, and it is the transport for loading new firmware and configuration onto the devices. The only protection the device offers is that TFTP requests must originate from the LAN side.

Exploits of the TFTP exposure

The researchers do offer some interesting information regarding the exploitation of the exposed TFTP service. Their first strategy is a "bounce" off a service such as UDP echo. The attacker sends UDP datagrams from the WAN to the echo port (7) of a machine on the LAN behind the modem, with the source address forged to be the modem's own IP address and the source port set to the TFTP port. If that machine runs the UDP echo service, it returns each payload to its claimed source: the modem's TFTP port, now arriving from the LAN side, where the modem accepts it. Using this technique, an outside attacker can successfully TFTP files to the modem from outside the LAN and overwrite configuration information or load new firmware.

An additional weakness of the Alcatel modems is their response to broadcast on the LAN side. Because the devices answer TFTP requests sent to the limited broadcast address 255.255.255.255, an attacker does not need to know the address of the target device.

The researchers also pointed out that the affected modems do not forward source routed packets by default. However, an attacker who has already reached the modem through the "bounce" mechanism could rewrite the configuration to enable source routing, after which the bounce is no longer needed.
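The bounce mechanism and the anti-spoofing check that defeats it, as an added example that is not part of the original article or of the SDSC research. It encodes a TFTP write request exactly as RFC 1350 defines it (opcode, filename, mode, and nothing resembling a credential), models what a LAN host running UDP echo does with a datagram whose source is forged to the modem's address and port 69, and runs a detection pass over a constructed capture. The addresses, the interface labels, and the filename "config.bin" are all constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TFTP_PORT = 69       # TFTP server port (RFC 1350)
UDP_ECHO_PORT = 7    # UDP echo service (RFC 862)
OP_RRQ, OP_WRQ = 1, 2


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP write request: opcode, filename, NUL, mode, NUL.
    The wire format has no field for a credential of any kind."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(payload: bytes) -> Optional[dict]:
    """Decode a TFTP read/write request; return None for any other packet."""
    if len(payload) < 4:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\0")
    if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
        return None
    return {"op": "RRQ" if op == OP_RRQ else "WRQ",
            "filename": fields[0].decode("ascii", "replace"),
            "mode": fields[1].decode("ascii", "replace").lower()}


@dataclass
class Datagram:
    ingress: str      # "wan" or "lan": the bridge interface it arrived on (constructed label)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def echo_reply(d: Datagram) -> Datagram:
    """What a LAN host running UDP echo does: the payload goes back to the claimed source."""
    return Datagram("lan", d.dst_ip, d.dst_port, d.src_ip, d.src_port, d.payload)


def is_spoofed_wan_source(d: Datagram, modem_ip: str, lan_net: ipaddress.IPv4Network) -> bool:
    """Anti-spoofing rule the bridge could enforce: a datagram arriving on the WAN
    must not claim a source address that belongs to the modem or to the LAN."""
    src = ipaddress.ip_address(d.src_ip)
    return d.ingress == "wan" and (src == ipaddress.ip_address(modem_ip) or src in lan_net)


def bounce_alerts(traffic: List[Datagram], modem_ip: str,
                  lan_net: ipaddress.IPv4Network) -> List[str]:
    """Detection pass over captured datagrams: flags spoofed WAN-side sources and,
    for those aimed at an echo port, the TFTP request the echo would deliver to the modem."""
    alerts = []
    for d in traffic:
        if not is_spoofed_wan_source(d, modem_ip, lan_net):
            continue
        alerts.append(f"spoofed source {d.src_ip}:{d.src_port} on WAN -> {d.dst_ip}:{d.dst_port}")
        if d.dst_port == UDP_ECHO_PORT:
            r = echo_reply(d)
            req = parse_request(r.payload)
            if r.dst_ip == modem_ip and r.dst_port == TFTP_PORT and req:
                alerts.append(f"echo bounce delivers TFTP {req['op']} for "
                              f"'{req['filename']}' to modem from LAN")
    return alerts


# Constructed sample capture: one ordinary DNS reply, then the bounce datagram.
MODEM_IP = "10.0.0.138"
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
SAMPLE = [
    Datagram("wan", "198.51.100.7", 53, "10.0.0.10", 40001, b"\x12\x34"),
    Datagram("wan", MODEM_IP, TFTP_PORT, "10.0.0.10", UDP_ECHO_PORT, build_wrq("config.bin")),
]

if __name__ == "__main__":
    for line in bounce_alerts(SAMPLE, MODEM_IP, LAN_NET):
        print(line)
```

The check in is_spoofed_wan_source is the one the bridge lacks: dropping WAN-ingress datagrams that carry a LAN or modem source address removes the bounce without touching TFTP itself, which is why the "must come from the LAN side" rule is only as strong as the device's source filtering.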

Finally, both TFTP and SNMP listen on the raw WAN side of the bridges, the side facing the DSLAM. The researchers go on to hypothesize about a portable DSLAM with which an attacker could tap the line outside a target's home. At that point the attacker is free to change configuration, upload firmware, or manipulate SNMP values.

Firmware

The last area of exploration of the Alcatel ADSL modems is the lack of verification when loading new firmware. This compounds the TFTP exploits above: an attacker who can write to the device can load malicious firmware, and the device has no way to detect it. The researchers therefore suggest authenticity and integrity checking on firmware loads. The practicality of such checks in a consumer device of this class is questionable.
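What the suggested firmware check amounts to, as an added example that is not Alcatel's code and not part of the SDSC research. The image format (a header, the image, and a tag) is constructed for the example; the tag is an HMAC-SHA256 over header and image under a key assumed to be embedded in the device, which gives integrity and authenticity in one keyed hash. A production design would use a public-key signature instead so the device holds no secret, but the structure of the check is the same.

```python
import hashlib
import hmac
import struct

MAGIC = b"ALCF"                 # constructed header magic; not a real Alcatel format
HDR = struct.Struct("!4sHI")    # magic, version, image length
TAG_LEN = 32                    # HMAC-SHA256 output


class FirmwareRejected(Exception):
    pass


def package_firmware(image: bytes, version: int, key: bytes) -> bytes:
    """Build header + image + tag. The tag covers the header as well as the image,
    so the version and length fields are bound to the key too."""
    header = HDR.pack(MAGIC, version, len(image))
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + image + tag


def verify_firmware(blob: bytes, key: bytes, min_version: int = 0) -> bytes:
    """Return the image if the blob is authentic, intact, and not a downgrade; otherwise raise.
    Every structural check runs before the tag check, and the tag check runs before
    any field is trusted."""
    if len(blob) < HDR.size + TAG_LEN:
        raise FirmwareRejected("truncated")
    magic, version, length = HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    body_end = HDR.size + length
    if len(blob) != body_end + TAG_LEN:
        raise FirmwareRejected("length mismatch")
    expected = hmac.new(key, blob[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob[body_end:]):  # constant-time compare
        raise FirmwareRejected("authentication failed")
    if version < min_version:                               # rollback to a weaker build
        raise FirmwareRejected("downgrade")
    return blob[HDR.size:body_end]


def load_result(blob: bytes, key: bytes, min_version: int = 0) -> str:
    """What a TFTP-fed firmware loader would report instead of flashing blindly."""
    try:
        verify_firmware(blob, key, min_version)
        return "accepted"
    except FirmwareRejected as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: a device key, a genuine image, and three bad blobs.
DEVICE_KEY = b"example-device-key"          # hypothetical key; stands in for a per-model secret
GENUINE_IMAGE = b"\x7fELF" + b"firmware body for the example" * 4
GENUINE_BLOB = package_firmware(GENUINE_IMAGE, 3, DEVICE_KEY)

_tampered = bytearray(GENUINE_BLOB)
_tampered[HDR.size + 5] ^= 0xFF              # flip one byte inside the image
TAMPERED_BLOB = bytes(_tampered)
FORGED_BLOB = package_firmware(b"attacker image", 9, b"attacker-chosen-key")
OLD_BLOB = package_firmware(GENUINE_IMAGE, 1, DEVICE_KEY)

if __name__ == "__main__":
    for name, blob in [("genuine", GENUINE_BLOB), ("tampered", TAMPERED_BLOB),
                       ("forged", FORGED_BLOB), ("old", OLD_BLOB)]:
        print(name, load_result(blob, DEVICE_KEY, min_version=2))
```

The cost on the device side is one hash over the image plus a fixed-size compare, which is the part of the argument the article's practicality question turns on; the harder problem for a consumer bridge is key management, not the check itself.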

Conclusion

The initial impulse upon seeing this research is to be quite concerned for all of the "always on" DSL customers using this popular brand of bridge. Upon further inspection, it is questionable how much the discovery of these weaknesses raises the risk. These consumer grade devices suffer from the same convenience-driven weaknesses that plague all consumer-targeted equipment. It could be argued that the machines behind these bridges are the juicier targets for attackers. Obviously, a few of the points found in the research paint a picture of a patently irresponsible Alcatel



©2001-2003 by Itillious, Inc. All Rights Reserved.