
1. Introduction
In the capital of our vast Motherland, MGTS is rolling out GPON technology on an unprecedented scale, under the banner of getting rid of copper wires and bringing affordable Internet to the population. MGTS has more than 3.5 million subscribers in Moscow, and the assumption is that every one of them will be covered.
The idea is wonderful: optics in every apartment, high-speed Internet, free connection and a Wi-Fi router as a gift (officially without the right to reconfigure it, but more on that later). The implementation of such a large-scale project (such a device is placed in every apartment that has at least a landline telephone from MGTS) has, as usual, not been without planning holes that can be costly for the end user. Our company took an interest in the information security of the clients of this project and conducted an express study, the results of which we offer to the public to inform them about the threats and about measures to counter them at home.
2. Life in the palm of your hand
The threats turned out to be neither illusory nor minor but systemic, and their risk potential is hard to overstate. I want to warn happy MGTS subscribers of the threat to their privacy hidden not only in the ZTE ZXA10 F660 router kindly but forcibly donated by the provider (the less vulnerable Huawei HG8245, also installed for subscribers, is still not protected from its "default settings"), but also in the way the organization itself connects subscribers to the new communication lines.
Here are the two devices the operator installs:
- Less dangerous: Huawei HG8245
- Much more "full of holes": ZTE ZXA10 F660
There are problems of several degrees of danger; some can be solved on your own, others we can only draw attention to. Let's list the main points that help an attacker break into your home network (assuming you are an MGTS subscriber for the Internet service):
- The Wi-Fi password is your phone number (during the survey we also met lazy installers who set the password to the router's MAC address without its first 4 characters).
This means that breaking into the Wi-Fi network by brute force with the mask 495?d?d?d?d?d?d?d takes minutes, and you do not have to be near the target the whole time: it is enough to catch the moment when one of the subscriber's wireless devices (smartphone, tablet, laptop) connects to the router, and the rest can be done at leisure on a home computer. This miscalculation by the operator at the level of how connections are organized is a gaping hole that opens the home networks of millions of subscribers to attack. It can only be fixed locally, by changing the access point password to a stronger one yourself. The next vulnerability, however, is much more serious, because the subscriber cannot easily do anything about it on their own.
- The WPS wireless configuration technology, enabled by default on ZTE ZXA10 F660 routers, is vulnerable. Whereas the organizational miscalculation at the password level does not let an attacker compromise subscribers en masse (each one has to be worked on separately), exploiting the WPS vulnerability of this router model puts network break-ins on a conveyor belt. The technology works as follows: a WPS connection uses an 8-digit PIN, and when the router receives the correct PIN it hands over the real Wi-Fi password. Not only can this PIN be brute-forced with the well-known Reaver tool, which is far more efficient and faster than attacking a complex WPA2 password, but the main problem is that it is the same on every ZTE ZXA10 F660 router, and it can be found on the Internet in 10 minutes. I repeat: knowing this PIN (which can be neither changed nor turned off), within 3 seconds you obtain the real Wi-Fi password of any complexity and encryption type, or you are connected directly to the subscriber's network.
Thus the "happy" owners of this particular model (the operator has only two, so the chance is 50/50), even after setting a password that is impossible to crack, will still have their wireless network broken into in under 5 seconds because of the flaw in the technology.
3. What does a hacked Wi-Fi network mean for its owner?
Leaving aside platitudes like "free Internet" (this is not the 90s, and people with gadgets usually have enough Internet already), what are the threats? We list the most obvious:
- Interception of the subscriber's traffic and theft of passwords for e-mail services, social networks, messaging programs and other sensitive data
- Attacks on the computers of the access point's owner in order to get at user files, view webcams and install viruses and spyware (home computers are usually far more vulnerable to attack from inside the network than corporate machines: weak passwords, irregular updates and open shares are the tradition here)
- Wiretapping of telephone conversations (yes, with the move to unprotected SIP this has become easier than ever). Now not only the special services but also a curious neighbour (and maybe not a neighbour) can record your conversations on your landline number, because the new telephony works over the unprotected SIP protocol, and all the tools needed to intercept and record such calls have long been publicly available.
- Theft of the phone number: by slightly modifying the router's software, an attacker can learn the SIP account password and use it to make calls on behalf of the hacked subscriber. This means not only direct financial loss for the owner of the number but also the possibility of far more serious damage: using an unsuspecting citizen's number for blackmail, contacts with terrorists, or to frame the owner, for example by calling in a bomb threat to the police from that number.
- Creation of a large botnet (MGTS has 3 504 874 subscribers in Moscow), with each connection potentially at 100 Mbps. Yes, this would take an army of lemmings, but as everyone knows, hordes of biological bots permanently inhabit the various "chans" and are regularly recruited by interested parties for all kinds of online campaigns, usually destructive ones.
- Using a random (or not so random) network to anonymously upload prohibited material to the Internet (guess whose door gets knocked on?).
4. Protection Measures
What can be done, and how can you protect your privacy in this situation? You can do little by yourself, but these steps are mandatory for anyone who does not want to fall victim to a poorly thought-out operator campaign.
We will need the router passwords, which are easy to find on the Internet; write them down:
- Access to the ZTE ZXA10 F660 web interface: login mgts, password mtsoao
- Telnet console access: login root, password root
- For the Huawei HG8245: default address 192.168.100.1, login telecomadmin, password admintelecom
- Through the web interface, change the access point's password and its name (the MAC address will still identify you as an MGTS client, but renaming the access point reduces the likelihood of matching a specific Wi-Fi signal to a specific apartment)
- Owners of the ZTE ZXA10 F660 should switch off Wi-Fi with the button on the device. At the moment this is the only way to protect against WPS attacks.
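As an added self-check (not from the original article or from MGTS), here is a small Python audit that reads a router description in a layout we assume ourselves and flags the weaknesses the article describes: a phone-number or MAC-derived Wi-Fi password, WPS still enabled on the ZTE ZXA10 F660, and admin logins still at the operator defaults listed above. It generalizes slightly by treating any all-digit passphrase as phone-number-like.

```python
import re

# Default credentials the article lists for the two operator-installed routers,
# used here only to confirm that the owner has changed them.
KNOWN_DEFAULT_CREDS = {
    ("ZTE ZXA10 F660", "web"): ("mgts", "mtsoao"),
    ("ZTE ZXA10 F660", "telnet"): ("root", "root"),
    ("Huawei HG8245", "web"): ("telecomadmin", "admintelecom"),
}
# The article's mask 495?d?d?d?d?d?d?d: a Moscow number, 495 plus seven digits.
MOSCOW_PHONE = re.compile(r"^495\d{7}$")


def _mac_hex(mac):
    # Normalise 'AA:BB:CC:DD:EE:FF' (any separator) to 12 lowercase hex characters.
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def audit(cfg):
    """Return (severity, finding) pairs for one router config dict with keys
    model, passphrase, wps_enabled, mac, credentials (iface -> (login, password))."""
    findings = []
    pw = cfg["passphrase"]
    if MOSCOW_PHONE.match(pw):
        findings.append(("high", "passphrase is a Moscow phone number (495 + 7 digits)"))
    elif pw.isdigit():
        # Generalisation beyond the article: any all-digit passphrase is a tiny keyspace.
        findings.append(("high", "passphrase is all digits, phone-number-like"))
    # Our reading of the 'MAC address without the first 4 characters' variant.
    if cfg.get("mac") and pw.lower() == _mac_hex(cfg["mac"])[4:]:
        findings.append(("high", "passphrase is derived from the router MAC address"))
    if cfg["wps_enabled"]:
        if cfg["model"] == "ZTE ZXA10 F660":
            findings.append(("critical", "WPS on: fixed shared PIN on this model; only switching Wi-Fi off helps"))
        else:
            findings.append(("medium", "WPS enabled; disable it if the firmware allows"))
    for iface, creds in cfg["credentials"].items():
        if KNOWN_DEFAULT_CREDS.get((cfg["model"], iface)) == tuple(creds):
            findings.append(("high", f"{iface} admin login still uses the operator default"))
    return findings


# Constructed sample: a freshly installed F660 exactly as the article describes it.
SAMPLE_F660 = {
    "model": "ZTE ZXA10 F660",
    "passphrase": "4951234567",  # constructed phone-number passphrase
    "wps_enabled": True,
    "mac": "00:11:22:33:44:55",  # constructed
    "credentials": {"web": ("mgts", "mtsoao"), "telnet": ("root", "root")},
}
```

Running `audit(SAMPLE_F660)` yields four findings; after the measures above are applied (new passphrase, Wi-Fi off, admin password changed) the same call returns an empty list.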
Unfortunately, at best a few percent of the 3.5 million users will take these measures; most will never learn of this article and will remain vulnerable to a very real threat for a long time, until something or someone makes the operator spend a pile of money on centralized measures to correct the technical and organizational deficiencies of the project.
5. Conclusion
What conclusions can be drawn from all this? The most disappointing one: the largest GPON rollout (I repeat, about 3.5 million subscribers!) was carried out without consulting information security experts, or those consultations were completely ignored during implementation. Phone numbers as passwords, WPS that cannot be disabled and uses a single key, unprotected SIP telephony, passwords retrievable from the web interface: all this is the result of a weak organizational component and a complete disregard for elementary information security standards. I am sure MGTS is far from unique in such miscalculations, and many smaller operators are in the same situation with respect to protecting their subscribers' data, but this time the scale of the problem exceeds all conceivable bounds.
6. Official reaction of OJSC MGTS
We, as responsible security researchers, are interested in the quickest possible resolution of the problems raised above. Unfortunately, our concern found no response in the hearts of the MGTS press service, which we tried to reach through every available channel. Only one reply was received, via Facebook: the press officer assured us that we may publish the available material with a clear conscience, and then, answering questions from the press, they assure everyone that subscribers are safe and their data is confidential.