Megacable: a bit of a warning (somewhat technical)
09-17-2015, 01:02 AM, (This post was last modified: 09-17-2015, 01:12 AM by Victor David.)
#1
Megacable: a bit of a warning (somewhat technical)
Last month, I had the Megacable internet service installed. It works great, but it wasn't until tonight that I discovered that the modem that they put in the house has some SERIOUS vulnerabilities.

The worst is that by DEFAULT, this particular modem (a Huawei HG8245H) allows access to the admin portion of the device from anywhere on the internet. The credentials needed to login to the device are well known and can be found in a couple of seconds with Google.

This is not just an academic issue. I was looking into a different issue when I noticed in the modem's logs that the device had been accessed (an administrative user logged in) 10 times in the last 3 weeks or so, the most recent being yesterday. Almost all of the logins came from the Ukraine, and a couple from Bulgaria. Each access only lasted about 30-40 seconds (login to logout time) - and I wish I knew what that meant.

This ability to enable access from the outside can be turned off - which I did as soon as I saw what was happening - but out of the box, or if you reset the modem with the little hole where you need a paper clip, it goes back to having this "feature" enabled.

I'm not sure what they might have done. I'm hoping someone like Donald W. is reading this and can give me an idea of what sort of trouble I might have gotten myself into. The 30-40 second in-and-out smells of bots, but still I'm not sure they could have accessed my PC, and if so, what they might have planted there. Yikes.

Megacable beats the pants off of Telmex, but if you're looking into their service, you might want to keep this warning in mind and disable the modem's outside access immediately.

http://websec.ca/advisories/view/Huawei-...ote-access

Victor David
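
As an added example (not part of the original post), one way to review an exported router log for the pattern described above: admin logins from addresses outside the LAN, with each session's duration. The log line format, the sample lines and the function names are assumptions constructed for illustration; the thread does not show the HG8245H's actual log format.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines (documentation-range IPs); adapt LINE to the real log format.
SAMPLE_LOG = """\
2015-09-02 03:14:07 admin login ip=203.0.113.45
2015-09-02 03:14:41 admin logout ip=203.0.113.45
2015-09-10 19:20:00 admin login ip=192.168.100.5
2015-09-10 19:32:10 admin logout ip=192.168.100.5
2015-09-15 22:01:30 admin login ip=198.51.100.7
2015-09-15 22:02:05 admin logout ip=198.51.100.7
2015-09-16 08:00:00 admin login ip=198.51.100.9
"""
LINE = re.compile(r"^(\S+ \S+) (\w+) (login|logout) ip=(\S+)$")
# Explicit LAN ranges: ipaddress.is_private also covers documentation ranges,
# which would hide the sample WAN addresses above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def remote_admin_sessions(log_text):
    """Return (user, ip, login_time, seconds) for sessions opened from outside the LAN."""
    open_logins, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, user, event, ip = m.groups()
        try:
            if is_lan(ip):
                continue
            ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:          # malformed address or timestamp: skip the line
            continue
        if event == "login":
            open_logins[(user, ip)] = ts
        elif (user, ip) in open_logins:
            start = open_logins.pop((user, ip))
            sessions.append((user, ip, start, int((ts - start).total_seconds())))
    # A login with no matching logout is still reported, with unknown duration.
    sessions += [(u, ip, start, None) for (u, ip), start in open_logins.items()]
    return sorted(sessions, key=lambda s: s[2])

if __name__ == "__main__":
    for user, ip, start, secs in remote_admin_sessions(SAMPLE_LOG):
        print(f"{start} {user} from {ip}: {secs if secs is not None else 'no logout'} s")
```

Any row in the output means the admin interface answered a login from the WAN side; after disabling remote access, a later export of the log should produce none.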
09-17-2015, 06:18 AM,
#2
RE: Megacable: a bit of a warning (somewhat technical)
All routers are accessible via their IP address, which is easily found using a web search or by typing "ipconfig" into a command prompt and looking for the default gateway, and usually the default admin password on older models is something like "password." However, each computer's connection to the internet is individually protected through your computer configuration, so someone gaining access to your router configuration might be able to steal your wifi signal if they're in range but they aren't going to be able to access your computer unless you're connected to a remote desktop, your computer is infected with a RAT (remote access trojan -- pray you don't have one of those because that enables someone to completely take over your computer from a remote location) or they're within the range of your wifi signal and you've got public sharing enabled. I think if you do a factory reset of your router and then reset all of your passwords, you should be fine. For peace of mind, you might want to install Malwarebytes and run a scan.

Here are some useful links:
check if your computer has been accessed - http://www.makeuseof.com/tag/has-someone...-to-check/
update router security - http://www.computerhope.com/issues/ch001289.htm
09-17-2015, 07:58 PM,
#3
RE: Megacable: a bit of a warning (somewhat technical)
You are referring to the router's inner-facing IP address when you mention ipconfig. That's a different story. Of course all routers are accessible by their IP addresses (plural), their inner-facing one and their outer-facing one. And yes, the manufacturer's default passwords are easily known.

However, it is a massive security glitch to have the router's admin program available to the outer-facing interface, i.e. the internet. I tend to agree that they probably couldn't access my PC, but still I wonder why someone from the Ukraine wants to enter into my router's admin program.

This particular router has a mirror feature, where all traffic can be duplicated and sent to another destination. If an attacker were to enable that, they'd be able to catch a lot of what you were doing. Not good.

So, I'm just saying that if you get service from Megacable, it would be a good idea to disable the ability to access the admin program from the internet side. And yes, I did do a factory reset as you suggested - and then re-applied my custom settings - because I didn't know what might have been changed.
09-17-2015, 10:34 PM, (This post was last modified: 09-17-2015, 10:35 PM by grumbalina.)
#4
RE: Megacable: a bit of a warning (somewhat technical)
No, the default gateway that you can find by typing ipconfig into a command prompt is the address that you plug into a web browser to access your router's online configuration. I don't think what you're talking about is necessarily a security glitch because the IP addresses to access most routers are well known, and most of their default admin usernames and passwords are listed online. I know that my last router in the US, which I got through Time Warner, had the same sort of generic username and password and an easily searchable IP address. Honestly, I think the biggest danger with such a router is someone stealing your internet.

I don't think that someone monitoring your traffic would be able to actually do much with the information. I mean, they would have to have a keystroke logger or RAT installed on your machine to know what you were typing or have another device actually plugged into the router and your computer, so it's not like they could get any real information remotely besides the websites you visit, if even that. You can check out this article for more information on the type of data that can be obtained from routers and this article for great information on how to determine what's happening on your network.

Also, sometimes devices connected to your computer, like a printer, can have a static IP address that shows up on your router configuration. However, I just saw this article about hackers from the Ukraine running a program to hit every IP address with an exhaustive list of username/password combinations. I wouldn't worry too much because the hackers were accessing a server, which requires remote access, and not an individual computer.
09-18-2015, 01:26 AM,
#5
RE: Megacable: a bit of a warning (somewhat technical)
Interesting that you are so complacent about somebody being able to access and modify your router configuration from the other side of the world. Same with intercepting your traffic.... Okay.. I'm not comfortable with it. And while you might not think it's a security glitch, experts who publish this sort of thing (linked in my original post) disagree; they classify this one as Severity: Very High. Also, depending on what you do, monitoring your traffic can reveal a lot; some email servers don't require encrypted connections, same with some web services. The bad guys don't need a keylogger; unencrypted login info gets sent in the packet traffic to the remote services, and one door frequently opens another.
09-18-2015, 07:17 AM,
#6
RE: Megacable: a bit of a warning (somewhat technical)
Honestly, the more I think about it, the less worried I am. For someone to exploit this readily available information about your router, they'd actually have to be on your network intercepting your wireless signal. The default gateway is the same for everyone with a certain type of router, and it's not like there's some central website you can go to and access someone's specific router number to gain access. For example, I have a Telmex router and I'm sure that most people within my wifi range have Telmex routers, but I can't only access my own router with the default gateway, even though we all have the same default gateway.

And the severe security glitch listed in the link you provided isn't that your router login information is listed online, it's that there's a default administrator that you can't delete or change the password for, which again, is only an issue if someone has direct access to your network. It's probably more of an issue when the router is used by multiple users.

More than likely, you have an app or a device installed that is pinging your router with various IP addresses. There is lots of stuff to be worried about online, but I think your router security concern isn't as severe as you thought, especially for individual users.
09-18-2015, 08:31 AM,
#7
RE: Megacable: a bit of a warning (somewhat technical)
Very kind of you to share - thank you! You know this is coincidental but I discovered the same thing with the Telmex I was using in Gto just a couple of weeks ago.

Here is why this is a serious issue: By knowing or scanning the IP address of your router from anywhere in the world, your router panel log-in screen can be accessed remotely. With no built-in security features for these routers like the so-called "big boys" have, e.g. where repeated attempts at guessing passwords are not thwarted, e.g. by slowing down or stopping after multiple fails, this leaves your equipment open to be accessed from anywhere in the world. And with no major password guessing attempts even detectable by these low-end devices, this leaves them vulnerable to be hacked by the most elementary of automated password guessing tools, available online for anyone to download, incidentally.

The easiest hack to be used is one that is commonly installed on workstations via compromised websites, where the computer DNS servers are altered to point away from those at the ISP, to some rogue ones controlled by the hacker. By altering the named DNS servers in your router, the hacker can route every lookup of every URL by every machine in your home, changing that lookup service from the ISPs to a spiffed DNS server they own. The first thing they can do with this hack is receive a list of every URL you enter into your browser, plus any one you click on from another webpage.

OK, so they know everywhere you go now, so what's the big deal, some might ask. First thing they watch for is when you go to "yourBankName.com". They then construct a website that looks exactly like your bank page. Now they set up a redirect on their spoofing DNS server that re-directs you to their fake copy of your bank's web page when you go to "yourBankName.com". Now you key in your bank account credentials while looking at their spoofed exact copy of your bank screen, and in a couple of seconds, they have your bank log-in credentials.

Now surely I don't have to explain what can be done with those.

Good catch there David Victor, and certainly something that needs to be brought to the attention of these companies. This setup would never be allowed in the US and should be considered a severe security breach.

Incidentally to those worried now, using a secure VPN uses the secure DNS servers of the VPN company and not the local ISP (which we see now can be hacked by the most rank amateur and from anywhere in the world) so consider this using both cable and DSL connections in Mexico. This is one of the reasons they always recommend using a secure VPN when traveling, particularly when doing financial transactions online and even more strongly suggested from publicly available wi-fi connections.

DNS Server: On the Internet, every piece of data is routed to an IP address within the underlying architecture. From a human perspective, we deal in names instead of numbers. In other words, it's a lot easier for us to remember www.google.com than 63.96.4.55, but in reality it is only the first few milliseconds after you enter www.google.com into your browser that your computer goes to its named DNS server, which is a database that gives your computer the number 63.96.4.55 for google.com, and the number is used from that point onward.

By hijacking a DNS server, a hacker can redirect your computer's internals to any new IP address they wish, frequently IP addresses controlled by them and thus how the reroute is accomplished from your bank to the image they present to capture your login credentials.
09-18-2015, 10:53 AM,
#8
RE: Megacable: a bit of a warning (somewhat technical)
Thank you Donald, from your previous posts I figured you were someone who understands the severity of this security problem. I hadn't thought about the DNS spoofing, but that might certainly be the point of attack after entering the router's configuration.

The whole idea is that someone does NOT "have to be on your network intercepting your wireless signal" in order to exploit this. Quite the contrary; by default this router allows itself to be administered from the internet side. Obviously, the person or persons who entered my router configuration program from the Ukraine and Bulgaria are not in wi-fi range.

To make things a little more interesting, I just tried a little experiment. I took my outer-facing IP address (belonging to Megacable) and incremented the last digit by 1. I plugged that into my browser and received the login screen to another customer's router. I incremented again and received another login screen from another customer's router. Etc. Since I know the login credentials - as we've discussed, they're not a secret - I could have logged in to somebody else's router and made mischief. I didn't because I'm on the side of good :) - but this is a serious problem. I don't know that Megacable wants to hear about it, but I just wanted to let people know. I think Megacable is - or will be - popular as an alternative to Telmex, but you should watch out for the default configuration of the routers that MC is handing out.

