Wednesday, April 8, 2009

Reduce Attack Surface on Speedtouch devices

In this blog post I am going to discuss how to reduce the attack surface of SpeedTouch modem/routers. In this tutorial I will be working with the Thomson SpeedTouch 5x6, however this should apply to all Alcatel/Thomson SpeedTouch modems. I was working on an Alcatel SpeedTouch the other day, its firmware was released in 1999, and it looked almost identical.

Just to put it out there, from experience I believe SpeedTouch ADSL products are some of the best on the market for the price you pay. They are rock solid – I have never had a speedtouch modem/router crash on me and require a power cycle and every time I have diagnosed internet connectivity issues, the issue has been narrowed down to something other than the modem itself.

Let’s begin... by default the IP address for all SpeedTouch products is 10.0.0.138, however on your network you have probably changed it. In my scenario I have my SpeedTouch bridged into a Linux router, but I have still given it a LAN IP address so I can access it. My router has an IP of 10.0.0.1 and my SpeedTouch is on 10.0.0.2 (a separate segment to my core network). Telnet to your device; the default credentials are admin/admin for username and password. Note: I have seen some SpeedTouches out there that use admin/password as the default credentials.



When you log in you should be presented with a screen like this, however you will probably have a different SpeedTouch model and be running different firmware.

If you type ? and hit enter, it will display all the menus you can enter.



Navigate to service --> system. Once in this menu, type list to display all the services installed in your running firmware and which ones are enabled.



As you can see, there are many services running by default, many of which you do not need. Not only do they make it easier for attackers by giving them more targets to exploit, they also add load to your modem/router by having these daemons running. I recommend disabling all services except telnet, PING_RESPONDER, Dynamic DNS and the DNS client (DNS-C). Your modem should not have to act as a DNS server; in many cases you will have an Active Directory domain controller running DNS or a BIND server somewhere in your organisation.

Additionally, I do not use the web interface on SpeedTouches; I find it extremely limited, with a very annoying layout. You may want to keep HTTP running, however I recommend disabling it!

To disable a service, type modify. All data you enter here is case-sensitive. Enter data in a similar fashion to my screenshot below:



Hit enter for all other values in the modify wizard; that will leave those values at their defaults. The DNS server is now disabled. Continue through disabling the unwanted services, but make sure you don’t disable telnet, otherwise you will have to restore factory defaults.

A few weird protocols are SSDP and MDAP.

SSDP stands for Simple Service Discovery Protocol. It is an expired IETF protocol, used to provide a mechanism which network clients can use to discover network services. It is no longer needed!

MDAP is a protocol used by SpeedTouch devices to issue commands to CPEs (called ants) using the multicast address 224.0.0.103 and port 3235, registered with IANA. It is usually used when you want to do something like update the firmware on your router. This protocol can be manually enabled if you ever need to use it; other than that, I recommend leaving it disabled.

Side note: to trigger a firmware upgrade, navigate to software under the root menu and just type upgrade... as in the example below.




This is my service screen now that I have finished disabling all my unwanted services:


For some reason it wouldn’t let me disable HTTPI so I left it running.

Time to save the config. Navigate back to the root menu by typing .. twice. Then enter the config menu and type list to list your current configuration files.


Note that it is possible to download this user.ini file if you go back and enable FTP; you can simply transfer the entire configuration file for config backup purposes. Pretty handy!

Next, type save and give it the same filename, user.ini, as this is the default config file the modem loads.
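Once the config is saved, it is worth confirming from a LAN host that the services you disabled no longer answer. The script below is an added example, not from the original post: it probes the TCP services discussed above on the modem address used in this post (10.0.0.2) and reports anything reachable that is not on the allowed list. The port map is an assumption based on the standard ports for each service; SSDP (1900/udp) and MDAP (3235/udp) are UDP/multicast and are not covered by a plain TCP connect, so check those separately.

```python
"""Verify which SpeedTouch TCP services still answer after hardening.

Added example, not the post's own code. The host address and the
service-to-port map below are assumptions (the post names the services
but not their ports).
"""
import socket

# TCP services the post discusses, on their standard ports (assumed).
# SSDP (1900/udp) and MDAP (3235/udp) are UDP and are not probed here.
TCP_SERVICES = {
    "TELNET": 23,
    "FTP": 21,
    "HTTP": 80,
    "HTTPS": 443,
    "DNS-S": 53,   # the modem's own DNS server, not the DNS client (DNS-C)
}


def is_tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes; refused or timed out count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unexpected_services(open_services: set, allowed: set) -> list:
    """Pure check: reachable services that were supposed to be disabled."""
    return sorted(open_services - allowed)


def audit(host: str, allowed=frozenset({"TELNET"}), timeout: float = 1.0) -> dict:
    """Probe every mapped TCP service on the modem and report what still answers."""
    reachable = {name for name, port in TCP_SERVICES.items()
                 if is_tcp_open(host, port, timeout)}
    return {
        "reachable": sorted(reachable),
        "should_be_disabled": unexpected_services(reachable, set(allowed)),
    }


if __name__ == "__main__":
    # 10.0.0.2 is the modem address used in the post; adjust for your LAN.
    report = audit("10.0.0.2")
    print("reachable:", report["reachable"])
    print("still enabled but unwanted:", report["should_be_disabled"])
```

After the hardening steps, "still enabled but unwanted" should be empty; if HTTP or FTP still appear, the modify step for that service did not take effect or the config was not saved.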



You’re done. I hope you benefited from this tutorial. Drop me an email with any feedback.
