Telia Router and TV Box – Backdoor


Monday, July 6th, 2020 |

Telia, a Swedish multinational telecommunications company, provides mobile service, FTTH internet, DSL internet and IPTV. They are also known for renting and selling custom routers and set-top TV boxes to customers, who have limited or no administrative access to them. What is important to note about these routers and TV boxes is that each of them carries a backdoor, or “management interface.” This backdoor is an SSH server reachable on VLAN 5 and/or the WAN side, typically on port 8022. Older models, such as the ADB, have password login enabled. More recent models, such as the Technicolor, have password login disabled and accept only SSH public key authentication, but it’s important to note that these are still exposed, because the weakness described below lies on Telia’s side of the connection rather than in how the router authenticates.

A selling feature of the Telia routers and TV boxes is their Savitarna system (Lithuanian for “Self Service”). This is a web service that lets Telia customers order and manage services, get invoices, pay bills, etc. It uses password authentication or external logins via Facebook, Google, online banking, etc. One of the newer features of this system, and the most alarming one, is the ability to change the customer’s router password from the web.

When a user wants to change their router password, the web service opens an SSH connection to the router associated with that user. Depending on the router model, it authenticates with a password or with an RSA key pair. Once logged in, a PHP script on the backend issues commands to the router’s shell, parses the output, and displays some of the data, such as the wireless network name, to the user in the web interface. What is alarming already at this stage is that Telia stores and transmits the user’s Wi-Fi password in plaintext throughout this operation.


Taking a deeper look at the established SSH connection, a network capture shows the client banner, ‘SSH-2.0-libssh2_1.4.2 PHP’, and the remote IP that initiated the connection, 10.0.98.251.

Items of import here are:

  • A vulnerable libssh2 version, 1.4.2 (see https://www.libssh2.org/security.html)
  • A weak and deprecated key exchange, diffie-hellman-group1-sha1
  • The client does not verify the remote SSH server’s host key (see below)
  • PHP (the ssh2 extension, which wraps libssh2 and appends “PHP” to the banner)

The research team behind this discovery, Full-Disclosure.eu, notes that the Telia client makes no attempt to verify the remote server’s host key. They started a custom SSH server on port 8022 (the port normally used in this operation), and the Savitarna web service connected to it without complaint: nothing on the client side guards against a man-in-the-middle. From there they could read the password the client sent, and could equally have built a malicious SSH server that targets public libssh2 vulnerabilities on Telia’s side of the connection.
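To make the client-side mistake concrete, here is an added example written for this article. It is not Telia’s Savitarna code; it shows a Savitarna-style “log in to the router and read the SSID” routine as the page describes it (PHP ssh2 extension over libssh2, no host key check) beside a hardened version that pins the router’s host key fingerprint and refuses the deprecated key exchange. The command used to read the SSID (`cat /tmp/ssid`), the helper names, and the assumption that the router offers a SHA-256 key exchange are placeholders, not facts from the disclosure.

```php
<?php
// Added example, not Telia's code. Requires the PECL ssh2 extension.
// Assumptions (not from the page): the SSID command, the helper names,
// and that the router supports diffie-hellman-group-exchange-sha256.

const ROUTER_PORT = 8022;     // management port named in the article
const ROUTER_USER = 'tadmin'; // account named in the article

// VULNERABLE: mirrors the observed client. ssh2_connect() accepts whatever
// key exchange and host key the peer presents, and nothing checks the host
// key, so any listener on port 8022 receives the password in the auth request.
function fetch_ssid_vulnerable(string $host, string $password): string
{
    $session = ssh2_connect($host, ROUTER_PORT);
    if ($session === false) {
        throw new RuntimeException("connect to $host failed");
    }
    if (!ssh2_auth_password($session, ROUTER_USER, $password)) {
        throw new RuntimeException('authentication failed');
    }
    return run_command($session, 'cat /tmp/ssid'); // placeholder command (assumption)
}

// HARDENED: the backend must already know each router's host key
// fingerprint (recorded at provisioning; $expectedFp here is that record).
// Restrict the key exchange, verify the fingerprint, and only then send a
// credential. A rogue server on 8022 therefore never sees the password.
function fetch_ssid_hardened(string $host, string $password, string $expectedFp): string
{
    $methods = [
        'kex'     => 'diffie-hellman-group-exchange-sha256', // no group1-sha1
        'hostkey' => 'ssh-rsa',
    ];
    $session = ssh2_connect($host, ROUTER_PORT, $methods);
    if ($session === false) {
        // Also fails here if the router only offers the deprecated group: fail closed.
        throw new RuntimeException("connect to $host failed or no acceptable kex");
    }
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedFp), strtoupper($fp))) {
        // Possible man-in-the-middle: abort before any credential leaves the backend.
        throw new RuntimeException("host key mismatch for $host: got $fp");
    }
    if (!ssh2_auth_password($session, ROUTER_USER, $password)) {
        throw new RuntimeException('authentication failed');
    }
    return run_command($session, 'cat /tmp/ssid'); // placeholder command (assumption)
}

// Run one command over the authenticated session and return its trimmed output.
function run_command($session, string $cmd): string
{
    $stream = ssh2_exec($session, $cmd);
    if ($stream === false) {
        throw new RuntimeException("exec of '$cmd' failed");
    }
    stream_set_blocking($stream, true);
    $out = stream_get_contents($stream);
    fclose($stream);
    return trim($out);
}

// Usage (hypothetical values): the hardened call throws on the rogue server
// described in the article instead of handing it 'tadmin' and the password.
// echo fetch_ssid_hardened('192.0.2.10', $routerPassword, $pinnedFingerprintFromDb);
```

The same fingerprint check belongs in front of `ssh2_auth_pubkey_file()` for the key-authenticated Technicolor models: there the rogue server would not obtain a password, but it would still get a libssh2 1.4.2 client talking to a server it fully controls, which is the other attack path the researchers point out.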

Once the malicious SSH server was up and the Savitarna service had connected to it, the researchers received the universal router credentials, ‘tadmin/hqMV8Wps’. Logging in locally with those credentials gave them a limited shell, which exposed further hidden information and vulnerabilities in the router; by exploiting these they escalated privileges to a root shell.


After Telia was notified of the vulnerabilities, exploits and weak passwords described above, nothing of note was fixed and no passwords were changed, despite Telia’s claims to the contrary. Telia was notified in October 2019; full disclosure of this information took place in late June 2020. Full-Disclosure.eu states that no changes have been made to the vulnerable applications.
