September 21, 2014

In Brief: Telstra routers have hard-coded password – Broadband users at risk

(LiveHacking.Com) – It has been discovered that a recent line of Telstra broadband routers have hard-coded usernames and passwords that could allow attackers access to users’ home networks. SC Magazine Australia was told of the vulnerability just under a month ago, contacted Telstra, and delayed disclosing the problem until Telstra had new firmware ready.

Telstra has now published a patch to fix the issue and is contacting affected customers so that they can upgrade. Applying the new firmware is the only way of removing the permanent login account. The firmware applies only to the BigPond Elite™ Network Gateway routers.

“We’ve now published a firmware update and are contacting all customers with this type of modem to ensure they install the patch,” Telstra told SC Magazine in a statement. “…we’ve worked as quickly as possible with our vendor to design, create, test and deploy a software update for our customers.”

The vulnerability was found by Milan-based security researcher and consultant Roberto Paleari. He later worked with Telstra and Netcomm to explain the details of the vulnerabilities. As well as the hard-coded passwords, Roberto also found a command-injection vulnerability that existed because the server-side script failed to correctly validate user-supplied input.