
WARNING TO ALL UNIFI USERS, Threat warning, read inside (Unifi)

TSrizvanrp
post May 29 2010, 06:59 AM, updated 11y ago

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



You know, the first day I got Unifi, I asked you guys (TMnet) if I would be able to use my own router. Well you said no. When I discovered the SSH daemon running on the router (which used a different password than the web user interface), you said you couldn't disclose the password. An hour ago, I discovered that password and the reason why you won't give it out.

TM, you basically planted a bloody backdoor in everyone's DIR-615 router.

What is this? What are all these hidden options in this special account you neglected to tell us about? You mean to say I could have used my own router all along? You mean people spent >RM1000 on Cisco grade equipment just because you didn't want to tell them about this?

You mean in a sample group of 900 nodes, 600 of them who think their networks are 'secure' are actually completely open? Even those companies on Unifibiz which use the same router? WOW..

That's right guys, TM named the "administrator" account on the DIR-615 as "admin" when there was actually a secondary administrator account with a higher access level. The VLAN settings were never locked out, that account which we all assumed was the admin (because they told us so) was actually a noob piece of shit with <60% access to the router. This account has the same user/pass across every Unifi router that has been given out so far and cannot be changed or even seen with the default 'admin' account.

----

What's the fix?

Untick remote management. If you have a firewall on it, block all the ports (TCP 22/23/80/8080/443) from WAN access.

UPDATE : If you're a Unifi user on firmware 7.05, if you read everything in the management page you can find the username for this account. The pass is the same, once you get access log in and reconfigure your router security properly. I can't believe not a single technician set this account up properly.

----

FAQ

Some less tech-savvy people have asked me what this all means.. so here goes -

Q: What is this and how is this possible?
A: Every consumer router has a username/password combination to access it. This is a basic security feature to ensure that only you (the owner) can access it. This Unifi router however, has two accounts by default. When TM installed Unifi in your home/office, they only configured the first account. The second account -- which has a higher level of access was left configured with its default username/password. They also neglected to inform the customers (you) and their own technicians who did the install about this second account. As every Unifi user is 'forced' to use this router and this account has not been configured properly, every Unifi user is also vulnerable to have their routers accessed by unauthorized users simply by using this default account user/password combination.

Q: So what if outsiders can access my router? What does this mean?
A: The Unifi router is not just a simple box that sits on your network. It can be considered to be a full computer system and has the capability to run any executable that's made for it. Since an outsider can access your router, he can also do the following :

- Turn your router into a proxy, if he commits any crimes online it will be traced back to you instead and you will take the fall for it
- Use your 10/20mbps Unifi account so he doesn't have to pay for his
- Use up your bandwidth quota (once quotas are implemented) as much as he wants and you will pay for it
- 'Spy' on your Internet connection and view every site you are visiting
- Forward all connections to your home PC using DMZ, making your home PC completely vulnerable to Internet attacks.. if you have an open NAS (network attached storage) on your home network, he will be able to access all your files

And the list goes on and on..

Q: So how can I fix this?!
A: Make sure remote management is disabled (as it is enabled by default). With this enabled, anybody with this default user/pass combination can access your home router and perform the attacks I mentioned above. This fix however, doesn't prevent people on your own LAN network from accessing the router. If you are running an open Unifi hotspot (shop wifi, etc) and you are using the default DIR-615 router, the only fix is to access this second account and change the password.

I've uploaded a Router Security guide and VLAN bridging guide (to use your own hardware with Unifi) on my website @ http://unifi.athena.my

This post has been edited by rizvanrp: Jun 12 2010, 08:19 PM
xxmetalhead86xx
post May 29 2010, 07:21 AM

Getting Started
**
Junior Member
219 posts

Joined: Feb 2008
From: Sunway/Kuching


wooo nice info.... pro la u...
YoYaYo
post May 29 2010, 07:27 AM

New Member
*
Junior Member
18 posts

Joined: Apr 2007
Wow... this should be ... a STICKY!


Zepx
post May 29 2010, 07:30 AM

Regular
******
Senior Member
1,231 posts

Joined: Dec 2005
Good share rizvanrp!
MX510
post May 29 2010, 07:31 AM

Love Me Sin Hate Me Sinner
*******
Senior Member
3,961 posts

Joined: Aug 2005
From: Earth



Flash to dd-wrt n disable the remote management
palmjack
post May 29 2010, 07:38 AM

Getting Started
**
Junior Member
84 posts

Joined: Feb 2005
@Riz thank you very much for this headsup.

Moogle Stiltzkin
post May 29 2010, 07:42 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
TIME TO MASS COMPLAIN TO CFM. EVERYBODY On your mark.... GO!!



As an afterthought, I hope they don't delay Unifi in my area because of this.

This post has been edited by Moogle Stiltzkin: May 29 2010, 07:56 AM
morpheuzneo
post May 29 2010, 07:59 AM

Getting Started
**
Junior Member
234 posts

Joined: Jul 2008
thanks rizvan for sharing..!

great info for all of us - whether already a subscriber or not yet one.. (me lah..)

now next step :

1. Is there anything good we can do with this info?

2. Any setting that we can change to improve our speed / bandwidth? (maybe basic 5mb upgrade to 10?)


zenquix
post May 29 2010, 08:35 AM

Life is short!
*******
Senior Member
2,513 posts

Joined: Jan 2008


thanks for the headsup. was digging thru the router and think i found the account... luckily i already disabled remote management

Edit: and i found the password. very tempted to change it...

This post has been edited by zenquix: May 29 2010, 08:38 AM
Moogle Stiltzkin
post May 29 2010, 08:43 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
Just curious what is their purpose for doing this ???

1. more control to monitor unifi user usage ???

2. customer service support to help configure modem and router ???


Reason 1 i don't need, 2 i don't need if it means reason 1 :/

For Unifi should i get VPN ;x ??

This post has been edited by Moogle Stiltzkin: May 29 2010, 08:44 AM
xxerton
post May 29 2010, 09:06 AM

Getting Started
**
Junior Member
62 posts

Joined: Apr 2006
hahaha i had a good laugh...
TM such a big corporate could afford such half-past-six cowboy solution
kons
post May 29 2010, 09:10 AM

Конс
Group Icon
Moderator
5,955 posts

Joined: Oct 2004



It's normal for UniFi or normal DSL broadband.
Those guys who installed the riger modems at my new house last time also enabled remote management and locked out the admin mgmt account.
I have replaced them straight away.

As long as it's RJ45/RJ11, I guess it's always possible to use our own equipment.

gkl83
post May 29 2010, 09:40 AM

Look at all my stars!!
*******
Senior Member
8,295 posts

Joined: Nov 2004
is it possible or legal to replace TM's DIR-615?
Moogle Stiltzkin
post May 29 2010, 09:44 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(gkl83 @ May 29 2010, 09:40 AM)
is it possible or legal to replace TM's DIR-615?
*
I don't see why not. As long as you don't try that hack riv said is possible to increase your speed to 100mb or any other speed than your subscribed speed ;x
akidos
post May 29 2010, 09:45 AM

Casual
***
Junior Member
470 posts

Joined: Apr 2008


gg ....
Sting Ray
post May 29 2010, 10:07 AM

Getting Started
**
Junior Member
149 posts

Joined: Apr 2006


hi rizvanrp, under the secondary administrator account is there any option to allow VPN passthrough ? my wife's VPN connection problem is still not resolved and Unifi service centre didn't respond to my emails at all.
thomasyke
post May 29 2010, 10:49 AM

Casual
***
Junior Member
383 posts

Joined: Jun 2007
From: <20k group
If port 80 is blocked, how is facebook gonna reply to my port 80 request for Restaurant City~ =X

"but me no have webserver~"

This post has been edited by thomasyke: May 29 2010, 10:50 AM
DeanKueh
post May 29 2010, 11:44 AM

Enthusiast
*****
Senior Member
700 posts

Joined: Jul 2007
From: Malaysia
gj. someone should post this up on 'The Star'
infra
post May 29 2010, 11:45 AM

Getting Started
**
Junior Member
249 posts

Joined: Nov 2008
From: Penang > AmanSiara > Penang


Dlink DIR-615 default administrator login is not "admin" meh? I thought only can login as "admin" or "user" only ma...got other type of login ah??
ahpek26
post May 29 2010, 12:15 PM

Casual
***
Junior Member
475 posts

Joined: Apr 2007


Ops they're going to tell you about this but hey, you're guinea pigs and test subjects which is on the "need to know only" basis. Plus even if they tell you about it, it's not like most unifail customers would care since they don't get tech stuff like this.

Arguably tech savvy users would know what to do with it but let's face it, some people who use streamyx for 2 years and more wouldn't even know how to check their line status; remote management wha...??

I smell job opportunity from TM, ROFL.
iipohbee
post May 29 2010, 12:28 PM

On my way
****
Senior Member
603 posts

Joined: Dec 2008
QUOTE(Sting Ray @ May 29 2010, 10:07 AM)
hi rizvanrp, under the secondary administrator account is there any option to allow VPN passthrough ? my wife's VPN connection problem is still not resolved and Unifi service centre didn't respond to my emails at all.
*
Register an account with DynDNS, and let us see what you have there in your DLink router.
sg999
post May 29 2010, 12:48 PM

Enthusiast
*****
Senior Member
868 posts

Joined: May 2008
not understand
got simple explanation?

Neptern
post May 29 2010, 12:56 PM

Casual
***
Junior Member
424 posts

Joined: Aug 2005
Hell tmnut is simply trying to lock us in using their own router. I don't want tmnut to keep monitoring what i am doing on the internet. Invasion of privacy...

Damn i hate it when companies use such tactics to cheat us and won't let us change the damn router....

Btw please do not uncap the connection. It is a serious breach of contract and it is considered stealing...a criminal offence. Probably means jailtime
heizad
post May 29 2010, 01:36 PM

~ Harimau Malaya ~
******
Senior Member
1,736 posts

Joined: Jul 2006
From: Shah Alam



why is lan port 4 mapped to WAN 2?
iipohbee
post May 29 2010, 01:45 PM

On my way
****
Senior Member
603 posts

Joined: Dec 2008
QUOTE(heizad @ May 29 2010, 01:36 PM)
why is lan port 4 mapped to WAN 2?
*
That port is used to connect with the IPTV STB.
As you can see they have 2 WAN profiles created one for the dedicated IPTV using VLAN 600 and the first WAN profile is for your internet.

With the new global admin account, you'll gain access to all these. You can assign more WAN profiles for each port as well if you wanted.
heizad
post May 29 2010, 01:46 PM

~ Harimau Malaya ~
******
Senior Member
1,736 posts

Joined: Jul 2006
From: Shah Alam



QUOTE(iipohbee @ May 29 2010, 01:45 PM)
That port is used to connect with the IPTV STB.
As you can see they have 2 WAN profiles created one for the dedicated IPTV using VLAN 600 and the first WAN profile is for your internet.

With the new global admin account, you'll gain access to all these. You can assign more WAN profiles for each port as well if you wanted.
*
just logged in using the global acc, btw thx for the heads up
TSrizvanrp
post May 29 2010, 01:48 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(kons @ May 29 2010, 09:10 AM)
It's normal for UniFi or normal DSL broadband.
Those guys who installed the riger modems at my new house last time also enabled remote management and locked out the admin mgmt account.
I have replaced them straight away.

As long as it's RJ45/RJ11, I guess it's always possible to use our own equipment.
*
It's bad in this case because the router runs BusyBox. You can sniff the traffic running on other people's home networks.. and since the router runs an SSH daemon (dropbear), you can use it to setup an open/closed SOCKS proxy on their routers and forward data through their connections. Not to mention these are high speed 5-20mbps links..

If I compromised all those nodes I would have 3Gbps of bandwidth at minimum to use as a botnet (assuming everyone is on 5mbps at the very least).
ysc
post May 29 2010, 01:52 PM

Enthusiast
*****
Senior Member
833 posts

Joined: Nov 2008
QUOTE(ahpek26 @ May 29 2010, 12:15 PM)
Ops they're going to tell you about this but hey, your guinea pigs and test subjects which is on the "need to know only" basis. Plus even if they tell you about it, its not like most unifail customers would care since they don't get tech stuff like this.

*
thats why someone SHOULD write the batch script and blow everything into pieces to teach TM a lesson for taking advantage of those non-techsavvy
iipohbee
post May 29 2010, 02:09 PM

On my way
****
Senior Member
603 posts

Joined: Dec 2008
QUOTE(rizvanrp @ May 29 2010, 01:48 PM)
It's bad in this case because the router runs BusyBox. You can sniff the traffic running on other people's home networks.. and since the router runs an SSH daemon (dropbear), you can use it to setup an open/closed SOCKS proxy on their routers and forward data through their connections. Not to mention these are high speed 5-20mbps links..

If I compromised all those nodes I would have 3Gbps of bandwidth at minimum to use as a botnet (assuming everyone is on 5mbps at the very least).
*
Well Rizvanrp, how did you know they did not exploit the backdoor from day 1 in the first place?

The existence of a botnet within TM's network has been known since Streamyx time with DPI tracking technologies such as Phorm,121media as such.

It's true that there's something going on behind TM's network.

When doing secure transactions such as online payment as such I still feel safer using other prepaid isps such as Umobile, Jaring, DiGi Broadband or even Maxis.
TSrizvanrp
post May 29 2010, 02:21 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



@iipohbee

I don't think they would need to since they're the ISP.. they have logs on their side.

But honestly, this is a bad case security through obscurity. You tell all your customers there's only 1 user/pass to access the router, you tell all your technicians who install for the customers the same thing (even those who are doing Unifibiz installs).. then it turns out there's a second user/pass combo and this user/pass has a higher access level.

At least I found this <2 months into the launch and people will be aware of this now. I actually just thought of leaving it be because it would be too much trouble to fix.. but I'm not the only guy who's decent with security/networking here and if this came out once Unifi's as popular as Streamyx .. good f-ing game sir.

I actually hate this more than when they were throttling BT. At least with a BT throttle my home network is still secure. Not to mention they had me running around like a dog trying to find a way to let people use their own routers when it was possible all along.

I honestly don't know what the hell was running through the minds of the people who set this up.
iipohbee
post May 29 2010, 02:32 PM

On my way
****
Senior Member
603 posts

Joined: Dec 2008
QUOTE(rizvanrp @ May 29 2010, 02:21 PM)
@iipohbee

I don't think they would need to since they're the ISP.. they have logs on their side.

But honestly, this is a bad case security through obscurity. You tell all your customers there's only 1 user/pass to access the router, you tell all your technicians who install for the customers the same thing (even those who are doing Unifibiz installs).. then it turns out there's a second user/pass combo and this user/pass has a higher access level.

At least I found this <2 months into the launch and people will be aware of this now. I actually just thought of leaving it be because it would be too much trouble to fix.. but I'm not the only guy who's decent with security/networking here and if this came out once Unifi's as popular as Streamyx .. good f-ing game sir.

I actually hate this more than when they were throttling BT. At least with a BT throttle my home network is still secure. Not to mention they had me running around like a dog trying to find a way to let people use their own routers when it was possible all along.

I honestly don't know what the hell was running through the minds of the people who set this up.
*
Yes they do have logs on their side but they needed tools to dig further and understand the behaviors of their users.
They could use this to clear up logs in your modem, clean out evidences and take control of your usage.

I guess this idea was thought by one of their planning R&D team for pre-emptive measures. Those who have access to their DPI servers.
skincladalien
post May 29 2010, 02:42 PM

Densha Otaku
******
Senior Member
1,888 posts

Joined: Jan 2003
From: New Selangor ^.^Y


heh, lucky the first day i already disabled remote admin
TSrizvanrp
post May 29 2010, 02:55 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



CODE
BusyBox v1.00 (2009.12.23-07:29+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# ifconfig
br0       Link encap:Ethernet  HWaddr -hidden-
         inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:86488217 errors:0 dropped:0 overruns:0 frame:0
         TX packets:96746664 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:2358979520 (2.1 GiB)  TX bytes:2086808986 (1.9 GiB)

br2       Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:125967376 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:3015485720 (2.8 GiB)  TX bytes:0 (0.0 B)

eth2      Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
         RX packets:224355660 errors:0 dropped:0 overruns:0 frame:0
         TX packets:89240917 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:60425356 (57.6 MiB)  TX bytes:740660944 (706.3 MiB)
         Interrupt:3

eth2.11   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.12   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.13   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.14   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth2.500  Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:98379123 errors:0 dropped:0 overruns:0 frame:0
         TX packets:87031297 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:1981289064 (1.8 GiB)  TX bytes:359594081 (342.9 MiB)

eth2.600  Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:125976528 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:3528091028 (3.2 GiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:938 errors:0 dropped:0 overruns:0 frame:0
         TX packets:938 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:134414 (131.2 KiB)  TX bytes:134414 (131.2 KiB)


ra0       Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:72228903 errors:0 dropped:0 overruns:0 frame:0
         TX packets:94474366 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:611831149 (583.4 MiB)  TX bytes:927019935 (884.0 MiB)
         Interrupt:4

#
# brctl show
bridge name     bridge id               STP enabled     interfaces
br2             8000.-hidden-       no              eth2.600
br0             8000.-hidden-       no              eth2.11
                                                       eth2.12
                                                       eth2.13
                                                       ra0
#

This is the shell from a Unifi user's router. Takes only 5 seconds to get this access. One interesting thing to note is they have 4 additional VLANs that are not in the UI or that I've seen being used before.. VLAN 11/12/13/14 on the WAN interface. Then for some reason, they've bridged three of these VLANs to the wireless interface on the router (MACs are -hidden- by myself). These VLANs are just broadcasting data.

QUOTE(Sting Ray @ May 29 2010, 10:07 AM)
hi rizvanrp, under the secondary administrator account is there any option to allow VPN passthrough ? my wife's VPN connection problem is still not resolved and Unifi service centre didn't respond to my emails at all.  vmad.gif
*
Nope, but using this account you can use whatever router you want with Unifi by using the DIR-615 as a VLAN bridge.

Another interesting thing :

user posted image
TR-069 protocol is enabled by default and hidden from the 'admin' account. Connects to a remote server and sets up a listener on your own router. Don't know what the implications of this are.. yet.

Anyway time to sleep, so bloody exhausted

This post has been edited by rizvanrp: May 29 2010, 03:04 PM
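The audit a defender would want to run over the `ifconfig` and `brctl show` output above, as an added example that is not part of the original post or the router firmware. It assumes, as in that output, that `eth2` is the WAN-side trunk carrying the `eth2.N` VLAN sub-interfaces and `ra0` is the wireless radio; the sample text is a trimmed copy of the posted output with constructed, zeroed MAC addresses in place of the hidden ones.

```python
"""Audit `ifconfig` and `brctl show` text from a BusyBox router for the two
things the post points at: WAN VLAN sub-interfaces bridged onto the wireless
radio, and interfaces left in promiscuous mode.

Added example, not from the original post or the router firmware. It assumes
the WAN trunk is eth2 (VLAN sub-interfaces hang off it as eth2.N) and the
wireless radio is ra0, as in the output shown. The samples are a trimmed copy
of that output with constructed, zeroed MAC addresses.
"""

IFCONFIG_SAMPLE = """\
br0       Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br2       Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:03
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          Interrupt:3

eth2.11   Link encap:Ethernet  HWaddr 00:00:00:00:00:03
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2.600  Link encap:Ethernet  HWaddr 00:00:00:00:00:03
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ra0       Link encap:Ethernet  HWaddr 00:00:00:00:00:04
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4
"""

BRCTL_SAMPLE = """\
bridge name     bridge id               STP enabled     interfaces
br2             8000.000000000002       no              eth2.600
br0             8000.000000000001       no              eth2.11
                                                        eth2.12
                                                        eth2.13
                                                        ra0
"""

WAN_TRUNK = "eth2"   # assumption: VLAN sub-interfaces eth2.N ride on this port
WIRELESS = "ra0"     # assumption: the Wi-Fi radio, as named in the post's output


def parse_ifconfig(text):
    """Map interface name -> set of flag words (UP, RUNNING, PROMISC, ...)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
        elif not line[0].isspace():          # "eth2      Link encap:..." starts a block
            current = line.split()[0]
            ifaces[current] = set()
        elif current and "MTU:" in line:     # the flags line also carries MTU/Metric
            ifaces[current] |= {w for w in line.split() if w.isupper() and ":" not in w}
    return ifaces


def parse_brctl(text):
    """Map bridge name -> list of member ports; indented lines continue the last bridge."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:       # skip the header row
        if not line.strip():
            continue
        parts = line.split()
        if not line[0].isspace():            # name, id, stp, [first member]
            current = parts[0]
            bridges[current] = parts[3:]
        elif current:
            bridges[current].extend(parts)
    return bridges


def audit(ifconfig_text, brctl_text, wan_trunk=WAN_TRUNK, wireless=WIRELESS):
    """Return finding strings; an empty list means nothing of note."""
    findings = []
    for name, flags in sorted(parse_ifconfig(ifconfig_text).items()):
        if "PROMISC" in flags:
            findings.append("promisc:%s" % name)
    for bridge, members in sorted(parse_brctl(brctl_text).items()):
        wan_vlans = sorted(m for m in members if m.startswith(wan_trunk + "."))
        if wireless in members and wan_vlans:
            findings.append("wan-vlan-on-wifi:%s:%s" % (bridge, ",".join(wan_vlans)))
    return findings


if __name__ == "__main__":
    for finding in audit(IFCONFIG_SAMPLE, BRCTL_SAMPLE):
        print(finding)
```

On the sample this reports `eth2` in promiscuous mode and `br0` joining `eth2.11`, `eth2.12` and `eth2.13` to `ra0`, which is exactly the bridging the post describes. Treat the PROMISC finding as a prompt to look rather than proof of sniffing: Linux sets the parent port promiscuous as a side effect of running VLAN sub-interfaces through a bridge, so the bridge membership is the more telling signal.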
skincladalien
post May 29 2010, 03:01 PM

Densha Otaku
******
Senior Member
1,888 posts

Joined: Jan 2003
From: New Selangor ^.^Y


shit...now that you mention it, i managed to find that account in 5 minutes O.o

TM screw up big time on this
TSrizvanrp
post May 29 2010, 03:05 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(skincladalien @ May 29 2010, 03:01 PM)
shit...now that you mention it, i managed to find that account in 5 minutes O.o

TM screw up big time on this
*
Yeap.
ciohbu
post May 29 2010, 03:12 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(sg999 @ May 29 2010, 12:48 PM)
not understand
got simple explanation?
*
simple answer ? ur network is open to TM.. and they know if u are downloading po*n

This post has been edited by ciohbu: May 29 2010, 03:14 PM
[+]
post May 29 2010, 03:17 PM

Regular
******
Senior Member
1,935 posts

Joined: Apr 2007
this needs to go to the press lo~
Neptern
post May 29 2010, 03:18 PM

Casual
***
Junior Member
424 posts

Joined: Aug 2005
QUOTE
simple answer ? ur network is open to TM.. and they know if u are downloading po*n


Is it even legal for them to monitor your internet usage like that instead of just logs on their side?
ciohbu
post May 29 2010, 03:34 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(Neptern @ May 29 2010, 03:18 PM)
Is it even legal for them to monitor your internet usage like that instead of just logs on their side?
*
i am not sure about legal stuff, but if network admin go too far into ur network, i think that's against the privacy .. its like telco monitor wat u talk in every phone call..
mylinear
post May 29 2010, 03:39 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
I think this should be reported to MCMC and MYCERT.

ciohbu
post May 29 2010, 03:39 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(mylinear @ May 29 2010, 03:39 PM)
I think this should be reported to MCMC and MYCERT.
*
MCMC ? its like reporting BN's MP corruption case to MACC ...lollzz

i think the only way we can do now is to disable the account and remote management.. use firewall to block related traffics.. and also spread this in ur blog or fb if u have..

This post has been edited by ciohbu: May 29 2010, 03:41 PM
takkicom
post May 29 2010, 03:47 PM

Casual
***
Junior Member
422 posts

Joined: Sep 2008
=.= all your pornos kena stole by tm ahahaha
zenquix
post May 29 2010, 03:49 PM

Life is short!
*******
Senior Member
2,513 posts

Joined: Jan 2008


toying with idea of turning off tr-069. not keen on its implications at all.
harriss
post May 29 2010, 03:54 PM

Casual
***
Junior Member
306 posts

Joined: Jan 2009
From: OH YEAH



UNIPHAIL TRULY SCREW this time
mylinear
post May 29 2010, 03:59 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
QUOTE(ciohbu @ May 29 2010, 03:39 PM)
MCMC ? its like reporting BN's MP corruption case to MACC ...lollzz

*
Didn't say they will take action. But there must be a documented report made in case for future reference.

And MYCERT is supposed to:

QUOTE
Mission
To address the computer security concerns of Malaysian Internet users.
Mokuton
post May 29 2010, 04:02 PM

Getting Started
**
Junior Member
51 posts

Joined: Dec 2008
From: Earth
use your own modem/router in the future?
VengenZ
post May 29 2010, 04:24 PM

La la la~
****
Senior Member
608 posts

Joined: Nov 2009
From: 127.0.0.1



I think their monitoring the usage for the cap limit?
YoungMan
post May 29 2010, 04:57 PM

Look at all my stars!!
*******
Senior Member
3,171 posts

Joined: Oct 2008
From: Kuala Lumpur



well... since it's possible, don't use their router. Buy one that is better and use it.
sg999
post May 29 2010, 05:01 PM

Enthusiast
*****
Senior Member
868 posts

Joined: May 2008
QUOTE(ciohbu @ May 29 2010, 04:12 PM)
simple answer ? ur network is open to TM.. and they know if u are downloading po*n
*
WTF
no PRIVACY liao
ciohbu
post May 29 2010, 05:13 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(YoungMan @ May 29 2010, 04:57 PM)
well... since it's possible, don't use their router. Buy one that is better and use it.
*
why always we consumer have to pay the price ?
night_wolf_in
post May 29 2010, 05:18 PM

On my way
****
Junior Member
509 posts

Joined: Mar 2007
im not sure if i should laugh or cry.

If you think they want to spy on YOU by creating a second management account. Then it is big fail for all you guys, pretending to know how internet works.

Your Modem/router will be connected to a layer two switch. or lets say connected to a port. they can use "SPAN" to see all the traffic you are sending and receiving.

But again, doing that to every individual will be really tiring. Easier is, run "SPAN" to the uplink, that is connecting the layer two switch to the distribution switch. and bam, they can get all i/o traffic from the whole switch.

WAIT.

They can add high end firewalls at the uplinks to every area (logical or geographical) or just again SPAN the traffic to the firewalls. AND they practically SEE every traffic you sending.

Conclusion is. dont cry a river for a second account your ISP put it. if they did, it is to make your experience better. but if you think you can out smart them. please do.

How i know. I'm a CCNP and working under routing/ switching and security for some enterprise.


Added on May 29, 2010, 5:19 pm
QUOTE(VengenZ @ May 29 2010, 04:24 PM)
I think their monitoring the usage for the cap limit?
*
No, they use packet shaping devices for that.

This post has been edited by night_wolf_in: May 29 2010, 05:19 PM
ciohbu
post May 29 2010, 06:02 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(night_wolf_in @ May 29 2010, 05:18 PM)
im not sure if i should laugh or cry.

If you think they want to spy on YOU by creating a second management account. Then it is big fail for all you guys, pretending to know how internet works.

Your Modem/router will be connected to a layer two switch. or lets say connected to a port. they can use "SPAN" to see all the traffic you are sending and receiving.

But again, doing that to every individual will be really tiring. Easier is, run "SPAN" to the uplink, that is connecting the layer two switch to the distribution switch. and bam, they can get all i/o traffic from the whole switch.

WAIT.

They can add high end firewalls at the uplinks to every area (logical or geographical) or just again SPAN the traffic to the firewalls.  AND they practically SEE every traffic you sending.

Conclusion is. dont cry a river for a second account your ISP put it. if they did, it is to make your experience better. but if you think you can out smart them. please do.

How i know. I'm a CCNP and working under routing/ switching and security for some enterprise.


Added on May 29, 2010, 5:19 pm

No, they use packet shaping devices for that.
*
well..since u claim that u are CCNP (which is one level on top of CCNA) and working under security huh ? u should know that any unknown account in user's router gives a security threat to the user ? no matter the account is for good or for bad ... that's the simple and basic theory, imagine ur customer found out that u have a secret account in their main router ?

and more serious is the remote management enabled...

This post has been edited by ciohbu: May 29 2010, 06:06 PM
night_wolf_in
post May 29 2010, 06:07 PM

On my way
****
Junior Member
509 posts

Joined: Mar 2007
ya. it is management. there is no security issues to worry about. the moment you connected to the internet with your own router/modem with only your account, you are screwed by anyone who wants to screw you.

It is remote management of the ROUTER/MODEM. so if someone who is very smart, go play with the settings, then internet doesn't work. they dont have to send a guy to fix it. and dont tell me there are no people who screw their own modem then swear at tmnuts.

this great discovery is not worth the rant. If you think you know better than ISP bout network and security. then do what you want to do. Otherwise, i suggest keeping things the way they are.
ciohbu
post May 29 2010, 06:13 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(night_wolf_in @ May 29 2010, 06:07 PM)
Ya, it is management. There are no security issues to worry about. The moment you connect to the internet with your own router/modem with only your account, you are screwed by anyone who wants to screw you.

It is remote management of the ROUTER/MODEM. So if someone who is very smart goes to play with the settings, then the internet doesn't work. They don't have to send a guy to fix it. And don't tell me there are no people who screw up their own modem and then swear at tmnuts.

This great discovery is not worth the rant. If you think you know better than the ISP about network and security, then do what you want to do. Otherwise, I suggest keeping things the way they are.
*
I think the main topic here is the security threat of having remote management enabled and having a secondary admin account which is invisible to the user..

It's the same as Windows..

Now since everyone knows it, they can choose whether to disable it or not..

This post has been edited by ciohbu: May 29 2010, 06:18 PM
Neptern
post May 29 2010, 06:20 PM

Casual
***
Junior Member
424 posts

Joined: Aug 2005
Yea, I don't quite like the idea of a secret account, which is akin to a secret backdoor in my router...

Even if you say remote management saves the time TM needs to fix the internet, I still don't feel too good about it.
tch9
post May 29 2010, 06:24 PM

New Member
*
Junior Member
15 posts

Joined: Dec 2005
How did you guys find out the login name and password for the global admin?
Cliffrison
post May 29 2010, 06:24 PM

It's so fluffy I'm gonna die!
*****
Senior Member
819 posts

Joined: Apr 2010
From: Kitchen -_-
pro la ts
76radius
post May 29 2010, 06:26 PM

Getting Started
**
Junior Member
221 posts

Joined: Jan 2006


QUOTE(tch9 @ May 29 2010, 07:24 PM)
How did you guys find out the login name and password for the global admin?
*
One Sifu found it. The same person who helped to fix my router to connect to Unifi.

Salute to Rizvanrp!!!
KAHAK
post May 29 2010, 07:25 PM

Getting Started
**
Junior Member
179 posts

Joined: Mar 2010
Wow, is this true? Does it mean TM net can remote control your bandwidth speed because you guys use the TM router?
fastreader
post May 29 2010, 07:47 PM

.
*******
Senior Member
4,468 posts

Joined: Feb 2010
guess its kinda risky...blame rais for this...information freedom eh..
nitewish
post May 29 2010, 07:51 PM

Viva La Resistance
*****
Senior Member
810 posts

Joined: Feb 2008
From: 127.0.0.1



@Rizvanrp:
is this why the DIR-615 feels so laggy when accessing it? =x
TSrizvanrp
post May 29 2010, 08:25 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(night_wolf_in @ May 29 2010, 05:18 PM)
I'm not sure if I should laugh or cry.

If you think they want to spy on YOU by creating a second management account, then it is a big fail for all you guys pretending to know how the internet works.

Your modem/router will be connected to a layer two switch, or let's say connected to a port. They can use "SPAN" to see all the traffic you are sending and receiving.

But again, doing that to every individual will be really tiring. Easier is to run "SPAN" on the uplink, that is, the link connecting the layer two switch to the distribution switch, and bam, they can get all I/O traffic from the whole switch.

WAIT.

They can add high end firewalls at the uplinks to every area (logical or geographical) or again SPAN the traffic to the firewalls. AND they practically SEE all the traffic you are sending.

Conclusion is: don't cry a river over a second account your ISP put in. If they did, it is to make your experience better. But if you think you can outsmart them, please do.

How I know: I'm a CCNP and working in routing/switching and security for some enterprise.


Added on May 29, 2010, 5:19 pm

No, they use packet shaping devices for that.
*
Oh no, CCNPs and their logic ._.

Never once did I claim this was for TM to 'spy' on you, I said it's a hole for outsiders to spy on you or mess with you. I stated that TM doesn't need to spy on you when they control the network.

The problem is because there's this secondary account, other people can log into your router and enable the SSHd for busybox. As a CCNP, you should already be aware of the implications of SSHd running on your Internet gateway with full root access to the outside world?

SSHd comes with a few functions, you have SCP/SFTP (which is disabled on this dropbear build) and most importantly.. it has the ability to do SOCKS forwarding. I've already tested this and it works -- in other words, I was able to turn every Unifi router into an open SOCKS proxy. Imagine what I could do, credit card fraud, ICMP based DDoS attacks.. etc., this doesn't concern you as a CCNP?

The router also has about 10MB of free RAM and a filesystem loaded to utilize it, what if I compile a special binary for busybox then pull it into the router using tftp or ftpget? This binary could be a traffic sniffer, dynamic IP notifier and so on, what then? The main router that's handling all your Unifi traffic has a traffic sniffer attached to it but you still feel your network is secure?

Did you know every Unifibiz (with static PPPoE addressing) has this enabled by default? That anyone can access the router and do all this shit?

So please, I get that you're a CCNP and you could build your own Internet if you wanted but you and I both know that leaving an embedded Linux based router with SSHd wide open to the internet while it's routing all your Internet traffic is a bloody bad idea and it's highly exploitable. I wouldn't write a thread like this unless I've already done the attacks and understood the implications. I'm glad you know how to set up networking hardware and advanced routing protocols but when it comes to security you seem to be completely 'blur'.

QUOTE
so if someone who is very smart, go play with the settings, then internet doesn't work.

You really think that BusyBox can only 'play with the settings' and cut you off the net? Lol, you need to get off IOS and into embedded Linux. It's stupid assumptions like this which created this mess in the first place. You have a VLAN capable router here with a full embedded Linux distro running on it and you assume all it runs is a PPP daemon. Bloody laughable.

There's no way such a cheap device could have a webserver with a PHP interpreter huh?

Maybe you should work on that CEH soon

This post has been edited by rizvanrp: May 29 2010, 08:40 PM
GameSky
post May 29 2010, 08:33 PM

Nyancat too much
*******
Senior Member
6,069 posts

Joined: Jun 2005
From: meow meow
QUOTE(kons @ May 29 2010, 09:10 AM)
It's normal for UniFi or normal DSL broadband.
Those guys who installed the riger modems at my new house last time also enabled remote management and locked out the admin mgmt account.
I have replaced them straight away.

As long as it's RJ45/RJ11, I guess it's always possible to use our own equipment.
*
This. Last time my company applied for Streamyx, they also had remote management enabled. At first I was curious whether my boss had enabled remote management on the modem, since he uses remote desktop on one of the accounts computers.. but no, he hadn't even noticed.

So I just straight away disabled the remote management on the modem, and changed the password to a stronger password, with symbols, caps, numerics and alphas.

So it seems in Unifi's case... I'm suspecting TM is trying to monitor what kind of data/packets their users are currently using most?
And does it involve companies as well? ...sounds like more than a data privacy breach here....

Thanks to the TS for the heads-up.

No matter how, this should be reported to MCMC/MyCERT already... since other groups/people might use this to their advantage and abuse existing Unifi users... think what kind of damage they might cause?


Sigh, monopoly player...

This post has been edited by GameSky: May 29 2010, 08:36 PM
ciohbu
post May 29 2010, 08:56 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(rizvanrp @ May 29 2010, 08:25 PM)
Oh no, CCNP's and their logic ._.

So please, I get that you're a CCNP and you could build your own Internet if you wanted but you and I both know that leaving an embedded Linux based router with SSHd wide open to the internet while its routing all your Internet traffic is a bloody bad idea and its highly exploitable. I wouldn't write a thread like this unless I've already done the attacks and understood the implications. I'm glad you know how to setup networking hardware and advanced routing protocols but when it comes to security you seem to be completely 'blur'.
You really think that BusyBox can only 'play with the settings' and cut you off the net? Lol, you need to get off IOS and into embedded Linux. It's stupid assumptions like this which created this mess in the first place. You have a VLAN capable router here with a full embedded Linux distro running on it and you assume all it runs is a PPP daemon. Bloody laughable.

There's no way such a cheap device could have a webserver with a PHP interpreter huh?

Maybe you should work on that CEH soon
*
Ya... I also cannot stand the last line.. when he put that he is a CCNP.. lolzz

This post has been edited by ciohbu: May 29 2010, 08:56 PM
night_wolf_in
post May 29 2010, 09:00 PM

On my way
****
Junior Member
509 posts

Joined: Mar 2007
QUOTE(rizvanrp @ May 29 2010, 08:25 PM)
*
So you want to tell me that by disabling that other management account, and because you know how to give a good password for your own user account, your modem/router is secured?

The first thing in security: there is no security. Even if you unplug your system from the internet, there is a possibility of security attacks.

Believe me, if someone wanted to use that box you have for hacking, they would have done it a long time ago.

So when it comes to whether the ISP should make an account for them to access your box to assist you, or close it, they would rather make an account.

If later on they can't control the situation because all the boxes turned into bots, then it is their issue to solve.

Just know that by disabling that account, you are not safer than when it was open. Cheers

TSrizvanrp
post May 29 2010, 09:11 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



@night_wolf_in

Glad you've changed your stance from 'this is not significant' to 'this is not secure'. I guess you finally see what root access on this router allows an attacker to do, so I'm happy for you.

I am fully aware that nothing is secure; the fix I gave is only to temporarily secure their routers from outside attacks on the WAN. The LAN can still access the SSH daemon by default; it cannot be turned off.

Having this extra security will already prevent a multitude of attacks people can perform. The only way to completely remove this is to access that secondary account and change the password, set up iptables, or disable that account completely at the /etc/passwd level.

QUOTE
Believe me, if someone wanted to use that box you have for hacking, they would have done it a long time ago.

Unfortunately, I was the first person to discover it so this doesn't really apply. But if you're just talking about hacking router boxes, google DD-WRT. There's already a huge community set up. These attacks start now and it's better I disclose the vulnerability than let their user base grow to the point it cannot be stopped. At least if their techs are reading this, they will disable the feature in their future installs and possibly change their policy to let the user utilize the main admin account, or upgrade their firmware to completely remove this account.

This shit has to stop now, they can't keep treating their users like morons.

It's not a problem if the user ever forgets the password because these systems run on FLASH memory with the bootloader being in ROM. They can just hit a reset button and everything is fixed (including the NVRAM parameters). There's no reason not to trust the user with this account. In fact, giving them access to this account will allow them to use the DIR-615 as a VLAN-to-physical-port bridge and completely remove this exploit.

I went to a Unifibiz setup once and the company (a very large one) was forced to use the DIR-615 for routing because the latest ZyWall did not support PPPoE over VLAN interfaces. I'm pretty sure the sysadmin changed the 'admin' password and left remote management open because it lets him remotely diagnose problems with the router instead of having to stand in the server room all day. I don't think he's aware of this secondary account which bypasses that completely.

So yeah

This post has been edited by rizvanrp: May 29 2010, 09:13 PM
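The WAN-side fix the thread keeps coming back to (untick remote management, block TCP 22/23/80/8080/443 from the WAN) and the iptables route the TS mentions above, as an added example that is not from the thread, TM or D-Link: a small shell helper that emits the iptables rules and audits an `iptables -S INPUT` style dump for management ports still reachable from the WAN. It assumes iptables is present on the router, that the PPPoE WAN interface is called ppp0 and the LAN bridge br0; the sample dump is constructed, not captured from a real DIR-615.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side helper for the WAN fix.
# 1) gen_wan_mgmt_rules emits iptables rules that drop the management ports
#    named in the thread when they arrive on the WAN interface.
# 2) exposed_ports audits an `iptables -S INPUT` style dump and lists which
#    of those ports would still be accepted from the WAN.
# Assumptions: iptables on the router, WAN interface ppp0, LAN bridge br0.

MGMT_PORTS="22 23 80 8080 443"

# gen_wan_mgmt_rules WAN_IF
# Prints one iptables command per port. -I (insert at the head of INPUT) is
# used instead of -A so the DROP wins over any earlier ACCEPT rule. LAN-side
# access is untouched because the match is restricted to the WAN interface.
gen_wan_mgmt_rules() {
    wan="$1"
    for p in $MGMT_PORTS; do
        printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$wan" "$p"
    done
}

# exposed_ports DUMP WAN_IF
# DUMP is text in the format of `iptables -S INPUT`. For each management port
# the first rule matching "-i WAN_IF ... --dport PORT" decides (first-match
# semantics); if no rule matches, the chain policy (-P INPUT ...) decides.
# Prints the ports whose verdict is ACCEPT, space separated (empty if none).
exposed_ports() {
    dump="$1"
    wan="$2"
    out=""
    policy=$(printf '%s\n' "$dump" | sed -n 's/^-P INPUT \([A-Z]*\).*/\1/p')
    for p in $MGMT_PORTS; do
        verdict=$(printf '%s\n' "$dump" \
            | grep -- "-i $wan " \
            | grep -- "--dport $p " \
            | sed -n '1s/.*-j \([A-Z]*\).*/\1/p')
        if [ -z "$verdict" ]; then
            verdict="${policy:-ACCEPT}"   # no explicit rule: policy applies
        fi
        if [ "$verdict" = "ACCEPT" ]; then
            out="$out $p"
        fi
    done
    printf '%s\n' "${out# }"
}

# simulate_hardened DUMP WAN_IF
# Shows what the INPUT chain would look like after gen_wan_mgmt_rules has been
# applied: the inserted rules come first, the existing rules after them.
simulate_hardened() {
    dump="$1"
    wan="$2"
    inserted=$(gen_wan_mgmt_rules "$wan" | sed 's/^iptables //')
    printf '%s\n%s\n' "$inserted" "$dump"
}

# Constructed sample dump (NOT from a real DIR-615): permissive default policy,
# SSH accepted on the WAN, HTTP dropped on the WAN, web UI allowed from the LAN.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT'

# Stand-alone run: audit before and after. To really apply the rules on the
# router (as root): gen_wan_mgmt_rules ppp0 | sh
echo "Exposed on WAN before: $(exposed_ports "$SAMPLE_DUMP" ppp0)"
echo "Exposed on WAN after:  $(exposed_ports "$(simulate_hardened "$SAMPLE_DUMP" ppp0)" ppp0)"
```

Note that port 8080 and port 443 show up as exposed in the sample even though no rule mentions them, because the chain policy is ACCEPT; a restrictive policy on the WAN is the real fix, and the per-port rules are the stopgap the thread describes.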
Creative-
post May 29 2010, 09:11 PM

Getting Started
**
Junior Member
264 posts

Joined: Nov 2004
From: 127.0.0.1
Hey, I just got Unifi installed yesterday. I was trying to fiddle with the router settings but I realised they didn't give me the password; so I reset the damn thing haha. But I didn't know about the "global account" thing, what's the user/pass for that? Care to PM me, anyone?
TSrizvanrp
post May 29 2010, 09:20 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



Sorry I forgot to add this in: Unifi's main VLAN has no caps on it. Every user is capped at the account level only. This means if a 5mbps user breaks into a 20mbps user's router and takes his user/pass, he will get 20mbps at home. Nice job TM

Since you're going to be implementing an account cap, I can't imagine what people would do to get past it

This post has been edited by rizvanrp: May 29 2010, 09:25 PM
iipohbee
post May 29 2010, 09:29 PM

On my way
****
Senior Member
603 posts

Joined: Dec 2008
QUOTE(rizvanrp @ May 29 2010, 09:20 PM)
Sorry I forgot to add this in: Unifi's main VLAN has no caps on it. Every user is capped at the account level only. This means if a 5mbps user breaks into a 20mbps user's router and takes his user/pass, he will get 20mbps at home. Nice job TM

Since you're going to be implementing an account cap, I can't imagine what people would do to get past it
*
Unfortunately the D-Link DIR-615 doesn't have gigabit ethernet ports. Else this would mean havoc!

But you can still assign multiple 20M accounts to each port, or maybe choose to watch IPTV channels in different rooms at home.
Dedicated 20M for each computer.

You have 4 ports to play with
ciohbu
post May 29 2010, 09:41 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(night_wolf_in @ May 29 2010, 09:00 PM)
So you want to tell me that by disabling that other management account, and because you know how to give a good password for your own user account, your modem/router is secured?

The first thing in security: there is no security. Even if you unplug your system from the internet, there is a possibility of security attacks.

Believe me, if someone wanted to use that box you have for hacking, they would have done it a long time ago.

So when it comes to whether the ISP should make an account for them to access your box to assist you, or close it, they would rather make an account.

If later on they can't control the situation because all the boxes turned into bots, then it is their issue to solve.

Just know that by disabling that account, you are not safer than when it was open. Cheers
*
If you are really a CCNP, you should know that nothing is 100% secured. You deal with enterprises a lot in your work, right? I believe you do disable some unnecessary Cisco router services such as bootp.. and give your router AAA authentication.. ya.. it is not secured but at least it's better than nothing.. same goes for this Unifi router.

I notice that your ideology is kinda funny.. that "if someone wants to use that box you have for hacking, they would have done it a long time ago".. does it mean that if my new PC doesn't get hacked on the 1st day without antivirus, I don't need to install antivirus for the rest of my life on that PC?

This post has been edited by ciohbu: May 29 2010, 09:42 PM
azwan92
post May 29 2010, 09:48 PM

Casual
***
Junior Member
358 posts

Joined: Sep 2009



according to my belkin router, remote management means:


Remote Management
Before you enable this function, MAKE SURE YOU HAVE SET THE ADMINISTRATOR PASSWORD. Remote management allows you to make changes to your Router's settings from anywhere on the Internet. There are two methods of remotely managing the router. The first method is to allow access to the router from anywhere on the Internet by selecting "Any IP address can remotely manage the router". By typing in your WAN IP address from any computer on the Internet, you will be presented with a login screen where you need to type in the password of your router. The Second method is to allow a specific IP address only to remotely manage the router. This is more secure, but less convenient. To use this method, enter the IP address you know you will be accessing the Router from in the space provided and select "Only this IP address can remotely" manage the Router. Before you enable this function, it is STRONGLY RECOMMENDED that you set your administrator password. Leaving the password empty will potentially open your router to intrusion.

VengenZ
post May 29 2010, 10:17 PM

La la la~
****
Senior Member
608 posts

Joined: Nov 2009
From: 127.0.0.1



QUOTE(azwan92 @ May 29 2010, 09:48 PM)
according to my belkin router, remote management means:

 
Remote Management
Before you enable this function, MAKE SURE YOU HAVE SET THE ADMINISTRATOR PASSWORD. Remote management allows you to make changes to your Router's settings from anywhere on the Internet. There are two methods of remotely managing the router. The first method is to allow access to the router from anywhere on the Internet by selecting "Any IP address can remotely manage the router". By typing in your WAN IP address from any computer on the Internet, you will be presented with a login screen where you need to type in the password of your router. The Second method is to allow a specific IP address only to remotely manage the router. This is more secure, but less convenient. To use this method, enter the IP address you know you will be accessing the Router from in the space provided and select "Only this IP address can remotely" manage the Router. Before you enable this function, it is STRONGLY RECOMMENDED that you set your administrator password. Leaving the password empty will potentially open your router to intrusion.
*
So, if they could only change the router settings, they can't spy on our porn?
Creative-
post May 29 2010, 10:18 PM

Getting Started
**
Junior Member
264 posts

Joined: Nov 2004
From: 127.0.0.1
Does disabling Remote Management from the standard "admin" account disable it from the router's global access as well? Or do we have to use the "hidden" account to disable it?
TSrizvanrp
post May 29 2010, 10:22 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(VengenZ @ May 29 2010, 10:17 PM)
So, if they could only change the router settings, they can't spy on our porn?
*
It's different from router to router. In this case, the remote management lets you enable the SSH server. The SSH server gives you full control over the router, more than what's in the web UI. And since there's a secondary account to access the remote management, there's really no security at all lol
prasys
post May 29 2010, 10:59 PM

Heros Never Die
Group Icon
Staff
12,925 posts

Joined: Mar 2005
From: Kuala Lumpur
QUOTE(rizvanrp @ May 29 2010, 10:22 PM)
It's different from router to router. In this case, the remote management lets you enable the SSH server. The SSH server gives you full control over the router, more than what's in the web UI. And since there's a secondary account to access the remote management, there's really no security at all lol
*
Thanks for putting it up

Really bad people can do really mean things. Having SSH is like having candy. Oh wait, did I say that it grants you root access? Oh goodie, someone could be stealing all your porn (maybe, who knows, you might have sharing enabled and I could exploit it by silently installing OpenVPN, does it even fit, I hope it does, and silently be part of your network). They should do something about it.
mitodna
post May 29 2010, 11:21 PM

Getting Started
********
All Stars
13,866 posts

Joined: Jan 2003
I believe that this is not the first Unifi "exploit"; the first one was access to more channels of its IPTV??? Until TM decided to scramble IPTV.
Moogle Stiltzkin
post May 29 2010, 11:39 PM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(night_wolf_in @ May 29 2010, 05:18 PM)
I'm not sure if I should laugh or cry.

If you think they want to spy on YOU by creating a second management account, then it is a big fail for all you guys pretending to know how the internet works.

Your modem/router will be connected to a layer two switch, or let's say connected to a port. They can use "SPAN" to see all the traffic you are sending and receiving.

But again, doing that to every individual will be really tiring. Easier is to run "SPAN" on the uplink, that is, the link connecting the layer two switch to the distribution switch, and bam, they can get all I/O traffic from the whole switch.

WAIT.

They can add high end firewalls at the uplinks to every area (logical or geographical) or again SPAN the traffic to the firewalls. AND they practically SEE all the traffic you are sending.

Conclusion is: don't cry a river over a second account your ISP put in. If they did, it is to make your experience better. But if you think you can outsmart them, please do.

How I know: I'm a CCNP and working in routing/switching and security for some enterprise.


Added on May 29, 2010, 5:19 pm

No, they use packet shaping devices for that.
*
If I use a VPN, will that at least give me some privacy despite all the stuff you mentioned??? That is all I want to know

Does anyone else think tmnut should hire Riv and give him a 6 figure salary??? *raises hand*

This post has been edited by Moogle Stiltzkin: May 29 2010, 11:48 PM
pengiranijam
post May 29 2010, 11:44 PM

Regular
******
Senior Member
1,567 posts

Joined: Dec 2004
From: Malaysia Truly Asia



Sometimes high speed is not good when an exploit is found, especially on a router or modem. Using fiber optics at high speed, your computer might be a nightmare for your whole life if those who "have full rights over your router or modem" perform the attacks.
yvonnesoo
post May 30 2010, 12:18 AM

Wanderluster
*******
Senior Member
2,136 posts

Joined: Jan 2009
From: PJ | Seoul


Unifi currently is available in my area.. after reading all this.. dunno whether I should upgrade to Unifi or not.. I'm not tech savvy.. might not know much.. anyway.. those who have Unifi.. may I know how the overall speed is? Heard that they will cap their speed soon.. is that true?
VengenZ
post May 30 2010, 12:20 AM

La la la~
****
Senior Member
608 posts

Joined: Nov 2009
From: 127.0.0.1



QUOTE(rizvanrp @ May 29 2010, 10:22 PM)
It's different from router to router. In this case, the remote management lets you enable the SSH server. The SSH server gives you full control over the router, more than what's in the web UI. And since there's a secondary account to access the remote management, there's really no security at all lol
*
SSH

Isn't that a shell? You can connect using PuTTy and Linux
darkskies
post May 30 2010, 12:23 AM

Look at all my stars!!
*******
Senior Member
2,255 posts

Joined: Nov 2007
From: 特別壱参番対ゴミ人間調査隊大将



Yup, it's their death trap to get users into Unifi. After enough users they won't listen to any more complaints and will continue to do like what they do to Streamyx users. What's more, it's a 2-year contract which you must be wary of. The price doesn't sound cheap when you terminate within 2 years.

TMnet's greed has turned very ugly recently. Their technology and services still suck as before, but their strategy to market their failed products is improving. They know how to avoid complaints and cover up their problems perfectly.

This post has been edited by darkskies: May 30 2010, 12:28 AM
ysc
post May 30 2010, 12:26 AM

Enthusiast
*****
Senior Member
833 posts

Joined: Nov 2008
QUOTE(darkskies @ May 30 2010, 12:23 AM)
Yup, it's their death trap to get users into Unifi. After enough users they won't listen to any more complaints and will continue to do like what they do to Streamyx users. What's more, it's a 2-year contract which you must be wary of. The price doesn't sound cheap when you terminate within 2 years.
*
the contract bandwidth cap thingy was removed after the QQ but i think it'll come back soon

edit- lol typo

This post has been edited by ysc: May 30 2010, 01:48 AM
ciohbu
post May 30 2010, 12:28 AM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(darkskies @ May 30 2010, 12:23 AM)
Yup, it's their death trap to get users into Unifi. After enough users they won't listen to any more complaints and will continue to do like what they do to Streamyx users. What's more, it's a 2-year contract which you must be wary of. The price doesn't sound cheap when you terminate within 2 years.
*
The worst thing is you have to pay + you will have high blood pressure dealing with their customer service within these 2 years
andrew9292
post May 30 2010, 12:29 AM

-/Livin' On A Prayer/-
*****
Senior Member
950 posts

Joined: Sep 2008
From: Petaling Jaya


QUOTE
13.1 The Customer shall:-
not use the Service for any unlawful purpose including without limitation for any criminal purposes;
not use the Service to send unsolicited electronic messages or any message which is obscene, threatening or offensive on moral, religious, racial or political grounds to any person including a company or a corporation;
not compromise or infect any systems with computer viruses or otherwise;
not infringe any intellectual property rights of TM, its related companies and subsidiaries or any third party;
not gain unauthorised access to any computer system connected to the Internet or any information regarded as private by any person including a company or corporation;
not share the Service with any person including a company or corporation without the prior written approval of TM and shall use the Service only for the purpose for which it is subscribed;
not resell or sublet the Service to any third parties without prior written consent from TM; and,
not use the Service in any manner, which in the opinion of TM may adversely affect the use of the Service by other Customers or efficiency or security as a whole.


Probably why they put that up ;p

Okay, good job to the TS as he found out this major security risk, considering the number of IT grads and professionals out there these days...
But posting this here is actually publicity for this loophole.

Only those who come to LYN would find out about this, and if they are tech savvy enough, they will know how to get around it to minimize the exposure risk as much as possible.

But again, if someone with unholy intentions stumbles upon this, it could mean disaster for those unaware and incapable of preventing it...

I would like to ask the TS, now that you have found out and posted it in public, what is your next step? Will you report to the relevant authorities?
Otherwise the purpose of this thread will be:

1. Publicize a major loophole in UniFi
2. Giving knowledgeable users the chance to avoid the risk, a really small amount of people in LYN.
3. Exposing a mass amount of UniFi-ers to exploits...

So, just be aware of that. I'm no IT expert with any qualification btw. TS, you're doing the right thing, salute! But there is still a loophole in what you are doing haha

This post has been edited by andrew9292: May 30 2010, 12:30 AM
darkskies
post May 30 2010, 12:32 AM

Look at all my stars!!
*******
Senior Member
2,255 posts

Joined: Nov 2007
From: 特別壱参番対ゴミ人間調査隊大将



QUOTE(ysc @ May 30 2010, 12:26 AM)
the contract thingy was removed after the QQ but i think it'll come back soon
*
Bandwidth cap lifted but not contract. Check the Term & Condition on the website. They are not stupid enough to lift their contract which is where their bait gonna be.
TSrizvanrp
post May 30 2010, 01:00 AM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(andrew9292 @ May 30 2010, 12:29 AM)
Probably why they put that up ;p

Okay, good job for TS as he found out this major security risk considering the number of IT grads and professionals these days are out there...
But posting this here is actually publicity to this loophole.

Only those who came to LYN would find out about this and if they are tech savvy enough, they will know how to get around it to minimize the exposure risk as much as possible.

But again, if someone with unholy intention stumbles upon this, it could mean disaster for those unaware and incapable to prevent it...

I would like to ask TS, now that you have found out and posted it to public, what is your next step? Will you report to relevant authorities?
Otherwise the purpose of this thread will be:

1. Publicize a major loophole in UniFi
2. Giving knowledgeable users the chance to avoid the risk, a really small amount of people in LYN.
3. Exposing a mass amount of UniFi-ers to exploits...

So, just be aware of that. I'm no IT expert with any qualification btw. TS, you're doing the right thing, salute! But there is still a loophole in what you are doing haha
*
I spent some time thinking about it. There were a lot of things I took into consideration..

In the end I feel as though it's my duty to notify the community about these things. It's not my job to fix it, it's TM's job. If they had planned this through and allowed for open access to their hardware in the first place, we wouldn't be in this mess. Why even bother putting the PPPoE server on VLAN 500? Why didn't they just not use any tagging in the first place? It wouldn't make a difference to them but it would give their customers tons of new options and better security. It's because they chose to follow this closed method that all these flaws are starting to come out. If I'm not mistaken, I even mentioned on LYN in the first week I got Unifi that there's a telnet daemon on the set top box and an SSH daemon on the DIR-615.. and it would only be a matter of time till someone found the keys.

It took me less than 2 months to completely break the system (from the user's end). Sure, I have a lot of experience in this field but I'm just a final year network security student and I did this in my free time because I was trying to help people @ LYN. 2 months in however, all these flaws in their system start to get noticed. You hand this system to a professional blackhat hacker and the entire network is going to go down in a week or so.

I know sending a message to LYN isn't exactly sending a message to every Unifi user in Malaysia, there are tons of users (even TM staff) which have their routers exposed at the moment. Eventually however, the word is going to get out. They will either patch their firmware 7.05 and fix it or notify their technicians not to enable these particular features during install. The best case scenario I can hope for is that they start doing installs with this secondary admin account so people have full control over the hardware and service they're dishing out RM200+ a month for.

And you know, even though this 'fix' blocks WAN access.. I believe the SSH daemon is still running on the LAN subnet. It cannot be turned off without using the secondary admin account and logging into the SSH server using PuTTy or something. Those people who are running Unifi hotspots (aka kopitiam shops) are still vulnerable.

I know some of you are going to hate me with the typical 'why did you let others know' mentality.. but let's be honest here, just because I don't tell you something it doesn't magically make it non-existent okay? I'm not going to release the account details yet and I'm hoping those of you who have also found this account won't either.. and I know that's not a perfect solution but it's better than closing both your eyes and pretending there is no problem with the system.
squall0833
post May 30 2010, 01:00 AM

Regular
******
Senior Member
1,418 posts

Joined: Oct 2006
From: Jupiter


this is bad, forced to use a device that's less secure than a usual device,

good job rivan, nice find
Moogle Stiltzkin
post May 30 2010, 01:00 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(andrew9292 @ May 30 2010, 12:29 AM)
Probably why they put that up ;p

Okay, good job for TS as he found out this major security risk considering the number of IT grads and professionals these days are out there...
But posting this here is actually publicity to this loophole.

Only those who came to LYN would find out about this and if they are tech savvy enough, they will know how to get around it to minimize the exposure risk as much as possible.

But again, if someone with unholy intention stumbles upon this, it could mean disaster for those unaware and incapable to prevent it...

I would like to ask TS, now that you have found out and posted it to public, what is your next step? Will you report to relevant authorities?
Otherwise the purpose of this thread will be:

1. Publicize a major loophole in UniFi
2. Giving knowledgeable users the chance to avoid the risk, a really small amount of people in LYN.
3. Exposing a mass amount of UniFi-ers to exploits...

So, just be aware of that. I'm no IT expert with any qualification btw. TS, u're doing the right thing, salute! but there is still a loophole in what you are doing haha
*
No no, i think it was right making this public. Maybe this will get into The Star and we can pressure tmnut to let their users use their own routers.

If we do have any problem, we would call tmnut helpline 100 and they can send a technician over. No need to expose our security just for that


So anyway, anyone working for the newspaper, please copy paste riv's statement into the news, thx. A good headline would be "TMnut obsession with control leads to security loophole for Unifi consumer and business users alike"

This post has been edited by Moogle Stiltzkin: May 30 2010, 01:03 AM
darkskies
post May 30 2010, 01:11 AM

Look at all my stars!!
*******
Senior Member
2,255 posts

Joined: Nov 2007
From: 特別壱参番対ゴミ人間調査隊大将



QUOTE(Moogle Stiltzkin @ May 30 2010, 01:00 AM)
No no, i think it was right making this public. Maybe this will get into The Star and we can pressure tmnut to let their users use their own routers.

If we do have any problem, we would call tmnut helpline 100 and they can send a technician over. No need to expose our security just for that
So anyway, anyone working for the newspaper, please copy paste riv's statement into the news, thx. A good headline would be "TMnut obsession with control leads to security loophole for Unifi consumer and business users alike"
*
It'll nv appear in the news. Everything is controlled. The only way is to discourage users frm signing up for unifi. Money is still the best way to deal with them rather than going on with complaints. If they are still earning money they'll just continue to do what they want. Once their budget is blown they'll learn their lesson.
Neptern
post May 30 2010, 01:16 AM

Casual
***
Junior Member
424 posts

Joined: Aug 2005
Yea keeping quiet won't solve anything. It is better knowing than mati katak for unifi users. Good job.
AZNo.O
post May 30 2010, 01:18 AM

New Member
*
Junior Member
42 posts

Joined: Dec 2009
Thanks rivanvp.
Time to fire up my backtrack.
celicaizpower
post May 30 2010, 01:25 AM

Race : ☐ Malay ☐ Chinese ☐ India ☑ /k/tard
******
Senior Member
1,164 posts

Joined: Jan 2009
From: No 1, Moon of Earth, Milky Way Galaxy, Universe #1



Hi guys,

I think, as @Riz already mentioned, as a Unifi owner do you think you can SUE TMNUT?

ermmm.. food for thought.
ysc
post May 30 2010, 01:47 AM

Enthusiast
*****
Senior Member
833 posts

Joined: Nov 2008
QUOTE(darkskies @ May 30 2010, 12:32 AM)
Bandwidth cap lifted but not contract. Check the Term & Condition on the website. They are not stupid enough to lift their contract which is where their bait gonna be.
*
lol

i wanted to say bandwidth but didn't notice.. dunno why my hand typed contrct instead
didn't notice till some1 pm me
xbomer
post May 30 2010, 01:47 AM

New Member
*
Newbie
1 posts

Joined: Sep 2008
From: Ipoh


any1 care to explain this thing... I'm so noob btw
VengenZ
post May 30 2010, 02:59 PM

La la la~
****
Senior Member
608 posts

Joined: Nov 2009
From: 127.0.0.1



QUOTE(xbomer @ May 30 2010, 01:47 AM)
any1 care to explain this thing... I'm so noob btw
*
Simple, TM can spy ur porn. Rizvan can spy ur porn.(If u r using unifi)
almaty
post May 30 2010, 05:57 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
QUOTE(VengenZ @ May 29 2010, 04:24 PM)
I think they're monitoring the usage for the cap limit?
*
firstly, GOOD exposé rizwan!!

@vengenz, they don't need to touch the dir-615 to check usage of cap limit.
eg. your mobile usage for billing, telco don't need to touch your phone


Added on May 30, 2010, 6:02 pm
QUOTE(night_wolf_in @ May 29 2010, 06:07 PM)
ya. it is management. there is no security issues to worry about. the moment you connected to the internet with your own router/modem with only your account, you are screwed by anyone who wants to screw you.

It is remote management of the ROUTER/MODEM. so if someone who is very smart, go play with the settings, then internet doesn't work. they don't have to send a guy to fix it. and don't tell me there are no people who screw their own modem then swear at tmnuts.

this great discovery is not worth the rant. If you think you know better than ISP bout network and security. then do what you want to do. Otherwise, i suggest keeping things the way they are.
*
wahh!! started already. deflect. trivialise. ridicule.


Added on May 30, 2010, 6:37 pm
QUOTE(rizvanrp @ May 29 2010, 09:20 PM)
Sorry I forgot to add this in, Unifi's main VLAN has no caps on it. Every user is capped at the account level only. This means if a 5mbps user breaks into a 20mbps user's router and takes his user/pass, he will get 20mbps at home. Nice job TM

Since you're going to be implementing an account cap, I can't imagine what people would do to get past it
*
in future... this will be a fav pastime for some. and the unsuspecting user after 3 days. eh?!@ why so slow?!?
call helpdesk... quota used LOL... sorry we can't help you. no proof that you did not use it yourself.




This post has been edited by almaty: May 30 2010, 06:37 PM
eddie_lim
post May 30 2010, 07:12 PM

You Never Walk Alone
Group Icon
Elite
4,010 posts

Joined: Jan 2003
From: In the deepest part of your heart !




Their so-called CCNPs' whole design of the TM network sucks; if they are so clever, they wouldn't design the whole network layout like this in the first place. Enterprise users won't be using their DIR-615 as the default router anyway, but being double NAT-ed behind the DIR-615 is not doing any good with applications like FTP, except by DMZ-ing it; furthermore, if the DIR-615 gets exploited, it will be a middleman which can run something like SSLstrip, so ur maybank2u, pbebank will be monitored without SSL.

night_wolf_in, i do not mean to hurt ur feeling but, get your old school cisco rules knowledge away, go learn some linux and get certified with RHCE instead of CCNP anyway.
TSrizvanrp
post May 30 2010, 08:13 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



I already updated the first page with a FAQ for all those "CCNP"s who are somehow still unaware of the capabilities of embedded systems in the year 2010.
almaty
post May 30 2010, 08:14 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
really who cares ccna/ccnp. blow a whistle, hundreds/thousands will come.
in contrast, banks/big corps will pay big $$$ to consultants to verify security.

anyway rizwan good on ya. some people would have kept quiet so that they can exploit for their personal gain for as long as possible/forever...

i think tm owes you at least 1 year's free subscription

eddie_lim
post May 30 2010, 10:41 PM

You Never Walk Alone
Group Icon
Elite
4,010 posts

Joined: Jan 2003
From: In the deepest part of your heart !




Btw, rizvanrp, didn't notice that u have promoted to Elite member, congrats!
DeniseLau
post May 30 2010, 10:46 PM

Casual
***
Junior Member
324 posts

Joined: Mar 2008
omg man, this is a serious fking breach of security. What's the issue with using your own router? Wouldn't it work?

Has anyone made complaints to MCMC?


p.s. Thanks riz for posting this. It's good to have a whitehat around.

This post has been edited by DeniseLau: May 30 2010, 10:47 PM
cannavaro
post May 31 2010, 06:43 AM

CATTENACIO
*******
Senior Member
2,959 posts

Joined: Sep 2005
From: T.T.D.I, Bukit Damansara


Still can't find out the other admin account. thought it was 'operator', but no cigar.
mylinear
post May 31 2010, 12:37 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
QUOTE(rizvanrp @ May 30 2010, 08:13 PM)
I already updated the first page with a FAQ for all those "CCNP"s who are somehow still unaware of the capabilities of embedded systems in the year 2010.
*
What happens if you reset the router back to factory defaults? Will this "hidden" account remain? Will it reset the password for the account? Will the account still have remote management enabled after a reset?

TSrizvanrp
post May 31 2010, 12:43 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



Resetting doesn't work, this exploit relies on the fact that this account uses the default user/pass combo. Resetting it just resets it back to the same user/pass; remote management will be disabled however. But there's really no point anyway, the SSH daemon is still accessible via LAN.. can't stop it at all from the GUI even with this second account.
cshong
post May 31 2010, 01:09 PM

Look at all my stars!!
*******
Senior Member
2,904 posts

Joined: Oct 2007
Even though I am not a UNIFI user, according to the manual of the DIR-615 downloaded from the D-Link website, the default user name is 'Admin' and the default password is to leave the password field empty, meaning no password.

Has anyone tried resetting the DIR-615 and trying to log in with user name 'Admin' and an empty password?
TSrizvanrp
post May 31 2010, 01:12 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(cshong @ May 31 2010, 01:09 PM)
Even though I am not a UNIFI user, according to the manual of the DIR-615 downloaded from the D-Link website, the default user name is 'Admin' and the default password is to leave the password field empty, meaning no password.

Has anyone tried resetting the DIR-615 and trying to log in with user name 'Admin' and an empty password?
*
admin and an empty pass works on some Unifi routers with older firmware <7.05. The newer one is admin and (removed by wkkay) as the pass.

This post has been edited by wKkaY: Jun 1 2010, 04:28 PM
cshong
post May 31 2010, 01:18 PM

Look at all my stars!!
*******
Senior Member
2,904 posts

Joined: Oct 2007
QUOTE(rizvanrp @ May 31 2010, 01:12 PM)
admin and an empty pass works on some Unifi routers with older firmware <7.05. The newer one is admin and 'telekom' as the pass.
*
Maybe TM uses customized firmware.

But, since you found the password, better change it.
skincladalien
post May 31 2010, 01:20 PM

Densha Otaku
******
Senior Member
1,888 posts

Joined: Jan 2003
From: New Selangor ^.^Y


I just had lunch with someone. Can't reveal much but look up the Space Shuttle Challenger case study, and relate it to a big Government linked company like TM...

That's the max hint I can give.
mylinear
post May 31 2010, 01:56 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
QUOTE(rizvanrp @ May 31 2010, 12:43 PM)
Resetting doesn't work, this exploit relies on the fact that this account uses the default user/pass combo. Resetting it just resets it back to the same user/pass, remote management will be disabled however. But there's really no point anyway, the SSH daemon is still accessible via LAN.. cant stop it at all from the GUI even with this second account.
*
At least if you reset the router, the remote management becomes disabled without you having to access the account to do it manually. Easier for basic users to do. Then the account becomes inaccessible from the outside world, right? Isn't the SSH daemon also disabled by default? So without remote access to the account, you cannot enable ssh? Correct me if I am wrong please.

When you say "accessible via LAN" , are you referring to your own internal network, ie other users at home / office? Or are you referring to other Unifi users within the Unifi network?

If I understand correctly, TM should disable remote management by default. They just have to reset the router upon installation. If TM requires remote management to do troubleshooting or maintenance, when a user calls the helpline, they can be instructed on how to enable the remote management, do the necessary maintenance and then reset / disable it again.

TSrizvanrp
post May 31 2010, 02:02 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



It's part of the Unifi installation process to enable remote management for some reason. It's disabled in a fresh reset but the technicians will enable it. Don't ask me why :S

The SSH server is always running. Even when you do a reset, it's still running. The box in the 2ndary account for SSH access will be unticked, which only means the WAN (others on the internet) cannot access the SSH daemon. Other people on your LAN (192.168.0.0/24) will be able to access it fine when it's not 'enabled' in the web user interface. That's why I say it's still a risk to people running open Unifi hotspots at shops.
mylinear
post May 31 2010, 02:29 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
QUOTE(skincladalien @ May 31 2010, 01:20 PM)
I just had lunch with someone. Can't reveal much but look up the Space Shuttle Challenger case study, and relate it to a big Government linked company like TM...

That's the max hint I can give.
*
You may not want to give hints on the details, but at least hint more on the general topic you are referring to...

Guesses..

1. Is TM going to contact these forum admins and request that this and other similar topics about TM be removed or banned? Or the media has been informed not to take up this matter?

2. TM is fully aware of this but they are waiting for something to happen first, then take action or come up with excuses later?
I would think security professionals would rather be pro-active about security rather than re-active.

3. rizvanrp is going to be blown up via remote management?...??

zstan
post May 31 2010, 02:53 PM

10k Club
********
All Stars
14,459 posts

Joined: Nov 2007



first and foremost,

thanks rizvanrp for the post!

so what's the conclusion for all these?

don't subscribe to unifi?

p/s: not a tech savvy person, don't get 90% of things u guys talking. except TM can rob ur porn.
cannavaro
post May 31 2010, 03:25 PM

CATTENACIO
*******
Senior Member
2,959 posts

Joined: Sep 2005
From: T.T.D.I, Bukit Damansara


QUOTE(rizvanrp @ May 31 2010, 01:12 PM)
admin and an empty pass works on some Unifi routers with older firmware <7.05. The newer one is admin and 'telekom' as the pass.
*
Mine is version 7.05. Login is 'admin' and password is blank. Got it from the installer btw.
Ah.. so telekom is the pass for... let me try when I get home.
sevenBYseven
post May 31 2010, 06:29 PM

New Member
*
Newbie
0 posts

Joined: Oct 2009
QUOTE(rizvanrp @ May 31 2010, 02:02 PM)
It's part of the Unifi installation process to enable remote management for some reason. It's disabled in a fresh reset but the technicians will enable it. Don't ask me why :S

The SSH server is always running. Even when you do a reset, it's still running. The box in the 2ndary account for SSH access will be unticked, which only means the WAN (others on the internet) cannot access the SSH daemon. Other people on your LAN (192.168.0.0/24) will be able to access it fine when it's not 'enabled' in the web user interface. That's why I say it's still a risk to people running open Unifi hotspots at shops.
*
my friend told me they enable the remote management for FIRST level troubleshooting purposes done by the network operation center, to "see" our router (damaged or not) in case our service is down, before they send their tech to the cust house...

i still remember somebody mentioned his router suddenly rebooted just about a minute after he called the Unifi support center.

cannavaro
post May 31 2010, 07:58 PM

CATTENACIO
*******
Senior Member
2,959 posts

Joined: Sep 2005
From: T.T.D.I, Bukit Damansara


Well thank you for the hint rizvanrp. Finally got access to the 'true' admin account.
76radius
post May 31 2010, 08:27 PM

Getting Started
**
Junior Member
221 posts

Joined: Jan 2006


QUOTE(cannavaro @ May 31 2010, 08:58 PM)
Well thank you for the hint rizvanrp. Finally got access to the 'true' admin account.
*
Yeah. Thanks to Rizvanrp & Cannavaro for the Hints. I definitely wanna make DIR615 as a "Back-up" Vlan Bridge. Hahahaha. Fun Fun Fun!!!!
silverhawk
post May 31 2010, 11:30 PM

I'm Positively Lustrous
Group Icon
Elite
4,088 posts

Joined: Jan 2003


Rizvan, good job as usual

t3chn0m4nc3r
post Jun 1 2010, 12:07 AM

Teh Necron Lord
*******
Senior Member
4,139 posts

Joined: Sep 2006
From: Internet


allow me to say these:

1) TM staff are mostly less IT-literate than any IT personnel in other large IT MNC firms.

2) TM management are mostly completely IT-illiterate.

3) TM 2 dumb to know all this and assumes the public are no better than them.


Added on June 1, 2010, 12:20 am
QUOTE(DeniseLau @ May 30 2010, 10:46 PM)
What's the issue with using your own router? Wouldn't it work?
*

this info will be very very much appreciated if any1 has it...


This post has been edited by t3chn0m4nc3r: Jun 1 2010, 12:20 AM
HeHeHunter
post Jun 1 2010, 01:24 AM

On my way
****
Senior Member
664 posts

Joined: Dec 2006
QUOTE(t3chn0m4nc3r @ Jun 1 2010, 12:07 AM)
allow me to say these:

1) TM staff are mostly less IT-literate than any IT personnel in other large IT MNC firms.

2) TM management are mostly completely IT-illiterate.

3) TM 2 dumb to know all this and assumes the public are no better than them.
*
You're wrong. They are smarter than us. Or else, they would be the one working for us instead of the other way round.

Anyway, time to boot up backtrack now~
nitewish
post Jun 1 2010, 02:06 AM

Viva La Resistance
*****
Senior Member
810 posts

Joined: Feb 2008
From: 127.0.0.1



are both global account and the ssh accounts the same?

edit: never mind, i figured it out. =D

This post has been edited by nitewish: Jun 1 2010, 03:04 AM
MX510
post Jun 1 2010, 09:07 AM

Love Me Sin Hate Me Sinner
*******
Senior Member
3,961 posts

Joined: Aug 2005
From: Earth



TM also did this on their GITN Customers
faud
post Jun 1 2010, 07:18 PM

New Member
*
Newbie
0 posts

Joined: Sep 2009


u all who read this must understand what "ISP" stands for. As an Internet Service Provider, all they can do is to give internet access to customers. n they manage to give it. the problem is about that modem. the D-link modem. they should be blamed bcause they set the default settings. i think TM has no rights to change the default settings except the ones that have to do with internet access.

about the question on whether people can change the modem..... i think they can't.... bcoz it has something to do with the main equipment at the TM office n the MAC address of the modem (my friend at TM told me). so if u n ur neighbour both subscribe to unifi, their modems can't be exchanged even though they have the same modem brand....

try to google about the d-link modem to find more answers
ihsan
post Jun 1 2010, 07:29 PM

Regular
Group Icon
Elite
1,235 posts

Joined: Jan 2003
From: kuala lipis
i think the issue is not about running an ssh daemon or not. most routers run ssh on the internet-facing segment so no biggie. the real issue in my opinion is the fact that the remote management is enabled for the 0/0 network which actually means anyone including my mother can access any resources in the router.

so if it's part of the t&c that tm can and must access the RG then they can do that. the incompetent part of this is opening it up for all the world to access. ideally the router should only be accessible from a trusted/authorized segment which has to be explicitly specified in the remote management section.
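An added example (not code from this thread, from TM or from D-Link) of the check the post above describes: given a router's remote-management settings, flag any management port reachable from 0.0.0.0/0 or another wide range, and rewrite the allowed-source list to an explicit trusted segment. The RemoteMgmt shape, the /24 "trusted segment" threshold and the 203.0.113.0/24 NOC range are assumptions made for the example.

```python
"""Audit a router's remote-management exposure (constructed example).

Models the point made in the post: remote management allowed from 0.0.0.0/0
exposes the management ports (TCP 22/23/80/8080/443, the ports the thread's
fix blocks) to the whole Internet, whereas an explicit trusted segment limits
who can even attempt a login. The config shape and samples are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Management ports named in the thread's 'fix' (block these from WAN).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 8080: "http-alt", 443: "https"}

# Largest source range still treated as a 'trusted segment' (assumption: a /24).
MAX_TRUSTED_PREFIX = 24


@dataclass(frozen=True)
class RemoteMgmt:
    """Remote-management settings as an admin page would expose them (constructed shape)."""
    enabled: bool
    allowed_sources: tuple[str, ...]   # CIDR strings such as "0.0.0.0/0" or "10.20.30.0/24"
    ports: tuple[int, ...]


def audit(cfg: RemoteMgmt) -> list[str]:
    """Return one finding per (port, source) pair that is exposed too widely.

    An empty list means remote management is disabled or restricted to
    sources no larger than a /24.
    """
    findings: list[str] = []
    if not cfg.enabled:
        return findings
    for port in cfg.ports:
        service = MANAGEMENT_PORTS.get(port, "unknown")
        for src in cfg.allowed_sources:
            net = ipaddress.ip_network(src, strict=False)
            if net.prefixlen == 0:
                # 0.0.0.0/0: the '0/0' case from the post, anyone on the Internet may connect.
                findings.append(f"tcp/{port} ({service}) open to any source ({net})")
            elif net.prefixlen < MAX_TRUSTED_PREFIX:
                findings.append(
                    f"tcp/{port} ({service}) allowed from a wide range {net} "
                    f"({net.num_addresses} addresses)")
    return findings


def exposure(cfg: RemoteMgmt) -> str:
    """Classify the config as 'disabled', 'open', 'wide' or 'restricted'."""
    if not cfg.enabled:
        return "disabled"
    findings = audit(cfg)
    if any("open to any source" in f for f in findings):
        return "open"
    if findings:
        return "wide"
    return "restricted"


def restrict_to(cfg: RemoteMgmt, trusted: list[str]) -> RemoteMgmt:
    """Return a copy whose allowed sources are exactly the given trusted segments.

    Raises ValueError if a 'trusted' segment is itself wider than a /24, so a
    0.0.0.0/0 cannot be smuggled back in under a different name.
    """
    for src in trusted:
        if ipaddress.ip_network(src, strict=False).prefixlen < MAX_TRUSTED_PREFIX:
            raise ValueError(f"{src} is too wide to be a trusted management segment")
    return RemoteMgmt(cfg.enabled, tuple(trusted), cfg.ports)


# Constructed sample: the situation described in the thread (enabled, 0/0) ...
AS_INSTALLED = RemoteMgmt(enabled=True, allowed_sources=("0.0.0.0/0",), ports=(22, 80, 443))
# ... and the same router with access limited to a made-up ISP NOC segment.
HARDENED = restrict_to(AS_INSTALLED, ["203.0.113.0/24"])

if __name__ == "__main__":
    for label, cfg in (("as installed", AS_INSTALLED), ("hardened", HARDENED)):
        print(f"{label}: {exposure(cfg)}")
        for finding in audit(cfg):
            print("  -", finding)
```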
t3chn0m4nc3r
post Jun 1 2010, 08:48 PM

Teh Necron Lord
*******
Senior Member
4,139 posts

Joined: Sep 2006
From: Internet


QUOTE(HeHeHunter @ Jun 1 2010, 01:24 AM)
You're wrong. They are smarter than us. Or else, they would be the one working for us instead of the other way round.

Anyway, time to boot up backtrack now~
*

u work for TM...? don think so... u pay TM bill 1 la...
HeHeHunter
post Jun 1 2010, 09:01 PM

On my way
****
Senior Member
664 posts

Joined: Dec 2006
QUOTE(t3chn0m4nc3r @ Jun 1 2010, 08:48 PM)
u work for TM...? don think so... u pay TM bill 1 la...
*
You don't pay TM bill, they suspend your account.
mitodna
post Jun 2 2010, 10:50 AM

Getting Started
********
All Stars
13,866 posts

Joined: Jan 2003
For ISP remote management, there is something called TR-069 right?
silverhawk
post Jun 2 2010, 12:11 PM

I'm Positively Lustrous
Group Icon
Elite
4,088 posts

Joined: Jan 2003


Link to this topic has been spreading a lot today on twitter
TehWateva
post Jun 2 2010, 12:38 PM

Schadenfreude Beaches.
******
Senior Member
1,422 posts

Joined: Sep 2005
From: Kay Elle



Actually it's not really that surprising that remote management is enabled. I've worked for another ISP and we have access to the company given routers that can be accessed via Remote management to check if there's anything wrong with the line. Though this feature is only available to corporate level clients.
atomica
post Jun 2 2010, 01:04 PM

Casual
***
Junior Member
340 posts

Joined: Nov 2006
Can someone PM me the default password for the firmware > 7.05?

Wish to test.

Tks.
almaty
post Jun 2 2010, 01:10 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
QUOTE(faud @ Jun 1 2010, 07:18 PM)
u all who read this must understand what "ISP" stands for. As an Internet Service Provider, all they can do is to give internet access to customers. n they manage to give it. the problem is about that modem. the D-link modem. they should be blamed bcause they set the default settings. i think TM has no rights to change the default settings except the ones that have to do with internet access.

about the question on whether people can change the modem..... i think they can't.... bcoz it has something to do with the main equipment at the TM office n the MAC address of the modem (my friend at TM told me). so if u n ur neighbour both subscribe to unifi, their modems can't be exchanged even though they have the same modem brand....

try to google about the d-link modem to find more answers
*
eh apologist. firstly it's a wifi router. secondly, stop deflecting blame to dlink!!
that router is a custom router that tm OEM'd from dlink. you can't buy it off the shelf from any store.
it is a tm router. i don't care if dlink or flink or nolink or slolink made it.

the tm logo is pasted everywhere.




HeHeHunter
post Jun 2 2010, 01:13 PM

On my way
****
Senior Member
664 posts

Joined: Dec 2006
QUOTE(almaty @ Jun 2 2010, 01:10 PM)
eh apologist. firstly it's a wifi router. secondly, stop deflecting blame to dlink!!
that router is a custom router that tm OEM'd from dlink. you can't buy it off the shelf from any store.
it is a tm router. i don't care if dlink or flink or nolink or slolink made it.

the tm logo is pasted everywhere.

*
Actually, we can flash it with WRT firmware.
TSrizvanrp
post Jun 2 2010, 01:16 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(faud @ Jun 1 2010, 07:18 PM)
u all who read this must understand what "ISP" stands for. As an Internet Service Provider, all they can do is to give internet access to customer. n they manage to give it. the problem is about that modem. the D-link modem. they should be blame bcause they set the default settings. i think TM have no rights to change the default setting except the one that has to do with internet access.

about the question on can people change the modem..... i think they cant.... bcoz it has something to do with the main equipment at TM office n MAC address of the modem(my friend at TM told me). so if u n ur neighbour both subscribe unfi, their modem cant be exchange eventhough they have the same modem brand....

try to google about the d-link modem to find more answers
*
I've already broken their IPTV, VLAN tagging, bandwidth limits and now this stupid router account. Did all my own research using Linux, wireshark and a 10mbps ISDN hub from 10 years ago.

PPPoE can use MAC authentication but it's not set on Unifi or streamyx at the moment. Even if they did use MAC authentication, most routers have MAC address cloning/spoofing features even on their stock firmware. TM seems to not know the capabilities of their own equipment at the moment.

I didn't get this information from a friend of a friend who works at TM or anything, I just observed the protocols, system configuration and made my own assumptions (which 95%+ of the time turned out to be correct).

Anyway, just uploaded some material regarding Unifi on my own site @ http://unifi.athena.my/ or http://athena.my/unifi . Should be sufficient to get you running on your own router hardware using the DIR-615 as a VLAN bridge (which they still claim is impossible).

@ihsan

Having the SSHd enabled alone allows them to turn every router into a proxy using SSH tunneling. It's not necessary to have SSH at all since the web interface provides all the necessary tools.. and there are TTL connectors on the DIR-615 board which allow for serial connections. Hiding the account made us crack our heads for months wondering what would be a good VLAN switch to use as a bridge when the DIR-615 could be used all along.. something they denied was possible. I'm sure newbies won't mind letting TM's support staff access their router to help them troubleshoot the situation but advanced users and corporations may not feel comfortable with that sort of thing. Even if this was the case, TM wouldn't be able to access the router remotely if the HSBB line was having connection issues.

I'm already getting tons of PMs from non-Unifi users regarding how to do this while pretending to be Unifi users, it's like they can taste the premium HSBB bandwidth or something.

---

I'm also just scratching the surface of this exploit here, the GPON routers (Fiberhome) are also not configured properly and open to outsider access but thankfully they operate at a much lower layer.

This post has been edited by rizvanrp: Jun 2 2010, 02:59 PM
knuxed
post Jun 2 2010, 02:43 PM

Regular
******
Senior Member
1,877 posts

Joined: Jan 2003
From: Bangsar,Kuala Lumpur



this is brilliant,thanks riz
cannavaro
post Jun 2 2010, 02:57 PM

CATTENACIO
*******
Senior Member
2,959 posts

Joined: Sep 2005
From: T.T.D.I, Bukit Damansara


QUOTE(rizvanrp @ Jun 2 2010, 01:16 PM)
I'm already getting tons of PMs from non-Unifi users regarding how to do this while pretending to be Unifi users, it's like they can taste the premium HSBB bandwidth or something.
*
I also got a few PMs regarding the username/password... which is a no brainer really if you read some posts properly.
Moogle Stiltzkin
post Jun 2 2010, 03:06 PM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(almaty @ Jun 2 2010, 01:10 PM)
eh apologist. firstly its a wifi router. secondly, stop deflecting blame to dlink!!
that router is a custom router that tm oem-d from dlink. you cant buy it off the shelf from any store.
it is a tm router. i dont care if dlink or flink or nolink or slolink made it.

the tm logo pasted everywhere.

*
Oem or not the hardware is still a piece of shit for p2p especially and that is the truth.

QUOTE
But, more significantly, the 615 could reliably sustain only 32 connections in the maximum simultaneous connections test. Ubicom questioned these results when they first posted in the charts and said its tests (also done with IxChariot) produced results more like the 625's. D-Link had no comment on the results.


WAN to LAN Throughput: 87.5 Mbps

LAN to WAN Throughput: 88.1 Mbps

Total Simultaneous Throughput: 62.1 Mbps

Maximum Simultaneous Connections: 32  !!!

http://www.smallnetbuilder.com/content/view/30349/187/



All tmnut did was make a piece of shit an even bigger pile of shit (which sadly they proved possible by making it a security disaster and needlessly not letting their users use their own routers)

This post has been edited by Moogle Stiltzkin: Jun 2 2010, 03:21 PM
ihsan
post Jun 2 2010, 05:20 PM

Regular
Group Icon
Elite
1,235 posts

Joined: Jan 2003
From: kuala lipis
QUOTE(rizvanrp @ Jun 2 2010, 01:16 PM)
@ihsan

Having the SSHd enabled alone allows them to turn every router into a proxy using SSH tunneling. It's not necessary to have SSH at all since the web interface provides all the necessary tools.. and there are TTL connectors on the DIR-615 board which allow for serial connections. Hiding the account made us crack our heads for months wondering what would be a good VLAN switch to use as a bridge when the DIR-615 could be used all along.. something they denied was possible. I'm sure newbies won't mind letting TM's support staff access their router to help them troubleshoot the situation but advanced users and corporations may not feel comfortable with that sort of thing. Even if this was the case, TM wouldn't be able to access the router remotely if the HSBB line was having connection issues.
if the access list only allows a certain range to access the box, then only from that segment can someone tunnel over SSH. since I would think that the router's origin has to be Linux or something similar to that, i figure an sshd daemon is needed to do low-level diagnostics or configuration, since you expose yourself to unnecessary risk if you open up low level access via a web application. of course there's a way to mitigate the level of compromise i.e. webapp speaks to a system daemon via a restricted socket etc, but i doubt that current breeds of RGs have that level of sophistication.

back to the question whether or not it's appropriate to have low-level access from the perspective of remote RG management, i think it's more of a matter of policy. and of course having said that, the password management could have been done better.

good job for the exposé. it takes just one exploit for them to feel the heat.

This post has been edited by ihsan: Jun 2 2010, 05:25 PM
TSrizvanrp
post Jun 2 2010, 05:36 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



@ihsan

I completely agree that they botched the access control for the router.

Regarding policy, I'm not really contending the fact that they can decide if they want to have access to their own hardware. After all, none of us actually bought the DIR-615 from them. I just wish that they would have a less restrictive and more open policy when it comes to the hardware. If they had informed us about this second account, not only would we have been able to avoid this whole security fiasco.. we would have been able to use our own routers with their system for internet access from the very beginning.

I think they should have remote access up to the Fiberhome unit but beyond that it's really up to the users what hardware they want to use. There's no hardware policy on Streamyx, there shouldn't be one on Unifi either. I don't really want them telling me what router I can or cannot use with Unifi and judging by the response I've received from other users on LYN, I think they feel the same way. When it comes to securing my network, I've never trusted TM from day one.
TheFalcon
post Jun 2 2010, 06:05 PM

Getting Started
**
Junior Member
124 posts

Joined: Jan 2003
From: Subang Jaya


this thread is in the news already
kaka

surely tm will see it now

http://www.themalaysianinsider.com/malaysi...hacking-spying/
ayamkambing
post Jun 2 2010, 06:29 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


Why is this place all YELLOW??? i thought i was in some Digi ad or something
Kravo
post Jun 2 2010, 06:36 PM

Regular
******
Senior Member
1,194 posts

Joined: Apr 2006
moral of the lesson:

can you trust tmnut?

absolutely no.
almaty
post Jun 2 2010, 06:36 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
bcoz we like the yellow fellow not the copycat blue bear
Neptern
post Jun 2 2010, 06:38 PM

Casual
***
Junior Member
424 posts

Joined: Aug 2005
I'm curious what kind of lame ass response will tmnut give smile.gif
TSrizvanrp
post Jun 2 2010, 06:43 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(Neptern @ Jun 2 2010, 06:38 PM)
I'm curious what kind of lame ass response will tmnut give smile.gif
*
TMnet cable fault.. in your router. icon_idea.gif
gnx
post Jun 2 2010, 06:50 PM

New Member
*
Junior Member
43 posts

Joined: Jun 2006
TheStar has the news as well.

http://techcentral.my/news/story.aspx?file...235&sec=IT_News
ayamkambing
post Jun 2 2010, 07:00 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


QUOTE(gnx @ Jun 2 2010, 06:50 PM)
Will TMNet sue "rizvanrp" for exposing them? maybe say he is defaming TMNet? blink.gif
almaty
post Jun 2 2010, 07:07 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
he is stating a fact/truth. he has nothing to worry about. tm should thank him.

klseet
post Jun 2 2010, 07:27 PM

Getting Started
**
Junior Member
130 posts

Joined: Mar 2008
I was reading:
http://www.themalaysianinsider.com/malaysi...hacking-spying/
and the link leads me to here....

How ignorant yet stupid enough to turn on remote access with a guessable or findable password.... this is terrible .... what the hell is TM doing ?? shocking.gif

I must thank "rizvanrp" for discovering the facts rclxms.gif
at least now the public know TM is trying to do some funny things at our back door without our knowledge. mad.gif
ayamkambing
post Jun 2 2010, 07:31 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


QUOTE(almaty @ Jun 2 2010, 07:07 PM)
he is stating a fact/truth. he has nothing to worry about. tm should thank him.
*
Butthurt companies don't like the truth where it hurts them at their pockets and reputation. A lawsuit may happen.
almaty
post Jun 2 2010, 07:46 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
Unifi ‘backdoor’ allows hacking, spying

http://blog.limkitsiang.com/2010/06/02/uni...hacking-spying/

read the first comment in the blog. carboncopy is wondering whether unifi users can file class action suit against tm LOL.

on the other hand i wonder what other manufacturers like linksys, aztech for eg think about unifi and the dir-615 exclusivity.



This post has been edited by almaty: Jun 2 2010, 07:59 PM
soundsyst64
post Jun 2 2010, 07:50 PM

I'm No-Longer-Noobs
*******
Senior Member
3,725 posts

Joined: Jul 2005
From: In /hardware/

QUOTE(ayamkambing @ Jun 2 2010, 07:00 PM)
Will TMNet sue "rizvanrp" for exposing them? maybe say he is defaming TMNet?  blink.gif
*
how to sue. Do they know rizvanrp in the first place? And do they know that they violate their own T&C ? biggrin.gif
skincladalien
post Jun 2 2010, 07:50 PM

Densha Otaku
******
Senior Member
1,888 posts

Joined: Jan 2003
From: New Selangor ^.^Y


i guess the challenger has blown up now. Wonder how the TM team gonna solve this
nitewish
post Jun 2 2010, 07:51 PM

Viva La Resistance
*****
Senior Member
810 posts

Joined: Feb 2008
From: 127.0.0.1



lol from TM's tweet
http://bit.ly/a4h2qs
soundsyst64
post Jun 2 2010, 07:53 PM

I'm No-Longer-Noobs
*******
Senior Member
3,725 posts

Joined: Jul 2005
From: In /hardware/

News Release

2 June 2010


STATEMENT


Telekom Malaysia Berhad (TM) wishes to clarify the concerns raised by various parties with regards to the remote accessibility of UniFi routers which are part of the customer premises equipment (CPE) for all UniFi subscribers.

TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.

TM takes note of the security concerns that have been raised, and we have taken these issues to heart.

TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.
ayamkambing
post Jun 2 2010, 07:54 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


QUOTE(soundsyst64 @ Jun 2 2010, 07:50 PM)
how to sue. Do they know rizvanrp in the first place? And do they know that they violate their own T&C ? biggrin.gif
*
Suing a forummer is an easy task. All u need is police report and/or lawyers letter to demand such, and can hold this forum board accountable.

So if want to say something bad about TMnet, careful la. Now all blogs and news site points to this thread...so careful abit. tongue.gif


Added on June 2, 2010, 7:56 pm
QUOTE(soundsyst64 @ Jun 2 2010, 07:53 PM)
News Release

2 June 2010


STATEMENT


Telekom Malaysia Berhad (TM) wishes to clarify the concerns raised by various parties with regards to the remote accessibility of UniFi routers which are part of the customer premises equipment (CPE) for all UniFi subscribers.

TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.

TM takes note of the security concerns that have been raised, and we have taken these issues to heart.

TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.
*
Not good enough

Remote access should only be granted on a need-to basis by the client, and no TM staff should know nor be allowed such access unless explicitly granted.

They still want to maintain it. How can they assure that their TM staff don't exploit it?

This post has been edited by ayamkambing: Jun 2 2010, 07:56 PM
MX510
post Jun 2 2010, 08:05 PM

Love Me Sin Hate Me Sinner
*******
Senior Member
3,961 posts

Joined: Aug 2005
From: Earth



Actually they also did this on their corporate customer it just ur router username n password tongue.gif . Nobody can install anything into it tongue.gif . Even default username n password for Streamyx are also unsecured if u set the modem dial and store ur password in there tongue.gif
lok3i
post Jun 2 2010, 08:07 PM

cycling for a healthy life
****
Senior Member
559 posts

Joined: Mar 2009


rizvanrp really famous this time..
TM screw up..
TSrizvanrp
post Jun 2 2010, 08:10 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



QUOTE(MX510 @ Jun 2 2010, 08:05 PM)
Actually they also did this on their corporate customer it just ur router username n password tongue.gif . Nobody can install anything into it tongue.gif . Even default username n password for Streamyx are also unsecured if u set the modem dial and store ur password in there tongue.gif
*
MX there's a difference between their Riger DSL modem which is pretty crappy and only has a web UI compared to a custom made DLINK DIR-615 with full SSH access.. full SSH access you can SSH tunnel.. you can view the conntrack table.. you can modify the iptables and DNS servers to redirect users to phishing sites..
almaty
post Jun 2 2010, 08:13 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
QUOTE(ayamkambing @ Jun 2 2010, 07:54 PM)
Remote access should only be granted on a need-to basis by the client, and no TM staff should know nor be allowed such access unless explicitly granted.

They still want to maintain it. How can they assure that their TM staff don't exploit it?
*
exactly. totally agree with you on this.

example...employee plans to leave tm or finds out he is getting fired etc...he starts to collect user/pwd wink.gif




ayamkambing
post Jun 2 2010, 08:16 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


QUOTE(rizvanrp @ Jun 2 2010, 08:10 PM)
MX there's a difference between their Riger DSL modem which is pretty crappy and only has a web UI compared to a custom made DLINK DIR-615 with full SSH access.. full SSH access you can SSH tunnel.. you can view the conntrack table.. you can modify the iptables and DNS servers to redirect users to phishing sites..
*
Sir, this is very greek to me. icon_question.gif
TSrizvanrp
post Jun 2 2010, 08:17 PM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



MX will understand biggrin.gif
MX510
post Jun 2 2010, 08:21 PM

Love Me Sin Hate Me Sinner
*******
Senior Member
3,961 posts

Joined: Aug 2005
From: Earth



QUOTE(rizvanrp @ Jun 2 2010, 08:10 PM)
MX there's a difference between their Riger DSL modem which is pretty crappy and only has a web UI compared to a custom made DLINK DIR-615 with full SSH access.. full SSH access you can SSH tunnel.. you can view the conntrack table.. you can modify the iptables and DNS servers to redirect users to phishing sites..
*
I don't see much exploit that can be installed inside the router itself. Only, as u said, they can view connections and iptables and DNS servers :-) . Anyway it's good that u point up the issues, as i already noticed that they did it as common practice among their users since years ago and applied it for Unifi.

As i also in my case did change the username n password default for my router in my office that use GITN line hehe they give a call and ask me why did i change it tongue.gif because they want to monitor tongue.gif.

CODE
TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.


Anyway u just give UniFi teams more work to do and set up their own database of unique passwords for each customer. As the issue already went public on www.thestar.com.my

CODE
TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.


Hehehe just for those who set username n password for PPPoE into ur ADSL modem also pls change the default password because ppl can scan ip and get into ur ADSL modem and get ur username n password.


nitewish
post Jun 2 2010, 08:23 PM

Viva La Resistance
*****
Senior Member
810 posts

Joined: Feb 2008
From: 127.0.0.1



reminds me of the usual streamyx's default password tmnet123 =x

edit: by the way, what's TR-069, can we disable that feature as well?

This post has been edited by nitewish: Jun 2 2010, 08:26 PM
Mido575
post Jun 2 2010, 08:39 PM

Getting Started
**
Junior Member
123 posts

Joined: May 2010


may i know how to change the default password to my desired pw in a belkin modem setting?
ayamkambing
post Jun 2 2010, 08:47 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


Not to mention how TMNut's tech came and set the default WEP wifi security as aabbccddeeff for the end users who got their streamyx package including a wifi modem

How LAX! Shit work. Exposing unknown issues to their clients.
ycs
post Jun 2 2010, 08:53 PM

MEMBER
*******
Senior Member
3,172 posts

Joined: Jan 2003
From: Selangor



headline story in M Insider:

Attached Image

This post has been edited by ycs: Jun 2 2010, 08:55 PM
ayamkambing
post Jun 2 2010, 09:00 PM

Getting Started
**
Junior Member
66 posts

Joined: Aug 2009
From: Kenpachi Fried Chicken!


QUOTE(ycs @ Jun 2 2010, 08:53 PM)
headline story in M Insider:

Attached Image
*
wow, spilling blood!!! must go until spill blood? TMnet may be bad, no need spill blood! icon_question.gif
almaty
post Jun 2 2010, 09:05 PM

Enthusiast
*****
Senior Member
944 posts

Joined: Jan 2003
From: does not exist
that pic has something to do with israel?
funny to see the word hack and the pic...are you trying to insinuate something biggrin.gif

prasys
post Jun 2 2010, 09:18 PM

Heros Never Die
Group Icon
Staff
12,925 posts

Joined: Mar 2005
From: Kuala Lumpur
QUOTE(ycs @ Jun 2 2010, 08:53 PM)
headline story in M Insider:

Attached Image
*
You could post a link rather than posting a screenshot

Anyway it's

http://www.themalaysianinsider.com/malaysi...hacking-spying/


mylinear
post Jun 2 2010, 09:50 PM

Enthusiast
*****
Senior Member
974 posts

Joined: Jan 2009
IMO, TM has shown:

QUOTE(soundsyst64 @ Jun 2 2010, 07:53 PM)
TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.
*
1. Failure to make users fully aware of such remote access in the first place.

2. Failure to realise that they cannot guarantee that the remote access would only be used by their support personnel and not a third party, especially with a weak password being used.

3. Failure to take into consideration the security aspects of the users, rather than focusing on easier support

QUOTE(soundsyst64 @ Jun 2 2010, 07:53 PM)
TM takes note of the security concerns that have been raised, and we have taken these issues to heart.
*
4. Failure to "get away" by trying to use "security by obscurity" method.

QUOTE(soundsyst64 @ Jun 2 2010, 07:53 PM)
TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.
*
5. Failure to be pro-active, rather than re-active. The proposed unique password method could have been done right from the start.

6. Failure to follow some basic rules of creating passwords:
- do not use simple passwords
- do not use dictionary words or simple words as passwords
- do not use the same password on multiple accounts / services
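The three password rules just listed are easy to state and, on a fleet of routers, easy to check mechanically. The following is an added example (not code from this thread, TM or D-Link) of a small audit that walks a list of (device, account, password) records and reports each rule breach; the wordlist, the device ids and every password in it are constructed sample data, and the shared-credential finding is keyed by a hash so the report does not echo the secret:

```python
"""Fleet password audit for the three rules above: no simple passwords,
no dictionary words, no password shared across accounts or devices.

Added example, not code from this thread, TM or D-Link. The wordlist,
the device ids and every password below are constructed sample data."""
import hashlib
import re
from collections import defaultdict

# Constructed mini wordlist; a real audit would load a full dictionary
# plus the vendor's known default credentials.
WORDLIST = {"password", "admin", "operator", "router", "unifi", "letmein"}

MIN_LENGTH = 10


def is_simple(password: str) -> bool:
    """Simple = shorter than MIN_LENGTH, or a single character class."""
    return len(password) < MIN_LENGTH or password.isalpha() or password.isdigit()


def is_dictionary_word(password: str) -> bool:
    """A wordlist entry, optionally padded with up to four trailing digits
    (the usual 'admin1234' pattern)."""
    m = re.fullmatch(r"([A-Za-z]+)\d{0,4}", password)
    return bool(m) and m.group(1).lower() in WORDLIST


def fingerprint(password: str) -> str:
    """Short hash so findings can be reported without echoing the secret."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(accounts):
    """accounts: iterable of (device_id, username, password).

    Returns {'weak': [(device, user), ...],
             'dictionary': [(device, user), ...],
             'shared': {fingerprint: [(device, user), ...]}}.
    'shared' lists every credential used by more than one account; on a
    fleet that is the finding that turns one compromised box into all of them.
    """
    findings = {"weak": [], "dictionary": [], "shared": {}}
    by_password = defaultdict(list)
    for device, user, password in accounts:
        key = (device, user)
        if is_simple(password):
            findings["weak"].append(key)
        if is_dictionary_word(password):
            findings["dictionary"].append(key)
        by_password[password].append(key)
    for password, keys in by_password.items():
        if len(keys) > 1:
            findings["shared"][fingerprint(password)] = keys
    return findings


# Constructed sample fleet: rg-0001's admin password is unique and strong;
# 'operator' uses one password on every device, the flaw the thread is about.
SAMPLE_ACCOUNTS = [
    ("rg-0001", "admin", "Kx7!pq2mV9eR"),
    ("rg-0001", "operator", "operator123"),
    ("rg-0002", "admin", "password1"),
    ("rg-0002", "operator", "operator123"),
    ("rg-0003", "admin", "admin"),
    ("rg-0003", "operator", "operator123"),
]


def audit_sample():
    return audit(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for category, hits in audit_sample().items():
        print(category, hits)
```

On the sample fleet the audit flags two weak admin passwords, five dictionary-based ones, and a single shared credential used by the operator account on all three devices; in practice the wordlist would be a full dictionary plus the vendor's published defaults, and the input would come from the provisioning database rather than an inline list.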

druppert
post Jun 2 2010, 10:26 PM

New Member
*
Newbie
0 posts

Joined: Jun 2010
Sorry if i ask so directly BUT what is the higher-level admin login ? I do have the firmware 7.05.
What do you mean by "If you're a Unifi user on firmware 7.05, if you read everything in the management page you can find the username for this account. The pass is the same, ..."

Please help - I do need to change it!

Thanks!!
silverhawk
post Jun 2 2010, 10:47 PM

I'm Positively Lustrous
Group Icon
Elite
4,088 posts

Joined: Jan 2003


I wub twitter <3

I bet the tmnet guys have rizvanrp's username and avatar pinned up on the wall and throwing knives at it laugh.gif Making their job a lot harder tongue.gif


schmeichel7
post Jun 3 2010, 12:05 AM

The JERSEYMAN
Group Icon
Elite
2,475 posts

Joined: Jan 2003
From: Shah Alam


When I got my unifi installed last month.. I tweaked around the router (to change the DHCP addressing etc etc) and I notice the remote management feature is enabled by default.. Luckily I've turned it off ever since.. because I know, there is no need to remotely configure it since I can do so directly... Phewww...

Thanks rizvanrp for the info.
klseet
post Jun 3 2010, 12:16 AM

Getting Started
**
Junior Member
130 posts

Joined: Mar 2008
After much of pressure, now TM have to change:

http://www.themalaysianinsider.com/malaysi...ccess-settings/

ciohbu
post Jun 3 2010, 12:19 AM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
TM..TM... still think Malaysians are stupid..

and credit to those ZTE's network engineer hired by TM + TM CCIEs .. tongue.gif

This post has been edited by ciohbu: Jun 3 2010, 12:38 AM
SlayerXT
post Jun 3 2010, 01:25 AM

PRIDE!
*******
Senior Member
2,042 posts

Joined: Jan 2003
From: KL



QUOTE(ciohbu @ Jun 3 2010, 12:19 AM)
TM..TM... still think Malaysians are stupid..

and credit to those ZTE's network engineer hired by TM + TM CCIEs .. tongue.gif
*
Hey are u working for those TM ZTE companies? Don't simply spill the beans here okay tongue.gif
schmeichel7
post Jun 3 2010, 01:37 AM

The JERSEYMAN
Group Icon
Elite
2,475 posts

Joined: Jan 2003
From: Shah Alam


Actually for every user... don't be lazy.. one thing they should do is always change the default admin password for the router and also the default settings for other features (such as the WIFI hotspot WPA key).

Lucky for me because I decided to disable the 'Remote Management' feature earlier after they've installed the unifi equipment at my home after I noticed this:

user posted image

When it says "or set 0.0.0.0 to allow access to any computer on the Internet'... That made me worry and straight away I decided to disable it. Lucky me because I decided to play around with the router and change the WPA Wifi password and the admin password as well.. Funnily though, there is another message in the picture above that reminds us "For security reasons, it is recommended that you change the login password for the admin accounts"

The intentions are noble. TM created an account that can be used to remotely access by the TM staff for troubleshooting purposes. But two big mistakes were made by TM which were:

1. Customer was not told about this up front (existence of another secondary account)
2. Customer was not given the option to change the password for this secondary account (how would they even know it exists since it can't be seen by the default admin userID)

You feel a bit cheated after finding out all this..

VengenZ
post Jun 3 2010, 01:54 AM

La la la~
****
Senior Member
608 posts

Joined: Nov 2009
From: 127.0.0.1



I am proud of u rivan:
http://www.tm.com.my/about-tm/media-centre...IFIROUTERS.aspx


STATEMENT


Telekom Malaysia Berhad (TM) wishes to clarify the concerns raised by various parties with regards to the remote accessibility of UniFi routers which are part of the customer premises equipment (CPE) for all UniFi subscribers.

TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.

TM takes note of the security concerns that have been raised, and we have taken these issues to heart.

TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.


schmeichel7
post Jun 3 2010, 01:59 AM

The JERSEYMAN
Group Icon
Elite
2,475 posts

Joined: Jan 2003
From: Shah Alam


It is a shame on how this was not planned properly....

And I'm not surprised that TM quickly released that statement to safeguard their business and potential future customers.. Who wants to subscribe to unifi if they feel insecure and worried due to the risks..

If only they planned things properly in the first place.. Remote support can be done in a proper way..

This post has been edited by schmeichel7: Jun 3 2010, 02:00 AM
Moogle Stiltzkin
post Jun 3 2010, 03:57 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(VengenZ @ Jun 3 2010, 01:54 AM)
I am proud of u rivan:
http://www.tm.com.my/about-tm/media-centre...IFIROUTERS.aspx
STATEMENT


Telekom Malaysia Berhad (TM) wishes to clarify the concerns raised by various parties with regards to the remote accessibility of UniFi routers which are part of the customer premises equipment (CPE) for all UniFi subscribers.

TM would like to assure all concerned parties that the only reason the UniFi router setting for remote access is enabled is for remote access troubleshooting purposes for the express use of our technical support personnel. In the event there is a technical support issue with any of our UniFi subscribers; at the first level of troubleshooting, TM’s network operation centre (NOC) can immediately remotely diagnose the problem before sending a support team on-site.

TM takes note of the security concerns that have been raised, and we have taken these issues to heart.

TM also acknowledges that there is a need to balance the public’s level of comfort with regards to security and privacy and TM’s own commitment to faster support turnaround time. As such, TM would like to maintain the higher level of service enabled by remote access management on customer routers, and in recognition of that TM will immediately change every UniFi customers’ router management password into a high security, unique one (which will be only known to the customer and TM). TM will notify all our Unifi customers of this change accordingly.
*
This is frakkin bullshit. All they said is

1. they are keeping remote access despite our complaints for the CHOICE of not having it (we don't want them poking around inside our stuff. And we don't want a backdoor for l33t hackers.)

2. Their only solution is to change the operator password so we cannot access....... so if we can't access, how do we bypass their shitty router and use our own using Riv's method of making the Dir-615 a vlan bridge (i refuse to use their 32 concurrent connections capable hardware for routing my p2p downloads), and connect it to our own router instead. Why is tmnut ignoring the other issue at hand??? They did not even mention any solution for letting us use our own routers. That is bullshit vmad.gif

This post has been edited by Moogle Stiltzkin: Jun 3 2010, 03:59 AM
TSrizvanrp
post Jun 3 2010, 04:10 AM

Getting Started
Group Icon
Elite
189 posts

Joined: Sep 2006



Updated the Router Security guide on http://unifi.athena.my to disable TR-069
ciohbu
post Jun 3 2010, 07:53 AM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(SlayerXT @ Jun 3 2010, 01:25 AM)
Hey are u working for those TM ZTE companies? Don't simply spill the beans here okay  tongue.gif
*
i mean "credit" ... hahaaa..
flowerhorn
post Jun 3 2010, 09:09 AM

Getting Started
**
Junior Member
257 posts

Joined: Feb 2007
QUOTE(rizvanrp @ Jun 3 2010, 04:10 AM)
Updated the Router Security guide on http://unifi.athena.my to disable TR-069
*
Thx for sharing all this. Thanks for all the effort! notworthy.gif
KHS
post Jun 3 2010, 09:28 AM

New Member
*
Junior Member
41 posts

Joined: Mar 2007
this is posted on The Star also: http://techcentral.my/news/story.aspx?file...235&sec=it_news
+Newbie+
post Jun 3 2010, 10:26 AM

To be needed as The Sand's Kazekage
Group Icon
VIP
3,055 posts

Joined: Jan 2003
@rizvanrp,
Thanks for all the research and sharing them. For those whose Remote Management is enabled, did TM even bother to ensure that it is configured to allow only their own technicians to access? E.g. Lock IP address, etc.

That newspaper article did not address the main problem. shakehead.gif

QUOTE(schmeichel7 @ Jun 3 2010, 01:59 AM)
It is a shame on how this was not planned properly....

And I'm not surprised that TM quickly released that statement to safeguard their business and potential future customers.. Who wants to subscribe to unifi if they feel insecure and worried due to the risks..

If only they planned things properly in the first place.. Remote support can be done in a proper way..
*
Precisely. Remote management is not the main issue. It's the way they did it.
Not only did they not tell users, consumers and commercial, that there is a superior hidden root access account, but they also chose to use a generic password for all their routers. The way it's being done currently, it's just plain laziness.

QUOTE(Moogle Stiltzkin @ Jun 3 2010, 03:57 AM)
This is frakkin bullshit. All they said is

1. they are keeping remote access despite our complaints for the CHOICE of not having it (we don't want them poking around inside our stuff. And we don't want a backdoor for l33t hackers.)

2. Their only solution is to change the operator password so we cannot access....... so if we can't access, how do we bypass their shitty router and use our own using Riv's method of making the Dir-615 a vlan bridge (i refuse to use their 32 concurrent connections capable hardware for routing my p2p downloads), and connect it to our own router instead. Why is tmnut ignoring the other issue at hand??? They did not even mention any solution for letting us use our own routers. That is bullshit  vmad.gif
*
Actually, if you read that carefully, they said they will change the passwords and then share that password with the customer. If they live up to their word, once they change it and inform you the new password, just change it back to another password.
If TM needs access in future, let them call you and you can reset the password to a temp password, let them use it and then change the password again in future.

This post has been edited by +Newbie+: Jun 3 2010, 10:31 AM
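Two posts in this thread make the same point from different ends: ihsan's, that an access list on the management ports means only that source segment can reach SSH at all, and +Newbie+'s question above, whether remote management was ever locked to TM's own addresses. Here is an added example (not code from this thread, TM or D-Link) of that filter decision in code, followed by a check of router login records against it; the NOC range, the LAN ranges, the log format and the log lines are all constructed, and the management ports are the ones the first post lists:

```python
"""Remote-management source filtering and a check of router login records
against it, for the points raised by ihsan (an access list means only that
segment can reach SSH) and +Newbie+ (locking remote management to TM's own
addresses).

Added example, not code from this thread, TM or D-Link. The NOC range, the
LAN ranges, the log format and the log lines are all constructed."""
import ipaddress
import re

# Constructed: the only WAN-side range that should reach management ports
# (documentation prefix used as a placeholder for an operator's NOC).
ALLOWED_WAN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# Management ports listed in the first post.
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080}
# LAN-side ranges: logins from here are the owner on the local network,
# not remote management, so they are outside this check.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def wan_management_allowed(src_ip: str, dst_port: int, remote_mgmt_enabled: bool) -> bool:
    """Decision the router's WAN filter should take for a packet to dst_port.

    Remote management off: every management port is closed to the WAN.
    Remote management on: only ALLOWED_WAN_SOURCES may connect; a filter
    that accepts 0.0.0.0 (any address) gives the whole Internet a login prompt.
    """
    if dst_port not in MANAGEMENT_PORTS:
        raise ValueError("not a management port: %d" % dst_port)
    if not remote_mgmt_enabled:
        return False
    return _in_any(ipaddress.ip_address(src_ip), ALLOWED_WAN_SOURCES)


# Constructed log format: "<date> <time> <service> login <ok|failed> user=.. src=.. port=.."
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<svc>\w+) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) port=(?P<port>\d+)$"
)

# Constructed sample: one NOC login, two from arbitrary Internet addresses,
# one from the LAN.
SAMPLE_LOG = """\
2010-06-02 19:50:01 sshd login ok user=operator src=203.0.113.7 port=22
2010-06-02 20:05:13 httpd login ok user=operator src=198.51.100.23 port=8080
2010-06-02 20:06:40 sshd login failed user=admin src=192.0.2.55 port=22
2010-06-02 20:07:02 httpd login ok user=admin src=192.168.0.10 port=80
"""


def flag_remote_logins(log_text: str):
    """Return every management login attempt from a WAN address that is not
    in the allowed range. A successful one means the filter is not in place
    (or the shared password is already known); a failed one is probing."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated line; a real parser would count these
        ip = ipaddress.ip_address(m["src"])
        if _in_any(ip, LAN_RANGES) or _in_any(ip, ALLOWED_WAN_SOURCES):
            continue
        flagged.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                        "port": int(m["port"]), "result": m["result"]})
    return flagged


if __name__ == "__main__":
    for hit in flag_remote_logins(SAMPLE_LOG):
        print("%(ts)s %(result)s login as %(user)s from %(src)s:%(port)d" % hit)
```

With remote management simply switched off, as the first post recommends, `wan_management_allowed` returns False for every WAN source, which is the safest setting for a home user; the allowlist form is what an operator who insists on keeping remote access would need, together with a per-device password, before the login log above stops showing successful operator logins from arbitrary addresses.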
Moogle Stiltzkin
post Jun 3 2010, 10:36 AM

Look at all my stars!!
*******
Senior Member
3,594 posts

Joined: Jan 2003
QUOTE(+Newbie+ @ Jun 3 2010, 10:26 AM)
Actually, if you read that carefully, they said they will change the passwords and then share that password with the customer. If they live up to their word, once they change it and inform you the new password, just change it back to another password.
If TM needs access in future, let them call you and you can reset the password to a temp password, let them use it and then change the password again in future.
*
Oh :/

Well if that is the case, we will just have to see then hmm.gif

This post has been edited by Moogle Stiltzkin: Jun 3 2010, 10:37 AM
palmjack
post Jun 3 2010, 10:51 AM

Getting Started
**
Junior Member
84 posts

Joined: Feb 2005
QUOTE(flowerhorn @ Jun 3 2010, 09:09 AM)
Thx for sharing all this. Thanks for all the effort! notworthy.gif
*
Appreciate it too Riz. Very helpful, thanks.
silverhawk
post Jun 3 2010, 11:15 AM

I'm Positively Lustrous
Group Icon
Elite
4,088 posts

Joined: Jan 2003


Actually if they wanted to create a unique password, it would be easy cause they already have the customer information, and could do easy substitution to create a pretty strong password which tmnet can easily use to access cause they have your personal information which other people do not have.

This would have pretty much avoided the issue. Although I still do not like the idea of tmnet being able to remotely access my router.
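+Newbie+ above describes the workable arrangement (the customer holds the password; TM gets a temporary one for a support call and it is changed afterwards), and silverhawk's post is about how an operator would provision a unique password per customer. The following is an added example (not code from this thread, TM or D-Link) of a provisioning store that does both: each router gets its own password from the OS CSPRNG, with nothing about the customer mixed in, and a support session issues a separate short-lived password that expires on its own. The in-memory store, the alphabet, the serial numbers and the session length are assumptions for illustration.

```python
"""Per-router management credentials: a unique CSPRNG password per device
plus a short-lived password for one support session.

Added example, not code from this thread, TM or D-Link. The in-memory
store, the alphabet, the serial numbers and the session length are
assumptions for illustration."""
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
PASSWORD_LEN = 16


def generate_password(length: int = PASSWORD_LEN) -> str:
    """Drawn from the OS CSPRNG; nothing about the customer goes into it,
    so knowing who owns the line gives no head start on the password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _equal(a: str, b: str) -> bool:
    # Constant-time compare on bytes; the alphabet is ASCII but user input need not be.
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class CredentialStore:
    """One record per router serial.

    'permanent' is the customer's management password.
    'support' is (temporary password, expiry time) or None; it exists only
    while a troubleshooting session is open and is dropped afterwards.
    The store holds plaintext only because the NOC must log in with it;
    it must sit behind the operator's own access control and audit trail.
    """

    def __init__(self, clock=time.time):
        self._records = {}
        self._clock = clock  # injectable so expiry can be tested offline

    def provision(self, serial: str) -> str:
        password = generate_password()
        # Belt-and-braces: a collision is astronomically unlikely, but a
        # fleet must never end up with two devices sharing a credential.
        while any(_equal(password, r["permanent"]) for r in self._records.values()):
            password = generate_password()
        self._records[serial] = {"permanent": password, "support": None}
        return password

    def set_permanent(self, serial: str, new_password: str) -> None:
        """Customer changes the password to one the operator never saw."""
        self._records[serial]["permanent"] = new_password

    def open_support_session(self, serial: str, ttl_seconds: int = 3600) -> str:
        temp = generate_password()
        self._records[serial]["support"] = (temp, self._clock() + ttl_seconds)
        return temp

    def close_support_session(self, serial: str) -> None:
        self._records[serial]["support"] = None

    def authenticate(self, serial: str, password: str) -> bool:
        rec = self._records.get(serial)
        if rec is None:
            return False
        if _equal(password, rec["permanent"]):
            return True
        if rec["support"] is not None:
            temp, expires = rec["support"]
            if self._clock() < expires and _equal(password, temp):
                return True
        return False

    def all_unique(self) -> bool:
        passwords = [r["permanent"] for r in self._records.values()]
        return len(passwords) == len(set(passwords))


if __name__ == "__main__":
    store = CredentialStore()
    first = store.provision("RG-SN-0001")   # constructed serial
    temp = store.open_support_session("RG-SN-0001", ttl_seconds=900)
    print("customer password works:", store.authenticate("RG-SN-0001", first))
    print("support password works:", store.authenticate("RG-SN-0001", temp))
    store.close_support_session("RG-SN-0001")
    print("support password after close:", store.authenticate("RG-SN-0001", temp))
```

The point of the expiry and of `close_support_session` is that the operator's access is bounded to the call that needed it; the customer can also replace the permanent password with `set_permanent` at any time, which is exactly the "change it back to another password" step +Newbie+ suggests.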




unker
post Jun 3 2010, 12:57 PM

New Member
*
Newbie
4 posts

Joined: Jun 2007
Dear Riz,
Again, thanks for all that you're doing. M'sia is such a screwed up place, full of rhetorics like the bullshit 1MalangSial and now TM Nut is screwing us conned-sumers. Lucky for us, we have you to make this country a much better place. notworthy.gif cheers.gif rclxms.gif

What you've suggested to me sounds complicated. I'll need to check with TM and get them to come over. Then, work with them on changing the accessibility and password.

Have a great day ahead!!!
ciohbu
post Jun 3 2010, 01:14 PM

Group: Senior Member
*******
Senior Member
2,104 posts

Joined: Oct 2006
QUOTE(unker @ Jun 3 2010, 12:57 PM)
Dear Riz,
Again, thanks for all that you're doing. M'sia is such a screwed up place, full of rhetorics like the bullshit 1MalangSial and now TM Nut is screwing us conned-sumers. Lucky for us, we have you to make this country a much better place.  notworthy.gif  cheers.gif  rclxms.gif

What you've suggested to me sounds complicated. I'll need to check with TM and get them to come over. Then, work with them on changing the accessibility and password.

Have a great day ahead!!!
*
TMnut has been screwing us since the dial-up and Streamyx era.. lolzz
squall0833
post Jun 3 2010, 01:28 PM

Regular
******
Senior Member
1,418 posts

Joined: Oct 2006
From: Jupiter


wah, the star posted this news some more,

riz, you've done really well biggrin.gif


They said a hacker is unlikely to succeed in hacking a user because he doesn't know the target's IP address,

ok la, dynamic IP always changes IP, but checking a user's current IP isn't hard, even we can do it, but it's only valid while that user still stays connected with the same IP,

How about Unifi for business? Static IP address; once the hacker knows the IP address, business Unifi users are always at risk, as long as the remote management still remains open hmm.gif

This post has been edited by squall0833: Jun 3 2010, 01:40 PM