Unifi WARNING TO ALL UNIFI USERS, Threat warning, read inside

rizvanrp (TS)
post May 29 2010, 06:59 AM

Getting Started
Elite
195 posts
Joined: Sep 2006


You know, the first day I got Unifi, I asked you guys (TMnet) if I would be able to use my own router. Well you said no. When I discovered the SSH daemon running on the router (which used a different password than the web user interface), you said you couldn't disclose the password. An hour ago, I discovered that password and the reason why you won't give it out.

TM, you basically planted a bloody backdoor in everyone's DIR-615 router.


What is this? What are all these hidden options in this special account you neglected to tell us about? You mean to say I could have used my own router all along? You mean people spent >RM1000 on Cisco grade equipment just because you didn't want to tell them about this?


You mean in a sample group of 900 nodes, 600 of them who think their networks are 'secure' are actually completely open? Even those companies on Unifibiz which use the same router? WOW..

That's right guys, TM named the "administrator" account on the DIR-615 as "admin" when there was actually a secondary administrator account with a higher access level. The VLAN settings were never locked out, that account which we all assumed was the admin (because they told us so) was actually a noob piece of shit with <60% access to the router. This account has the same user/pass across every Unifi router that has been given out so far and cannot be changed or even seen with the default 'admin' account.

----

What's the fix?


Untick remote management. If you have a firewall on it, block all the ports (TCP 22/23/80/8080/443) from WAN access.


UPDATE: If you're a Unifi user on firmware 7.05 and you read everything in the management page, you can find the username for this account. The pass is the same; once you get access, log in and reconfigure your router security properly. I can't believe not a single technician set this account up properly.

----

FAQ

Some less tech-savvy people have asked me what this all means.. so here goes -

Q: What is this and how is this possible?
A: Every consumer router has a username/password combination to access it. This is a basic security feature to ensure that only you (the owner) can access it. This Unifi router, however, has two accounts by default. When TM installed Unifi in your home/office, they only configured the first account. The second account, which has a higher level of access, was left configured with its default username/password. They also neglected to inform the customers (you) and their own technicians who did the install about this second account. As every Unifi user is 'forced' to use this router and this account has not been configured properly, every Unifi user is also vulnerable to having their router accessed by unauthorized users simply by using this default account user/password combination.

Q: So what if outsiders can access my router? What does this mean?
A: The Unifi router is not just a simple box that sits on your network. It can be considered to be a full computer system and has the capability to run any executable that's made for it. Since an outsider can access your router, he can also do the following:

- Turn your router into a proxy, if he commits any crimes online it will be traced back to you instead and you will take the fall for it
- Use your 10/20mbps Unifi account so he doesn't have to pay for his
- Use up your bandwidth quota (once quotas are implemented) as much as he wants and you will pay for it
- 'Spy' on your Internet connection and view every site you are visiting
- Forward all connections to your home PC using DMZ, making your home PC completely vulnerable to Internet attacks.. if you have an open NAS (network attached storage) on your home network, he will be able to access all your files

And the list goes on and on..

Q: So how can I fix this?!
A: Make sure remote management is disabled (as it is enabled by default). With this enabled, anybody with this default user/pass combination can access your home router and perform the attacks I mentioned above. This fix, however, doesn't prevent people on your own LAN network from accessing the router. If you are running an open Unifi hotspot (shop wifi, etc) and you are using the default DIR-615 router, the only fix is to access this second account and change the password.

I've uploaded a Router Security guide and VLAN bridging guide (to use your own hardware with Unifi) on my website @ http://unifi.athena.my

This post has been edited by rizvanrp: Jun 12 2010, 08:19 PM
rizvanrp (TS)
post May 29 2010, 01:48 PM

QUOTE(kons @ May 29 2010, 09:10 AM)
It's normal for UniFi or normal DSL broadband.
Those guys who installed the Riger modems at my new house last time also enabled remote management and locked out the admin mgmt account.
I have replaced them straight away.

As long as it's RJ45/RJ11, I guess it's always possible to use our own equipment.

It's bad in this case because the router runs BusyBox. You can sniff the traffic running on other people's home networks.. and since the router runs an SSH daemon (dropbear), you can use it to set up an open/closed SOCKS proxy on their routers and forward data through their connections. Not to mention these are high speed 5-20mbps links..

If I compromised all those nodes I would have 3Gbps of bandwidth at minimum to use as a botnet (assuming everyone is on 5mbps at the very least).
rizvanrp (TS)
post May 29 2010, 02:21 PM

@iipohbee

I don't think they would need to since they're the ISP.. they have logs on their side.

But honestly, this is a bad case of security through obscurity. You tell all your customers there's only 1 user/pass to access the router, you tell all your technicians who install for the customers the same thing (even those who are doing Unifibiz installs).. then it turns out there's a second user/pass combo and this user/pass has a higher access level.

At least I found this <2 months into the launch and people will be aware of this now. I actually just thought of leaving it be because it would be too much trouble to fix.. but I'm not the only guy who's decent with security/networking here and if this came out once Unifi's as popular as Streamyx .. good f-ing game sir.

I actually hate this more than when they were throttling BT. At least with a BT throttle my home network is still secure. Not to mention they had me running around like a dog trying to find a way to let people use their own routers when it was possible all along.

I honestly don't know what the hell was running through the minds of the people who set this up.
rizvanrp (TS)
post May 29 2010, 02:55 PM

CODE
BusyBox v1.00 (2009.12.23-07:29+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# ifconfig
br0       Link encap:Ethernet  HWaddr -hidden-
         inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:86488217 errors:0 dropped:0 overruns:0 frame:0
         TX packets:96746664 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:2358979520 (2.1 GiB)  TX bytes:2086808986 (1.9 GiB)

br2       Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:125967376 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:3015485720 (2.8 GiB)  TX bytes:0 (0.0 B)

eth2      Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
         RX packets:224355660 errors:0 dropped:0 overruns:0 frame:0
         TX packets:89240917 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:60425356 (57.6 MiB)  TX bytes:740660944 (706.3 MiB)
         Interrupt:3

eth2.11   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.12   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.13   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:736540 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:122513467 (116.8 MiB)

eth2.14   Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth2.500  Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:98379123 errors:0 dropped:0 overruns:0 frame:0
         TX packets:87031297 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:1981289064 (1.8 GiB)  TX bytes:359594081 (342.9 MiB)

eth2.600  Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:125976528 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:3528091028 (3.2 GiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:938 errors:0 dropped:0 overruns:0 frame:0
         TX packets:938 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:134414 (131.2 KiB)  TX bytes:134414 (131.2 KiB)


ra0       Link encap:Ethernet  HWaddr -hidden-
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:72228903 errors:0 dropped:0 overruns:0 frame:0
         TX packets:94474366 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:611831149 (583.4 MiB)  TX bytes:927019935 (884.0 MiB)
         Interrupt:4

#
# brctl show
bridge name     bridge id               STP enabled     interfaces
br2             8000.-hidden-       no              eth2.600
br0             8000.-hidden-       no              eth2.11
                                                       eth2.12
                                                       eth2.13
                                                       ra0
#

This is the shell from a Unifi user's router. Takes only 5 seconds to get this access. One interesting thing to note is they have 4 additional VLANs that are not in the UI or that I've seen being used before.. VLAN 11/12/13/14 on the WAN interface. Then for some reason, they've bridged three of these VLANs to the wireless interface on the router (MACs are -hidden- by myself). These VLANs are just broadcasting data.

QUOTE(Sting Ray @ May 29 2010, 10:07 AM)
hi rizvanrp, under the secondary administrator account is there any option to allow VPN passthrough? my wife's VPN connection problem is still not resolved and Unifi service centre didn't respond to my emails at all.

Nope, but using this account you can use whatever router you want with Unifi by using the DIR-615 as a VLAN bridge.

Another interesting thing:

TR-069 protocol is enabled by default and hidden from the 'admin' account. Connects to a remote server and sets up a listener on your own router. Don't know what the implications of this are.. yet.

Anyway time to sleep, so bloody exhausted

This post has been edited by rizvanrp: May 29 2010, 03:04 PM
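The bridge and interface layout shown above can be checked mechanically from the router's own `brctl show` and `ifconfig` text. The audit below is an added example, not code from the post or from TM/D-Link: it parses both outputs in the format printed above (the embedded samples are constructed to match it, with the hidden MACs and bridge ids zeroed) and reports WAN VLAN subinterfaces bridged into the same layer-2 domain as the wireless interface, interfaces left in promiscuous mode, and trunk VLAN tags outside an expected set. The names eth2 and ra0 and the expected tags 500/600 are assumptions, not facts stated in the post.

```python
# Constructed sample in the layout of the post's `brctl show` output
# (bridge ids zeroed; the real output shows them as -hidden-).
SAMPLE_BRCTL = """\
bridge name     bridge id               STP enabled     interfaces
br2             8000.000000000000       no              eth2.600
br0             8000.000000000000       no              eth2.11
                                                        eth2.12
                                                        eth2.13
                                                        ra0
"""

# Constructed sample: trimmed `ifconfig` output, one flags row per interface.
SAMPLE_IFCONFIG = """\
eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

eth2.11   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2.13   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2.500  Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2.600  Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ra0       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def parse_brctl(text):
    """Map bridge -> members; continuation rows (leading space) extend the previous bridge."""
    bridges = {}
    current = None
    for line in text.splitlines()[1:]:  # first line is the column header
        if not line.strip():
            continue
        parts = line.split()
        if not line[0].isspace():  # bridge row: name, id, stp, [iface]
            current = parts[0]
            bridges[current] = parts[3:4]
        elif current is not None:  # continuation row: iface only
            bridges[current].append(parts[0])
    return bridges


def parse_ifconfig_flags(text):
    """Map interface name -> set of link flags (UP, PROMISC, ...)."""
    flags = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None  # blank line ends the interface block
        elif not line[0].isspace():  # interface header row
            current = line.split()[0]
            flags[current] = set()
        elif current and "MTU:" in line:  # flags row ends at "MTU:"
            flags[current] = set(line.split("MTU:")[0].split())
    return flags


def vlan_id(iface, wan_parent):
    """Return the 802.1Q tag of a `<wan_parent>.<tag>` subinterface, else None."""
    prefix = wan_parent + "."
    if iface.startswith(prefix) and iface[len(prefix):].isdigit():
        return int(iface[len(prefix):])
    return None


def audit(brctl_text, ifconfig_text, wan_parent="eth2",
          lan_ifaces=("ra0",), known_vlans=(500, 600)):
    """Return a list of findings. Assumed (not stated in the post): eth2 is
    the WAN trunk, ra0 the wireless side, and only tags 500/600 are expected."""
    findings = []
    bridges = parse_brctl(brctl_text)
    flags = parse_ifconfig_flags(ifconfig_text)
    # 1. WAN VLAN subinterfaces sharing a layer-2 domain with LAN/wireless.
    for br, members in bridges.items():
        wan = [m for m in members if vlan_id(m, wan_parent) is not None]
        lan = [m for m in members if m in lan_ifaces]
        if wan and lan:
            findings.append("%s bridges WAN VLAN(s) %s with %s"
                            % (br, ",".join(wan), ",".join(lan)))
    # 2. Any interface left in promiscuous mode.
    for iface in sorted(flags):
        if "PROMISC" in flags[iface]:
            findings.append("%s is in promiscuous mode" % iface)
    # 3. Trunk VLAN tags outside the expected set.
    unknown = sorted(v for v in (vlan_id(i, wan_parent) for i in flags)
                     if v is not None and v not in known_vlans)
    if unknown:
        findings.append("unexpected VLAN tag(s) on %s: %s"
                        % (wan_parent, ",".join(map(str, unknown))))
    return findings
```

Run `audit(open("brctl.txt").read(), open("ifconfig.txt").read())` on captures of the two commands from your own router; an empty list means none of the three conditions was seen.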
rizvanrp (TS)
post May 29 2010, 03:05 PM

QUOTE(skincladalien @ May 29 2010, 03:01 PM)
shit...now that you mention it, i managed to find that account in 5 minutes O.o

TM screwed up big time on this

Yeap.
rizvanrp (TS)
post May 29 2010, 08:25 PM

QUOTE(night_wolf_in @ May 29 2010, 05:18 PM)
I'm not sure if I should laugh or cry.

If you think they want to spy on YOU by creating a second management account, then it is a big fail for all you guys pretending to know how the internet works.

Your modem/router will be connected to a layer two switch, or let's say connected to a port. They can use "SPAN" to see all the traffic you are sending and receiving.

But again, doing that to every individual will be really tiring. Easier is, run "SPAN" on the uplink that is connecting the layer two switch to the distribution switch, and bam, they can get all i/o traffic from the whole switch.

WAIT.

They can add high end firewalls at the uplinks to every area (logical or geographical) or just again SPAN the traffic to the firewalls. AND they practically SEE every traffic you are sending.

Conclusion is: don't cry a river over a second account your ISP put in. If they did, it is to make your experience better. But if you think you can outsmart them, please do.

How I know: I'm a CCNP and working under routing/switching and security for some enterprise.

Added on May 29, 2010, 5:19 pm

No, they use packet shaping devices for that.

Oh no, CCNPs and their logic ._.

Never once did I claim this was for TM to 'spy' on you, I said it's a hole for outsiders to spy on you or mess with you. I stated that TM doesn't need to spy on you when they control the network.

The problem is because there's this secondary account, other people can log into your router and enable the SSHd for busybox. As a CCNP, you should already be aware of the implications of SSHd running on your Internet gateway with full root access to the outside world?

SSHd comes with a few functions, you have SCP/SFTP (which is disabled on this dropbear build) and most importantly.. it has the ability to do SOCKS forwarding. I've already tested this and it works, in other words, I was able to turn every Unifi router into an open SOCKS proxy. Imagine what I could do, credit card fraud, ICMP-based DDoS attacks.. etc., this doesn't concern you as a CCNP?

The router also has about 10MB of free ram and a filesystem loaded to utilize it, what if I compile a special binary for busybox then pull it into the router using tftp or ftpget? This binary could be a traffic sniffer, dynamic IP notifier and so on, what then? The main router that's handling all your Unifi traffic has a traffic sniffer attached to it but you still feel your network is secure?

Did you know every Unifibiz (with static PPPoE addressing) has this enabled by default? That anyone can access the router and do all this shit?

So please, I get that you're a CCNP and you could build your own Internet if you wanted but you and I both know that leaving an embedded Linux based router with SSHd wide open to the internet while it's routing all your Internet traffic is a bloody bad idea and it's highly exploitable. I wouldn't write a thread like this unless I've already done the attacks and understood the implications. I'm glad you know how to set up networking hardware and advanced routing protocols but when it comes to security you seem to be completely 'blur'.

QUOTE
so if someone who is very smart, go play with the settings, then internet doesn't work.

You really think that BusyBox can only 'play with the settings' and cut you off the net? Lol, you need to get off IOS and into embedded Linux. It's stupid assumptions like this which created this mess in the first place. You have a VLAN capable router here with a full embedded Linux distro running on it and you assume all it runs is a PPP daemon. Bloody laughable.

There's no way such a cheap device could have a webserver with a PHP interpreter huh?

Maybe you should work on that CEH soon

This post has been edited by rizvanrp: May 29 2010, 08:40 PM
rizvanrp (TS)
post May 29 2010, 09:11 PM

@night_wolf_in

Glad you've changed your stance from 'this is not significant' to 'this is not secure'. I guess you finally see what root access on this router allows an attacker to do so I'm happy for you

I am fully aware that nothing is secure, the fix I gave is only to temporarily secure their routers from outside attacks on the WAN. The LAN can still access the SSH daemon by default, it cannot be turned off.

Having this extra security will already prevent a multitude of attacks people can perform. The only way to completely remove this is to access that secondary account and change the password, set up iptables or disable that account completely @ the /etc/passwd level.

QUOTE
Believe me. if someone wants to use that box you have for hacking. they would have done it long time ago.

Unfortunately, I was the first person to discover it so this doesn't really apply. But if you're just talking about hacking for router boxes, google DD-WRT. There's already a huge community set up. These attacks start now and it's better I disclose the vulnerability than let their user base grow to the point it cannot be stopped. At least if their techs are reading this, they will disable the feature in their future installs and possibly change their policy to let the user utilize the main admin account or upgrade their firmware to completely remove this account.

This shit has to stop now, they can't keep treating their users like morons.

It's not a problem if the user ever forgets the password because these systems run on FLASH memory with the bootloader being in ROM. They can just hit a reset button and everything is fixed (including the NVRAM parameters). There's no reason not to trust the user with this account. In fact, giving them access to this account will allow them to use the DIR-615 as a VLAN - physical port bridge and completely remove this exploit.

I went to a Unifibiz setup once and the company (a very large one) was forced to use the DIR-615 for routing because the latest ZyWall did not support PPPoE over VLAN interfaces. I'm pretty sure the sysadmin changed the 'admin' password and left remote management open because it lets him remotely diagnose problems with the router instead of having to stand in the server room all day. I don't think he's aware of this secondary account which bypasses that completely.

So yeah

This post has been edited by rizvanrp: May 29 2010, 09:13 PM
rizvanrp (TS)
post May 29 2010, 09:20 PM

Sorry I forgot to add this in, Unifi's main VLAN has no caps on it. Every user is capped at the account level only. This means if a 5mbps user breaks into a 20mbps user's router and takes his user/pass, he will get 20mbps at home. Nice job TM

Since you're going to be implementing an account cap, I can't imagine what people would do to get past it

This post has been edited by rizvanrp: May 29 2010, 09:25 PM
rizvanrp (TS)
post May 29 2010, 10:22 PM

QUOTE(VengenZ @ May 29 2010, 10:17 PM)
So, if they cud only change the router settings, they can't spy our porns?

It's different from router to router. In this case, the remote management lets you enable the SSH server. The SSH server gives you full control over the router, more than what's in the web UI. And since there's a secondary account to access the remote management, there's really no security at all lol
rizvanrp (TS)
post May 30 2010, 01:00 AM

QUOTE(andrew9292 @ May 30 2010, 12:29 AM)
Probably why they put that up ;p

Okay, good job for TS as he found out this major security risk considering the number of IT grads and professionals these days are out there...
But posting this here is actually publicity to this loophole.

Only those who came to LYN would find out about this and if they are tech savvy enough, they will know how to get around it to minimize the exposure risk as much as possible.

But again, if someone with unholy intention stumbles upon this, it could mean disaster for those unaware and incapable to prevent it...

I would like to ask TS, now that you have found out and posted it to public, what is your next step? Will you report to relevant authorities?
Otherwise the purpose of this thread will be:

1. Publicize a major loophole in UniFi
2. Giving knowledgeable users the chance to avoid the risk, a really small amount of people in LYN.
3. Exposing a massive amount of UniFi-ers to exploits...

So, just be aware of that. I'm no IT expert with any qualification btw. TS, u're doing the right thing, salute! but there is still a loophole in what you are doing haha

I spent some time thinking about it. There were a lot of things I took into consideration..

In the end I feel as though it's my duty to notify the community about these things. It's not my job to fix it, it's TM's job. If they had planned this through and allowed for open access to their hardware in the first place, we wouldn't be in this mess. Why even bother putting the PPPoE server on VLAN 500? Why didn't they just not use any tagging in the first place? It wouldn't make a difference to them but it would give their customers tons of new options and better security. It's because they chose to follow this closed method that all these flaws are starting to come out. If I'm not mistaken, I even mentioned on LYN in the first week I got Unifi that there's a telnet daemon on the set top box and an SSH daemon on the DIR-615.. and it would only be a matter of time till someone found the keys.

It took me less than 2 months to completely break the system (from the users end). Sure, I have a lot of experience in this field but I'm just a final year network security student and I did this in my free time because I was trying to help people @ LYN. 2 months in however, all these flaws in their system start to get noticed. You hand this system to a professional blackhat hacker and the entire network is going to go down in a week or so.

I know sending a message to LYN isn't exactly sending a message to every Unifi user in Malaysia, there are tons of users (even TM staff) which have their routers exposed at the moment. Eventually however, the word is going to get out. They will either patch their firmware 7.05 and fix it or notify their technicians to not enable these particular features during installs. The best case scenario I can hope for is that they start doing installs with this secondary admin account so people have full control over the hardware and service they're dishing out RM200+ a month for.

And you know, even though this 'fix' blocks WAN access.. I believe the SSH daemon is still running on the LAN subnet. It cannot be turned off without using the secondary admin account and logging into the SSH server using PuTTY or something. Those people who are running Unifi hotspots (aka kopitiam shops) are still vulnerable.

I know some of you are going to hate me with the typical 'why did you let others know' mentality.. but let's be honest here, just because I don't tell you something it doesn't magically make it non-existent okay? I'm not going to release the account details yet and I'm hoping those of you who have also found this account won't either.. and I know that's not a perfect solution but it's better than closing both your eyes and pretending there is no problem with the system.
rizvanrp (TS)
post May 30 2010, 08:13 PM

I already updated the first page with a FAQ for all those "CCNP"s who are somehow still unaware of the capabilities of embedded systems in the year 2010.
rizvanrp (TS)
post May 31 2010, 12:43 PM

Resetting doesn't work, this exploit relies on the fact that this account uses the default user/pass combo. Resetting it just resets it back to the same user/pass, remote management will be disabled however. But there's really no point anyway, the SSH daemon is still accessible via LAN.. can't stop it at all from the GUI even with this second account.
rizvanrp (TS)
post May 31 2010, 01:12 PM

QUOTE(cshong @ May 31 2010, 01:09 PM)
Even though I am not a UNIFI user, according to the manual of the DIR-615 downloaded from the D-Link website, the default user name is 'Admin' and the default password is to leave the password field empty, meaning no password.

Has anyone tried resetting the DIR-615 and trying to log in with user name 'Admin' and an empty password?

admin and an empty pass works on some Unifi routers with older firmware <7.05. The newer one is admin and (removed by wkkay) as the pass.

This post has been edited by wKkaY: Jun 1 2010, 04:28 PM
rizvanrp (TS)
post May 31 2010, 02:02 PM

It's part of the Unifi installation process to enable remote management for some reason. It's disabled in a fresh reset but the technicians will enable it. Don't ask me why :S

The SSH server is always running. Even when you do a reset, it's still running. The box in the secondary account for SSH access will be unticked, which only means the WAN (others on the internet) cannot access the SSH daemon. Other people on your LAN (192.168.0.0/24) will be able to access it fine when it's not 'enabled' in the web user interface. That's why I say it's still a risk to people running open Unifi hotspots at shops.
rizvanrp (TS)
post Jun 2 2010, 01:16 PM

QUOTE(faud @ Jun 1 2010, 07:18 PM)
u all who read this must understand what "ISP" stands for. As an Internet Service Provider, all they can do is to give internet access to customer. n they manage to give it. the problem is about that modem. the D-link modem. they should be blame bcause they set the default settings. i think TM have no rights to change the default setting except the one that has to do with internet access.

about the question on can people change the modem..... i think they can't.... bcoz it has something to do with the main equipment at TM office n MAC address of the modem (my friend at TM told me). so if u n ur neighbour both subscribe unifi, their modem can't be exchanged even though they have the same modem brand....

try to google about the d-link modem to find more answers

I've already broken their IPTV, VLAN tagging, bandwidth limits and now this stupid router account. Did all my own research using Linux, wireshark and a 10mbps ISDN hub from 10 years ago.

PPPoE can use MAC authentication but it's not set on Unifi or streamyx at the moment. Even if they did use MAC authentication, most routers have MAC address cloning/spoofing features even on their stock firmware. TM seems to not know the capabilities of their own equipment at the moment.

I didn't get this information from a friend of a friend who works at TM or anything, I just observed the protocols, system configuration and made my own assumptions (which 95%+ of the time turned out to be correct).

Anyway, just uploaded some material regarding Unifi on my own site @ http://unifi.athena.my/ or http://athena.my/unifi . Should be sufficient to get you running on your own router hardware using the DIR-615 as a VLAN bridge (which they still claim is impossible).

@ihsan

Having the SSHd enabled alone allows them to turn every router into a proxy using SSH tunneling. It's not necessary to have SSH at all since the web interface provides all the necessary tools.. and there are TTL connectors on the DIR-615 board which allow for serial connections. Hiding the account made us crack our heads for months wondering what would be a good VLAN switch to use as a bridge when the DIR-615 could be used all along.. something they denied was possible. I'm sure newbies won't mind letting TM's support staff access their router to help them troubleshoot the situation but advanced users and corporations may not feel comfortable with that sort of thing. Even if this was the case, TM wouldn't be able to access the router remotely if the HSBB line was having connection issues.

I'm already getting tons of PMs from non-Unifi users regarding how to do this while pretending to be Unifi users, it's like they can taste the premium HSBB bandwidth or something.

---

I'm also just scratching the surface of this exploit here, the GPON routers (Fiberhome) are also not configured properly and open to outsider access but thankfully they operate at a much lower layer.

This post has been edited by rizvanrp: Jun 2 2010, 02:59 PM
rizvanrp (TS)
post Jun 2 2010, 05:36 PM

@ihsan

I completely agree that they botched the access control for the router.

Regarding policy, I'm not really contending the fact that they can decide if they want to have access to their own hardware. After all, none of us actually bought the DIR-615 from them. I just wish that they would have a less restrictive and more open policy when it comes to the hardware. If they had informed us about this second account, not only would we have been able to avoid this whole security fiasco.. we would have been able to use our own routers with their system for internet access from the very beginning.

I think they should have remote access up to the Fiberhome unit but beyond that it's really up to the users what hardware they want to use. There's no hardware policy on Streamyx, there shouldn't be one on Unifi either. I don't really want them telling me what router I can or cannot use with Unifi and judging by the response I've received from other users on LYN, I think they feel the same way. When it comes to securing my network, I've never trusted TM from day one.
rizvanrp (TS)
post Jun 2 2010, 06:43 PM

QUOTE(Neptern @ Jun 2 2010, 06:38 PM)
I'm curious what kind of lame ass response will tmnut give

TMnet cable fault.. in your router.
rizvanrp (TS)
post Jun 2 2010, 08:10 PM

QUOTE(MX510 @ Jun 2 2010, 08:05 PM)
Actually they also did this on their corporate customers, it's just ur router username n password. Nobody can install anything into it. Even default username n password for Streamyx are also unsecured if u set the modem to dial and store ur password in there

MX there's a difference between their Riger DSL modem which is pretty crappy and only has a web UI compared to a custom made DLINK DIR-615 with full SSH access.. full SSH access you can SSH tunnel.. you can view the conntrack table.. you can modify the iptables and DNS servers to redirect users to phishing sites..
rizvanrp (TS)
post Jun 2 2010, 08:17 PM

MX will understand
rizvanrp (TS)
post Jun 3 2010, 04:10 AM

Updated the Router Security guide on http://unifi.athena.my to disable TR-069
