
Eircom - TCP port 7547 - Vulnerability

  • 30-01-2017 10:41pm
    #1
    Registered Users Posts: 80 ✭✭


    Hi,

    After a check of my network, the port 7547 is currently open, and we are not allowed to close it.

    This port is used for a remote control protocol, and could be targeted by Mirai Malware.

    More details : ISC Infosec Forum

    So currently, I could be found with Shodan (and probably a lot of your customers)

    Could you escalate this security issue ?

    Thanks in advance for your help,

    Kind regards,


Comments

  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    sqdz wrote: »
    Hi,

    After a check of my network, the port 7547 is currently open, and we are not allowed to close it.

    This port is used for a remote control protocol, and could be targeted by Mirai Malware.

    More details : ISC Infosec Forum

    So currently, I could be found with Shodan (and probably a lot of your customers)

    Could you escalate this security issue ?

    Thanks in advance for your help,

    Kind regards,

    Hi sqdz,


    Thanks for getting in touch. Can you advise what modem you are using?

    Thanks,
    Pamela 


  • Registered Users Posts: 80 ✭✭sqdz


    Hi Pamela,

    My modem : Eircom F1000

    And after a scan, it's the same thing for the model TR-609

    Kind regards,

    Sqdz'


  • Registered Users Posts: 80 ✭✭sqdz


    lag


  • Registered Users Posts: 80 ✭✭sqdz


    lag


  • Registered Users Posts: 80 ✭✭sqdz


    lag


  • Registered Users Posts: 1 Willbo


    Same Story here, port 7547 open!!!!

    SECURITY ISSUE!!


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    This has been previously addressed. The original FW should have been provisioned to listen to one range only so anything other than Eir's management gateway could connect but alas...

    Eir is to contact 130,000 of its broadband customers by email and letter to advise them to reset their modems because of a security concern.

    It follows the discovery that the customers' routers are vulnerable to infection by a form of computer virus, and that at least 2,000 have been breached.

    The supplier of the routers informed Eir of the vulnerability on 22 November.

    They've abandoned Zyxel now (finally). Call and request an F2000 (Huawei).


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    sqdz wrote: »
    Hi Pamela,

    My modem : Eircom F1000

    And after a scan, it's the same thing for the model TR-609

    Kind regards,

    Sqdz'

    I have queried this with the technical team, sqdz, and they have advised that the purpose of this port is to allow for firmware updates and remote access by technical support only when troubleshooting broadband issues. This is password protected to ensure maximum security.

    Thanks,
    Pamela 


  • Registered Users Posts: 80 ✭✭sqdz


    sqdz wrote: »
    Hi Pamela,

    My modem : Eircom F1000

    And after a scan, it's the same thing for the model TR-609

    Kind regards,

    Sqdz'
    I have queried this with the technical team, sqdz, and they have advised that the purpose of this port is to allow for firmware updates and remote access by technical support only when troubleshooting broadband issues. This is password protected to ensure maximum security.

    Thanks,
    Pamela 

    ED E: I'm a new customer (~ 5 months), I think I made a mistake and have the last model, eircom F2000

    @Pamela
    Closing the port is probably better than a "password protection".

    Why is this port open for Eircom, and not the other ISPs? How do they do it? What could you do to fix it?

    Article : 
    - The hacker news 
    - ARS Technica
    - IS Preview

    Quote IS Preview :
    The attack started by hitting Eir in Ireland and then Deutsche Telekom’s etc.



    So far none of BTSky Broadband or Virgin Media’s kit has been affected, although ISPs would be wise to pay attention to this threat and liaise with their partners in order to ensure that the firmware on their customer router(s) is not at risk


  • Closed Accounts Posts: 2,797 ✭✭✭Eir: Pamela


    sqdz wrote: »
    sqdz wrote: »
    Hi Pamela,

    My modem : Eircom F1000

    And after a scan, it's the same thing for the model TR-609

    Kind regards,

    Sqdz'
    I have queried this with the technical team, sqdz, and they have advised that the purpose of this port is to allow for firmware updates and remote access by technical support only when troubleshooting broadband issues. This is password protected to ensure maximum security.

    Thanks,
    Pamela 
    ED E : I'm a new customer (~ 5 months), I think it's a mistake and I have your last model eircom F2000


    @Pamela
    Sorry Pamela, it's not against you, but the company.

    Closing the port is probably better than a "password protection".

    Why is this port open for Eircom, and not the other ISPs? How do they do it? What could you do to fix it?

    Article : 
    - The hacker news 
    - ARS Technica
    - IS Preview

    Quote IS Preview :
    The attack started by hitting Eir in Ireland and then Deutsche Telekom’s etc.



    So far none of BTSky Broadband or Virgin Media’s kit has been affected, although ISPs would be wise to pay attention to this threat and liaise with their partners in order to ensure that the firmware on their customer router(s) is not at risk


    ---


    So you know this issue, but it's still there... Maybe it could be great to make a scan and help your customers ?


    If someone got this worm, Eircom will be responsible, not the customer..

    This port needs to be open to allow for remote access and updating firmware, sqdz. Our remote access system allows for us to log into a modem from the eir Admin network. The system basically creates a secure handshake (See: https://en.wikipedia.org/wiki/TR-069) with the modem and polls it for information. A unique one-time password (OTP) is generated for logging into a modem remotely. Whenever a new key is generated, the pre-existing one expires and becomes invalid. The only way to remotely log into the Huawei F2000 modem is by using our own technical support username and the OTP. It is not currently possible to log in as the default “admin” user from outside of the local network.

    You would have the option to use a third party modem should you be unhappy to continue to use an eir modem. We would be unable to provide support on this I'm afraid should you choose to use third party equipment.

    -Pamela 
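
An added example, not part of any post in this thread: the thread turns on whether port 7547 accepts connections only from the ISP's management network, so this sketch counts connection attempts to that port from sources outside an allowed range. The management range, the addresses and the netfilter-style log lines are constructed placeholders (RFC 5737 documentation blocks), not eir's real values.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder management range (RFC 5737 documentation block),
# not the ISP's real management addresses, which the thread does not give.
MGMT_RANGES = [ipaddress.ip_network("198.51.100.0/28")]
CWMP_PORT = 7547  # TR-069 connection-request port discussed in the thread

# Constructed sample lines in netfilter LOG style (not real traffic).
SAMPLE_LOG = """\
Jan 30 22:01:10 gw kernel: IN=ppp0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=7547 SYN
Jan 30 22:03:44 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51820 DPT=7547 SYN
Jan 30 22:03:45 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=51821 DPT=7547 SYN
Jan 30 22:05:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443 SYN
Jan 30 22:06:30 gw kernel: IN=ppp0 OUT= SRC=not-an-ip DST=192.0.2.10 PROTO=TCP SPT=1 DPT=7547 SYN
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def unexpected_cwmp_sources(log_text, allowed=MGMT_RANGES, port=CWMP_PORT):
    """Count TCP hits on `port` per source address outside `allowed`."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue  # not traffic to the management port
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            hits["<unparsable>"] += 1  # keep malformed lines visible
            continue
        if not any(src in net for net in allowed):
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in unexpected_cwmp_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} attempt(s) on port {CWMP_PORT} from outside the management range")
```

Any non-empty result means the port is being reached from addresses that a source-restricted listener would have refused.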

