Researcher Gergely Eberhardt with Hungarian security testing outfit SEARCH Laboratory has unearthed over fifty vulnerabilities in five home gateway modems/routers used by Hungarian Cable TV operator UPC Magyarország, but also by many ISPs around the world.
The devices in question are Ubee EVW3226, Technicolor TC7200, Cisco EPC3925, Hitron CGNV4, and Compal CH7465LG-LC.
The security of some of them have been evaluated for mere hours, and others for 2 days or two weeks, but the “final” cross section of found vulnerability types is as follows (the “bomb” means that at least one vulnerability was found, and the “check mark” that the correct protection measure was applied).
As you might have noticed, three of the five tested devices used default SSIDs and passphrases for the user’s WiFi network, and they were generated from publicly known identifiers. And even without that knowledge, these passphrases can be brute-forced with lightning speed.
“Fixing the default SSID/passphrase calculation without doing a physical recall is probably not feasible (the default password is on a sticker on the side of the device),” Balázs Kiss, project manager and R&D engineer at SEARCH Laboratory, told Help Net Security.
“In fact, UPC has sent out advisory emails to customers to change the default passwords instead.”
The testing of the devices was started by the company independently, but after they notified UPC Magyarország and its mother company Liberty Global of some of the found vulnerabilities, it continued with their blessing and help (they provided samples of Compal CH7465LG-LC modems).
PoC scripts for the exploitation of some of the bugs have been provided through Eberhardt’s GitHub repository, some PoC code is also included in the separate advisories (1, 2, 3, 4, 5).