<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Real-time AntiSpam protection, automated and self-managed content filtering &#187; Trivial FTP</title>
	<atom:link href="http://veriat.com/tag/trivial-ftp/feed" rel="self" type="application/rss+xml" />
	<link>http://veriat.com</link>
	<description></description>
	<lastBuildDate>Thu, 27 May 2010 23:10:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Hack of Alcatel Speed Touch Modems Exposes Users to Unauthorized Tampering, Network Obstruction</title>
		<link>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html</link>
		<comments>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 14:40:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[ADSL]]></category>
		<category><![CDATA[Asymmetric Digital Subscriber]]></category>
		<category><![CDATA[DSL Access Multiplexor]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[Network Obstruction]]></category>
		<category><![CDATA[Trivial FTP]]></category>
		<category><![CDATA[UDF packets]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=251</guid>
		<description><![CDATA[Trivial FTP a Serious Concern for ADSL Customers
Tsutomu Shimomura, a security expert at the San Diego Supercomputing Center (best known for tracking down hacker Kevin Mitnick in 1995), has uncovered several security vulnerabilities in the Alcatel Speed Touch line of ADSL &#8220;modems.&#8221; Flaws in this popular Asymmetric Digital Subscriber Line router/bridge could allow an attacker [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Trivial FTP a Serious Concern for ADSL Customers</strong></p>
<p>Tsutomu Shimomura, a security expert at the San Diego Supercomputing Center (best known for tracking down hacker Kevin Mitnick in 1995), has uncovered several security vulnerabilities in the Alcatel Speed Touch line of ADSL &#8220;modems.&#8221; Flaws in this popular Asymmetric Digital Subscriber Line router/bridge could allow an attacker to reconfigure or disable the device, and even upload code that would spy on outgoing and incoming network traffic.<span id="more-251"></span></p>
<p>The SDSC report identified three primary areas of concern with the Alcatel Speed Touch ADSL modem: unauthenticated Trivial File Transfer Protocol (TFTP) access, weak password protection, and no validation of downloaded firmware.</p>
<p><strong>Taking a Bad Bounce</strong></p>
<p>Exploiting these vulnerabilities requires either access to the physical copper wire attached to the Speed Touch (via a DSLAM, or DSL Access Multiplexor), or to its LAN (local area network) or WAN (wide area network) interfaces. In the latter two cases, a proven strategy is to &#8220;bounce&#8221; UDP packets (the datagram format used by streaming audio and video) off an active server on the WAN/LAN side of the network, and fool the modem into believing the data was delivered internally. Once the source of the data has been thus &#8220;spoofed,&#8221; the sender can gain access to the modem via TFTP.</p>
<p>TFTP is a subset of the File Transfer Protocol (FTP) used to upload and download files over the Internet. TFTP has no directory or password capability. It is used in the Speed Touch to allow a DSL service provider with DSLAM access to update the user&#8217;s firmware and make configuration changes to the modem. However, in this case it also creates an unobstructed &#8220;back door&#8221; to the device.</p>
<p><strong>Who Goes There?</strong></p>
<p>Perhaps the biggest security problem with all password-protected systems occurs when the password is not set. This is true of the Alcatel Speed Touch, which, according to the SDSC, is shipped with only a &#8220;null&#8221; password enabled. It&#8217;s up to the user or service provider to set the password when the modem is configured.</p>
<p>However, even when this password is set, the modem contains a second administrative account that can be accessed via Telnet, HTTP, and FTP, provided that a connection can first be established using TFTP (as described above). This administrative account, called EXPERT, relies on a standard challenge-response mechanism. Unfortunately, the SDSC considers the underlying algorithm insufficiently strong and the password itself &#8220;easily reversible.&#8221; Setting the user password separately does not affect the security (or lack of it) of the EXPERT account.</p>
<p><strong>Show Me an ID</strong></p>
<p>Even if a malicious person were to gain access to a Speed Touch modem, further damage could be limited by requiring that a known digital signature key be presented before allowing a change in the firmware. Alcatel does not do this either. The company contends that the packet bounce strategy that makes these exploits possible is a &#8220;security problem in all data communication networks&#8221;, and should be &#8220;solved by means of a firewall.&#8221;</p>
<p>The CERT Coordination Center at Carnegie Mellon University concurs to an extent, suggesting that you can prevent a TFTP UDP bounce attack by setting up a firewall to filter packets with spoofed source addresses, packets with a source address of 255.255.255.255, and packets with a destination port of ECHO. They also strongly recommend that Alcatel product owners check their devices to make sure the password has been reset from its null default setting.</p>
<p><strong>No Chicken Little (Yet)</strong></p>
<p>Considering the expertise required to execute such a hack, the home user is an unlikely target. More typical would be businesses and institutions with valuable network traffic at risk. As Tom Perrine, who with Shimomura authored the SDSC article, told the San Diego Union Tribune, it would take a &#8220;savvy&#8221; hacker, well versed in both network operations and the inner workings of the Speed Touch modem to cause any serious damage. &#8220;The sky isn&#8217;t falling,&#8221; he said. The vulnerabilities of Alcatel devices remain, for the time being, hypothetical ones.</p>
<p>And all these documented flaws notwithstanding, Alcatel does have a point when it insists that like analog modems, telephones, and fax machines, these devices provide &#8220;connectivity not security,&#8221; and that &#8220;private and LAN security is in the responsibility of the user.&#8221; In this ever more wired world, that&#8217;s what it always comes down to, you can count on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/hack-of-alcatel-speed-touch-modems-exposes-users-to-unauthorized-tampering-network-obstruction.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

