The article mentions a leaked password hash from 2014, but as far as I know, there were at least 3 password (not hash!) leaks over the last 10 years.
Generally, I recommend people buy their own routers and never use the "Self Service" for managing passwords.
As for hostility of service providers - the situation isn't that good.
Some years ago, a white hat reported some data leak vulnerabilities in a medical "self service" portal.
Vulnerability: change your personal code/id (SSN for folks in US) to another person's number in the POST, and voila - you get the medical history of another person.
What happened is that the white hat got blamed for "hacking" that system.
Result: Vulnerabilities aren't getting reported.
Bad guys are exploiting them left and right.
White hats don't bother disclosing them.
I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.
I can tell you from experience, the only way to reliably get a vulnerability fixed is to publish on Twitter.
Of course if you've got vulnerabilities in government sites and power plants, you may prefer to not disclose to Twitter to avoid harm to the public. Sitting on vulnerabilities in the absence of an alternative is a perfectly ethical and reasonable choice.
That's what full disclosure is for. Drop the vuln somewhere via Tor, maybe point someone there via some anonymous communiqué. Et voila, you made the world a safer and better place.
Imho sitting on vulnerabilities is immoral as long as anonymous full disclosure is possible.
Many different hops will log things like HTTP paths, which include GET information - or DB audit logging which can easily be traced with message IDs or timestamp comparisons. It's surprising how easy it is to trace issues, debug logging is often left on in Production systems.
I wouldn't take that risk.
I did it once, I've found probably 10 other issues with customers, partners and our own products that I won't be reporting since I have to go through that process every time with my employer.
There is no benefit to me for reporting it aside from an automated thank you message when they close a ticket.
I'd submit/advise anonymously but I usually discover this stuff in a way they can trace it back to me.
So instead, my data as well as my customers', colleagues' and good people's data remains accessible to the internet.
I'm sorry for that.
I did send a few reports from throwaway email accounts, but the issues did not get resolved.
I suspect there's another way to go about it - if you're a Telia customer - send them GDPR Article 33 request.
Tangentially related Swedish bork:
And they use dropbear to connect to the router to do changes from remote/customer service/online customer portal, if you're curious (you can see it in logs of the router, Inteno ones)
They allow login with BankID (Swedish authentication system using Personal Identity Number) or a Telia login, implying I don't need the admin password printed on the back of the router so it ought to use the same type of backdoor I'd expect support personnel has and the Lithuanian web site has.
Judging by the comments of both apps though, it seems it doesn't work at all... maybe they need to add more than 5 PHP workers.
And he's not wrong in the figurative way, the labour laws are quite strict and the unions are in an impossibly strong standing in Sweden.
By disclosing the vulnerability, I'd be taking a risk of a criminal investigation. This is not a joke. This has already happened at least once in Lithuania.
I have a job, one that has nothing to do with infosec, but I'd be risking that job if I had an ongoing criminal investigation.
I know first hand that such big telcos are slow and bureaucratic. But they still need help and patience. They do after all have all the important government contracts.
If you log in to your account on their homepage you get this popup 1 time each day:
Where they utilize a dark pattern to make users check the boxes and have their customers' web traffic data monitored and analyzed for ad purposes. The only other option is "Svara senare" which translates to "Answer later". If you log in after 24 hours, the same popup will be shown until you tick those boxes.
This should be illegal.
I have steered many people away from them over the years. They would have to have at least a decade of good behaviour and a sun shining out of their ass before I would pick them.
Very interesting, can you please say more or point to somewhere? I couldn't parse if the last sentence was about you or Telia.
The carrier business is a lot more sane.
To contrast with your experience, I've never had issues with the support, private customers can get static IPs just fine, and my fiber connection and router has uptime measured in years.
Also compared to other local ISPs, the Telia global peering is unmatched. Latency is consistently lower and connections to exotic countries still achieve high bandwidth.
I've been a Telia client for over 20 years now at four different locations.
> And, yes, it turns out that Telia's client does not attempt to verify the remote server's [customer's router] public key
Using malicious SSH server to trigger server side RCE
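The quote above says Telia's management client did not verify the router's SSH host key, which is what lets a hostile endpoint stand in for the real router. As an added example (not code from the article, the thread, or Telia), here is the check that was missing, implemented as an offline known_hosts verifier: it parses plain and hashed (`|1|...`) OpenSSH known_hosts entries, pins the router's key, and refuses both unknown hosts and key mismatches instead of trusting whatever the server presents. The host address, the "router" key and the "attacker" key are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# --- constructed sample data (not real Telia/Inteno keys) -----------------
# Wire encoding of an ssh-ed25519 public key: string "ssh-ed25519" + 32 key bytes.
def _ed25519_blob(raw32: bytes) -> str:
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + len(raw32).to_bytes(4, "big") + raw32
    return base64.b64encode(blob).decode()

ROUTER_HOST = "192.0.2.10"                      # constructed customer-router address
ROUTER_KEY = _ed25519_blob(bytes(range(32)))    # the key we expect the router to present
ATTACKER_KEY = _ed25519_blob(bytes(range(32, 64)))  # key a malicious SSH server would present


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint (SHA256:<unpadded base64 of sha256(key blob))."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_entry(host: str, key_type: str, key_b64: str, salt: Optional[bytes] = None) -> str:
    """Build a known_hosts line in the hashed form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    pattern = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (pattern, key_type, key_b64)


def _host_matches(pattern: str, host: str) -> bool:
    if not pattern.startswith("|1|"):
        # Plain entries: comma-separated list of hostnames / IPs.
        return host in pattern.split(",")
    _, _, salt_b64, mac_b64 = pattern.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def verify_host_key(known_hosts: Iterable[str], host: str, key_type: str, key_b64: str) -> str:
    """
    Decide whether to trust the host key an SSH server presented.
      "ok"       - key is pinned for this host
      "mismatch" - host is known but presented a different key (treat as MITM / hostile endpoint)
      "unknown"  - no pinned key for this host (do NOT auto-add; that is what the client skipped)
    """
    seen_host = False
    for line in known_hosts:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        pattern, ktype, kblob = parts[0], parts[1], parts[2]
        if not _host_matches(pattern, host) or ktype != key_type:
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(kblob), base64.b64decode(key_b64)):
            return "ok"
    return "mismatch" if seen_host else "unknown"


def no_verification_policy(host: str, key_type: str, key_b64: str) -> str:
    """The behaviour the article attributes to Telia's client: accept any server key."""
    return "ok"


# Pinned store for the example: one plain entry and one hashed entry for the same router.
KNOWN_HOSTS = [
    "# constructed pin store",
    "%s ssh-ed25519 %s" % (ROUTER_HOST, ROUTER_KEY),
    hashed_entry("198.51.100.7", "ssh-ed25519", ROUTER_KEY, salt=b"\x01" * 20),
]


def demo() -> dict:
    """Run the three interesting cases and return the decisions."""
    return {
        "genuine_router": verify_host_key(KNOWN_HOSTS, ROUTER_HOST, "ssh-ed25519", ROUTER_KEY),
        "malicious_server": verify_host_key(KNOWN_HOSTS, ROUTER_HOST, "ssh-ed25519", ATTACKER_KEY),
        "hashed_entry_hit": verify_host_key(KNOWN_HOSTS, "198.51.100.7", "ssh-ed25519", ROUTER_KEY),
        "unpinned_host": verify_host_key(KNOWN_HOSTS, "203.0.113.9", "ssh-ed25519", ROUTER_KEY),
        "what_telia_client_did": no_verification_policy(ROUTER_HOST, "ssh-ed25519", ATTACKER_KEY),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print("%-22s -> %s" % (case, decision))
    print("router fingerprint:", fingerprint(ROUTER_KEY))
```

The operational consequence for a fleet like this: the management side must record each router's host key when it is provisioned (or derive it from something it already controls, such as a per-device certificate) and fail closed on "unknown" and "mismatch"; an "accept anything" policy like `no_verification_policy` turns every customer router into a place an attacker can put a server that talks back to the management client.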
> First, Telia did not have a PGP key and did not know how to use it, so instead they asked us to ZIP the report with password and send the password over a separate email (private GMail). I hope Telia's engineers will be reading this article, so I would like to explain why the report should be encrypted.
> Thank you for the information. We will continue to check whether you made your report legally without violating any law. And we will ensure that no fake information will be published that could do any harm to the company's reputation and to the critical part of Lithuanian network infrastructure.
> And finally, we found that the hash was cracked and was available in the old "weakpass" database
There also was a user called `tadmin`, but I wasn't able to figure out the password for that one.
Even if it's not a glaring security hole like this one, using the ISP's router makes it easier for them to monitor you and serve you ads using "DNS assistance"-type programs. And most of the time you pay them for it with an extra $5-$10 on your monthly bill!
> In order to exploit RCE we needed to build a virtual test environment that fully copies Telia's PHP client. Step by step we have gone through the sequence of Telia's commands sent over the SSH. And finally we got a malicious SSH server and a test libssh2 client running in our test lab. With this server we could fully control the protocol and start fuzzing.
> In the first few days of the fuzzing we got some crashes and partially confirmed that RCE may be exploited.
My first understanding of this:
- They eavesdropped on the "requests" (HTTP? Is there TCP tunneling involved?) using a malicious SSH server
- They replicated the HTTP (?) requests using some php code they wrote
- They then caused segfaults/infinite loops in their own PHP code
(Witness the task manager in that screenshot gif running on their own windows machine showing high cpu usage for a PHP process.)
This seems a bit away from an actual "Remote Code Execution on Telia Routers", unless I'm misunderstanding this fundamentally.
Perhaps their high-level thought process is like this?
1. The version numbers in the "php client", triggered by the change-your-wifi-password website, from a trusted IP (10.0.98.251) indicate that this client runs a version of libssh which allows for the password eavesdropping they did, and the php runtime, which is sometimes insecure.
2. Someone could perhaps use the fact that Telia is using PHP to hack their "remote management client" using a malicious ssh server at a customer endpoint.
This is a very poorly written vulnerability report.
Anyway, @dang - I think the title "RCE on Telia Routers" is pretty incorrect. Suggestion: "Possible Telia consumer router security issue".
SSH pubkey auth would have avoided the problem I guess. Not sure if it would have helped their attitude though.
Yes, I think you're right and it was difficult to understand. The thinking is that, as you can trigger Telia servers to connect to you, using software which appears past its expiration date, you may be able to exploit that software to root their command and control server. Do that and you own Telia's whole botnet of customers.
They say later models allow only pub keys but didn't go into more details. I would assume they all have the same keys in firmware if not shown otherwise.
Either way, the Telia CnC server would know all unique (if so) passwords or keys, so it may make little difference if exploited.
Ah, missed that.
Edit: Also: Why is all of the technical discussion on this topic at the bottom of the page?