FiOS router allows remote administration access

[hierophant]

From http://www.wilderssecurity.com/showt...12#post1617612

Quote:

Originally Posted by Searching_ _ _

... The FiOS router, which has a firewall built in, allows remote administration access to all computers on a network even if set to maximum level.
Blocking specific RA ports is the only way to prevent it, but the internet service is interrupted if you do. ...

That can't be good. Could you put a firewall between the FiOS router and your network? You could even give it an old machine to play with, just to keep it happy.

[Searching_ _ _]

That appears to be the only solution and is what FiOS tech support has suggested I do to prevent RA to my computers.
It must be designed that way for STB maintence I assume.

When the STB's are connected in the system, the firewall adds them as allowed under access control. They are connected on the coax wan side so I don't understand how they get LAN access.

[hierophant]

Quote:

Originally Posted by Searching_ _ _

That appears to be the only solution and is what FiOS tech support has suggested I do to prevent RA to my computers.
It must be designed that way for STB maintence I assume.

When the STB's are connected in the system, the firewall adds them as allowed under access control. They are connected on the coax wan side so I don't understand how they get LAN access.

Why does a broadband router need RA to your computer(s)? What software must you install to use FiOS?

Does (or can) FiOS store and/or cache video on your computer(s)? Or is this DRM to prevent that? Can you program the STBs from your computer(s)?

[Searching_ _ _]

Quote:

Originally Posted by hierophant

Why does a broadband router need RA to your computer(s)? What software must you install to use FiOS?

It is how they designed it. They want the ability to access your computer any time they want for purpose of their choosing. Spy or comply with LEO.

You don't have to install any software, but reading their TOS scares me and leads me to believe I agreed to allow them to do whatever they want with all connected to their service.
They give you a CD to help facilitate installation for the squeamish as well as provide some basic security tools. I did not install their CD.

Quote:

Originally Posted by hierophant

Does (or can) FiOS store and/or cache video on your computer(s)? Or is this DRM to prevent that?

Yes. This functionality is available but certain content, like Pay-Per-View, is restricted from being saved with their DRM.
They do provide the ability to watch on computer.

Quote:

Originally Posted by hierophant

Can you program the STBs from your computer(s)?

I can program the DVR remotely or from within the LAN, but think that feature is a negative benefit and a security risk.
The STB's are available to the WAN and the LAN simultaneously. Compromise the STB and ARP poising MITM is always possible as long as STB is connected.

[lotuseclat79]

It is a fallacy that without Remote Administration enabled, internet service is interupted!

After logging into my FiOS router for which I had requested a field laptop install instead of the standard method of booting up your Windows platform (my WinXP Pro SP2 stb'd in mid-June 2006 and I've been using Linux ever since), the Firewall>Remote Administration web page states: With Remote Administration, your network will be at risk from outside attacks.

The solution is to uncheck all the boxes on that web page which disables Remote Administration.

Since the default (ActionTec) router uses a Busybox Linux distribution setup with Verizon configuration and (modifications - I assume, rather than out of the box), Verizon also has never updated the firmware (even though Busybox has evolved) since I got FiOS service installed the day before Thanksgiving over a year ago. I assume that if you update to the latest Busybox firmware - you may be at risk because I do not know if you will inherit any Verizon modifications. There is a facility to save the router configuration, so, I assume one could attempt to replace the firmware given that it may be possible (I don't know for sure) to save the firemware or perhaps there is a link to the exact version of the firmware at Busybox (or Verizon), and then reset the configuration to what you want.

I posted a thread entitled: The word on Verizon FiOS and Linux here (which details using the information from the FiOS router documentation CD which Verizon provides the user upon installation) on how to stealth the ports and test from nmap-online.com your FiOS router. I also use a set of iptables/netfilter rules on my computer which by default drops all traffic that has not been requested. If you have nmap installed on your computer and run tests you will find that certain ports are open, but that test is only valid within your local network, whereas, the nmap-online.com test is valid as the test is run from the Internet which is where a real port scan would occur on your router's ip address that is assigned by DHCP anyway everytime you power up the router after powering down (given the computer has also been powered down and the lease on the ip address has been cleared).

BTW, there is no requirement to use Verizon's ActionTec router if you do not want to as they detail a procedure to replace it in the CD - I think the given example is a Linksys router.

-- Tom

P.S. I searched for STB in the Verizon CD and it does not appear. What does STB mean?

[hierophant]

Thank you for the great FiOS primer

Quote:

Originally Posted by lotuseclat79

P.S. I searched for STB in the Verizon CD and it does not appear. What does STB mean?

set top box

[lotuseclat79]

Hi hierophant,

I only have FiOS for Internet and phone service and not TV - so STB did not register. When FiOS is installed, Verizon uninstalls the existing copper wire to normal telephone service and it is necessary that to use any land line service after the FiOS install that the first hop is from your house over the FiOS to the Central Office to then hook up with the normal interface for the telephone exchange.

Note: The Verizon router, by default, has a lot of ports open for games, and since I am not a gamer did not address them in my link post at the other forum.

-- Tom

[Searching_ _ _]

I have found an Image installed on my router from the local LAN.
I didn't install one. It is a DD-WRT image, based on the file name.
I have replaced the corrupt router with a new router.

I had an undetermined MBR infection at the time the new image was uploaded.
I suspect, with the level of access the attacker had, may have corrupted the STB's as well. NMAP scans show some interesting tcp and udp ports.
http://www.wilderssecurity.com/showthread.php?t=263363

I have been playing with Wireshark in the hopes that I would learn something.
Running Wireshark while performing an NMAP basic scan triggered a lot of chatter on the network.

Code:

nmap 192.168.1.1-254

From STB > Computer
One packet "brutus > 54406".
Searching for brutus, it is a remote password cracker.
I changed my LAN address and ARP requests were looking for addresses one at a time.
Who has 192.168.1.15? Tell xx.xx.xx.xx
Who has 192.168.1.16? " "
Who has 192.168.1.17? " "
and so on.
Other interesting stuff:
appleqtmgr > 54406
sunclustermgr > 54406
windb > 54406
winfs > 54406
pcanywheredata > 54406
eyetv > 54406 a program to turn your Mac into a DVR
asterix > 54406 ,maybe a password recovery and data security tool, google
dnx > 54406 DNX is a modular extension of Nagios that offloads a significant portion of the work normally done by Nagios to a distributed network of remote hosts.
writesrv > 54406
amt-soap-http > 54406 Intel® AMT Open Source Drivers and Tools supporting local OS access to Intel hardware manageability features.
Packet size is 60 bytes are highlighted as both red, TCP RST; grey TCP SYN/FIN.

My fear is a compromised STB being used for a MITM or worse a switch outside the house between me and FiOS giving someone in the neighborhood access.

Can you remotely brick a switch?

[Searching_ _ _]

NMAP Online scan results

Nmap Options: -F -d -T5 -sSV xxx.xxx.xxx.xxx
Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5

Starting Nmap 4.75 ( http://nmap.org ) at 2010-02-06 07:31 Central Europe Standard Time
PORTS: Using top 100 ports found open (TCP:100, UDP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 250, min 50, max 300
max-scan-delay: TCP 5, UDP 1000
parallelism: min 0, max 0
max-retries: 2, host-timeout: 900000
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:31
Scanning xxx.xxx.xxx.xxx [2 ports]
Packet capture filter (device eth0): dst host 192.168.1.201 and (icmp or ((tcp or udp) and (src host xxx.xxx.xxx.xxx)))
Completed Ping Scan at 07:31, 1.86s elapsed (1 total hosts)
Overall sending rates: 2.15 packets / s, 73.16 bytes / s.
mass_rdns: Using DNS server 208.67.222.222
mass_rdns: Using DNS server 217.11.246.1
Read from H:\Home\Servant\ProgRaw\nos\nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN

.....

Nmap Options: -F -d -T5 -sUV xxx.xxx.xxx.xxx
Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5

Starting Nmap 4.75 ( http://nmap.org ) at 2010-02-06 08:34 St�edn� Evropa (b�n� �as)
PORTS: Using top 100 ports found open (TCP:0, UDP:100)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 250, min 50, max 300
max-scan-delay: TCP 5, UDP 1000
parallelism: min 0, max 0
max-retries: 2, host-timeout: 900000
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 08:34
Scanning xxx.xxx.xxx.xxx [2 ports]
Packet capture filter (device eth0): dst host 192.168.2.32 and (icmp or ((tcp or udp) and (src host xxx.xxx.xxx.xxx)))
Completed Ping Scan at 08:34, 2.08s elapsed (1 total hosts)
Overall sending rates: 1.92 packets / s, 65.29 bytes / s.
mass_rdns: Using DNS server 81.90.166.9
mass_rdns: Using DNS server 212.96.168.167
Read from C:\Util\nos\nmap: nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.47 seconds
Raw packets sent: 4 (136B) | Rcvd: 0 (0B)
Nmap done: 1 IP address (0 hosts up) scanned in 2.63 seconds
Raw packets sent: 4 (136B) | Rcvd: 0 (0B)

As far as I know, I use OpenDNS not CzechDNS.

[lotuseclat79]

Hi Searching_ _ _ ,

In my FiOS router, as I described in the link to my post entitled: The word on Verizon FiOS and Linux, I mention that there are several settings that need to be changed to override the default ISP DNS server settings. It appears that you have only one of two set to OpenDNS in your router. I would look for the other and reset to to the second OpenDNS server - i.e. I have both primary and secondary OpenDNS servers set to:
208.67.222.222 and
208.67.220.220

The mass_rdns: Using DNS server 217.11.246.1 is from the Czech Republic according to the Whois network tool lookup.

-- Tom

[Searching_ _ _]

@ lotuseclat79

I know of what you speak.

My Network>Home Network>Settings>Use the DNS Servers I specify
and
My Network>Wan Coax>Settings>Use the DNS Servers I specify

I have OpenDNS set at both locations since recieving the new router before it was ever connected to the internet. I had even begun its addition to the compromised router a few months ago when I discovered the second location.
Learning to access and use Busybox was fun and is how I discovered the router was compromised.

What is interesting is the uploaded image is from a specific time when I changed my LAN addresses to the area that is given to the STB's. STB's are usually given addresses starting in the 100's, 192.168.1.100. By giving the computers addresses in a similar range I thought I was camoflaging them, though I was deeply infected at that point and it didn't matter.

Here is the flash layout of the compromised router:

Flash layout:

Section 00 Type BOOT Range 0x00000000-0x0007FC00 MaxSize 0x0007FB6C
Size 0x00075E80 Name 'Downloaded at: Mon Jan 1 18:49:31 2007'
Checksum 0x00000000 Counter 0x000050A6 Start Offset 0x00000000

Section 01 Type LAYOUT Range 0x0007FC00-0x00080000 MaxSize 0x0000036C
Size 0x0000009C Name 'LAYOUT'
Checksum 0x00000000 Counter 0x00000002 Start Offset 0x00000000

Section 02 Type FACTORY Range 0x00080000-0x00090000 MaxSize 0x0000FF6C
Size 0x00000317 Name 'Image downloaded from: tftp://192.168.1.104/MI424WR3_b114/rg_factory3.cfg'
Checksum 0x00000000 Counter 0x000050BB Start Offset 0x00000000

Section 03 Type IMAGE Range 0x000A0000-0x00400000 MaxSize 0x0035FF6C
Size 0x00347620 Name 'MI424WR version 4.0.16.1.56.0.10.11.6 Downloaded at: Mon Mar 16 07:55:46 2009'
Checksum 0x00000000 Counter 0x00006670 Start Offset 0x00000000

Section 04 Type IMAGE Range 0x00400000-0x00760000 MaxSize 0x0035FF6C
Size 0x00347620 Name 'MI424WR version 4.0.16.1.56.0.10.11.6 Downloaded at: Thu Aug 27 14:57:59 2009'
Checksum 0x00000000 Counter 0x00006390 Start Offset 0x00000000

Section 05 Type BOOTCONF Range 0x00760000-0x00780000 MaxSize 0x0001FF6C
Size 0x000011D8 Name 'rg_conf'
Checksum 0x00000000 Counter 0x00006607 Start Offset 0x00000000

Section 06 Type BACKUP_CONF Range 0x00780000-0x007A0000 MaxSize 0x0001FF6C
Size 0x00005C90 Name 'rg_conf'
Checksum 0x00000000 Counter 0x00006672 Start Offset 0x00000000

Section 07 Type CONF Range 0x007A0000-0x007C0000 MaxSize 0x0001FF6C
Size 0x00005518 Name 'rg_conf'
Checksum 0x00000000 Counter 0x000066DA Start Offset 0x00000000

Section 08 Type CONF Range 0x007C0000-0x007E0000 MaxSize 0x0001FF6C
Size 0x0000597B Name 'rg_conf'
Checksum 0x00000000 Counter 0x000066F6 Start Offset 0x00000000


I do not modify routers to add functionality, like using Open-WRT or DD-WRT.
Since I did not add the file, highlighted in red, to the router, and Verizon said they have not updated the embedded OS, it is suspect. Combined with the infection on my system at the time, MBR/Sinowal/whatever, means a pretty thorough compromise.
Finding the router to be compromised I can only suspect that the STB's are also compromised. I have been trying to access the STB's to take a look like i did with the router, but it is a bit more difficult. The STB's use Minix and telnet isn't working.

Remote Administration

If you access the Firewall in the router.
Firewall>Access Control>Block
User Specified services/ports= large detail list of services to port

Adding all RA ports from the list, pcanywhere, rlogin, etc. After applying to Access Control Block list I lose internet service.

Contacting Tech support about the lost service they asked if I had made any recent changes. I told them that I had a problem with an infection and put all RA ports in the block list, and was the only thing I changed when I lost service. Tech Support suggested I set the Firewall to medium so they can run some tests after which I could return to Maximum but not to block the RA ports. They further suggested I use a hardware firewall between the computer and the router If I wanted to block Remote Administration.
In effect, telling me that RA is a part of the Verizon Service.

I was also hoping that someone with STB's would scan their network with nmap using both the TCP and UDP variations to see if there are similarities to my link above.