Alcatel Speed Touch ADSL Insecure Administration Interface Vulnerability

In the factory shipped state, no password is set for the device's administration interface. This could permit a user to reconfigure the unit, or set the password and prevent the device from being reconfigured.

Once a password has been set, the device remains vulnerable to attack in two ways.

- TFTP: The device's TFTP service can be used to overwrite configuration files. This approach may allow an attacker to set or modify the administration password even if it has been previously set.

- Cryptographic attack: by connecting to the "EXPERT" account, a challenge-response sequence is initiated which
is reportedly vulnerable to cryptographic attack. Details of the challenge-response algorithm were not made publicly available.

The device's configuration settings are accessible through FTP, HTTP and Telnet interfaces. In addition, the device's file structure is exposed through FTP. All of these services allow the modification of configuration information.

By default, no password is set for any of these services, so no authentication is required for access.

*** NOTE: Shortly after this advisory was published, the vendor, Alcatel, posted their response to the reported vulnerabilities in their modems.

In addition to providing general mitigating strategies designed to lessen the impact of these isses (such as firewall software and/or a dedicated firewall device or the Alcatel Speed Touch modem with Firewall capabilities), the vendor response indicates that only the Speed Touch Pro is vulnerable to remote changes to firmware code and configuration settings, and that this model can be made secure from such interference by the activation of an inbuilt security feature disabling remote access from the WAN/DSL interface. Therefore, while the discoverer's initial advisory states that the entire family of devices may be vulnerable, the vendor limits the scope of this vulnerability to a single, misconfigured model of the Speed Touch line.

This discussion will be updated regularly as further details and clarification emerge.


Privacy Statement
Copyright 2010, SecurityFocus