In a report published this week, security researchers Pierre Kim and Alexandre Torres have discovered seven critical vulnerabilities in 29 FTTH devices of C-Data, a popular Chinese OLT maker. Researchers claim the bugs to be available in 27 different models of C-Data’s OLT devices, where backdoors were seemed to be set intentionally to access devices!
C-Data Intentionally Set Backdoors in OLT Devices?
To begin with, FTTH (Fiber-to-the-Home) and OLT (Optical Line Termination) are two important technologies that help ISPs provide internet connections to home consumers. The optical cable lines drawn from ISP to users home are converted to ethernet connections by FTTH OLT devices, like C-Data’s. And here’s the catch.
Security researchers Pierre Kim and Alexandre Torres have disclosed several vulnerabilities in 27 firmware models of a popular Chinese OLT vendor, C-Data. While the researchers have discovered these vulnerabilities in two latest firmware of C-Data’s OLT devices, they expect other 27 models of the same maker to be affected too, since they all share the same firmware version.
Out of many findings, researchers say that seven are so critical that, it makes them believe the maker, C-Data has intentionally planted backdoors into those OLT devices to control them! Researchers found four username-password combinations and backdoors that would let hackers access the Telnet server running device’s WAN interface.
That’s not all, hackers with that access could exploit yet another bug, that would let them see the plaintext passwords of all admins of that device. This can help hackers to access the device at a later stage if being detected and disconnected. Researchers have published the report without informing the C-Data, as they believe it’s intentionally made.
Models in question are C-Data OLT 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1108SN, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN and FD8000. It’s now hard for ISPs to cope up with this, since many have sold those said FTTH OLT devices as legitimate goods under various names like OptiLink, V-SOL CN, BLIY etc.