FiberHome Devices Has Backdoors, Could Make Up a New Botnet

FiberHome, a Chinese FTTH ONT maker is having several vulnerabilities in two of their device models. These devices are widely used in Southeast Asia and Southern America for internet connectivity. Besides the general vulnerabilities, there are about 28 backdoors found in the devices, which could help hackers add them to a botnet.

Chinese Router Maker Has Backdoors in Their Devices

Fiber-to-the-Home Optical Network Terminal (FTTH ONT) are special devices made to be connected at the user end of internet fiber cables and would transmit the optic signals into internet signals. These are called routers, in the more local languages, and are widely used by ISPs in Southern America and Southeast Asia.

Chinese FiberHome ONTs too fall in this category and are spotted to have critical problems in their devices. Last week, a security researcher named Pierre Kim has pointed out several vulnerabilities, including 28 backdoors in FiberHome HG6245D and FiberHome RP2602 models of FiberHome ONTs.

All these were hardcoded into the device’s firmware, making them hard to remove easily and blame the maker for making some intentionally. Also, the researcher’s balancing report tells that, it’s good that FiberHome has disabled the Telnet management feature by default and closing the management panel via the IPv4 external interface.

These are the main paths used by hackers to get into the device and add them into their botnet network. But, at the same time, he said that FiberHome hasn’t blocked access to these management panels via the IPv6 interface, which can let hackers get through the web panel by just knowing the IPv6 address of the device!

While some vulnerabilities were seen as bugs, some were said to be intentionally placed by the maker itself! He reported this in January last year to FiberHome and didn’t know whether the OEM has rectified any of these vulnerabilities or not, as he didn’t check the latest versions of these models. But, he listed out all the discovered vulnerabilities as below, in his blog;

1. Insecure IPv6 connectivity
2. HTTP Server – Passwords in HTTP logs
3. HTTP Server – Harcoded SSL certificates
4. HTTP server – Pre-auth InfoLeak
5. HTTP Server – Backdoor allowing telnet access
6. HTTP Server – Hardcoded credentials
7. HTTP Server – TR-069 hardcoded credentials
8. HTTP Server – Credentials decryption algorithm
9. Telnet server (Linux) – Hardcoded credentials
10. Telnet server (CLI) – Hardcoded credentials
11. Telnet server (CLI) – Privilege escalation
12. Telnet server (CLI) – Authentication bypass
13. Telnet server (CLI) – Authentication bypass to start the Linux telnetd
14. Telnet server (CLI) – DoS
15. System – Credentials stored in clear-text
16. System – Passwords stored in clear-text in nvram
17. Misc – Remote stack overflow in the HTTP server (AN5506-04-FA / RP2631)