Update: ACT has remotely locked access to the routers, so they can only be accessed by the customers directly.
If you are an ACT broadband user, your connection may be at risk. You need to change the default password on your WiFi router immediately. Security researcher Karan Saini told HuffPost India that he has found a flaw in the security settings of ACT-issued routers that can expose them to the open Internet.
Saini explained that since these routers come with a hardcoded default administration password, if a user does not change it before starting to use the router, anyone can log in to the router and take control of their Internet connection.
Going by Telecom Regulatory Authority of India (TRAI) data, ACT is the third biggest wired broadband provider in the country, behind just Airtel and BSNL. And while ACT’s coverage area keeps growing, this security flaw has exposed the fact that some “questionable choices” were made by ACT while setting up routers for new connections.
According to the HuffPost report, “at least two models of TP Link routers, TL-WR850N and Archer C5 AC1200, as well as D-Link routers issued by the company, are set up in such a way that someone could easily gain access to the router management portal, block websites, steal login credentials or monitor Internet traffic passing through the router”.
The security flaw
Your router is basically the hub through which all your Internet traffic passes, and all your devices connect to the Internet through it. If someone gains access to your router, he/she can hijack your connection.
Saini found that these ACT routers come with a hardcoded password. This password is separate from your WiFi password, mind you. And unless you, the user, have manually changed that hardcoded password, you are using one that is common to thousands of routers. Saini also discovered that ACT’s routers’ management portals are accessible through the open Internet, by anyone.
This hardcoded password issue is not unique to ACT routers; it is something most device manufacturers do. They also list their default passwords online for quick troubleshooting and setup. All you need to do is Google to find them. Research from Ben-Gurion University (Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices) found this “issue” to be rather “widespread”.
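To make the point concrete, here is an added example (not code from the article, from Saini, or from any router vendor) that does two things a defender cares about: it audits an administrator password against a small constructed list of shared factory defaults plus basic strength rules, and it shows the design alternative to a single hardcoded password, namely deriving a device-unique initial password from a factory secret and the device serial number with HMAC. The default list, the serial numbers and the factory key below are all made up for illustration; the derivation scheme is an assumed design, not what ACT or TP-Link actually ship.

```python
import base64
import hashlib
import hmac
import string

# Constructed sample of factory defaults shared across many devices.
# Illustrative only; not copied from any vendor manual or from the article.
SAMPLE_SHARED_DEFAULTS = {"admin", "password", "1234", "12345678", "root"}

# Words that often appear inside weak administrator passwords (assumed list).
COMMON_WORDS = ("admin", "password", "router", "wifi")

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def _normalise(password: str) -> str:
    """Compare case-insensitively and ignore surrounding whitespace."""
    return password.strip().lower()


def audit_admin_password(password: str,
                         shared_defaults=SAMPLE_SHARED_DEFAULTS,
                         min_length: int = 12) -> list:
    """Return a list of findings for a router admin password.

    An empty list means none of the checks fired. The checks are ordered:
    shared default match, minimum length, character-class diversity, and
    (only when the password is not itself a default) common-word content.
    """
    findings = []
    norm = _normalise(password)
    defaults = {_normalise(d) for d in shared_defaults}

    # The core problem from the article: one password common to thousands
    # of routers, so anyone with the vendor's published default can log in.
    if norm in defaults:
        findings.append("matches a shared factory default")

    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")

    classes = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    if classes < 3:
        findings.append("uses fewer than three character classes")

    if norm not in defaults and any(w in norm for w in COMMON_WORDS):
        findings.append("contains a common word")

    return findings


def derive_per_device_default(factory_key: bytes, serial: str,
                              length: int = 16) -> str:
    """Derive a device-unique initial admin password (assumed design).

    HMAC-SHA256 over the serial, keyed with a secret that never leaves the
    factory, so knowing one device's serial or password reveals nothing about
    another device's. The scheme is only as strong as the secrecy of the key,
    and the user should still be made to change the password on first login.
    """
    digest = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    # urlsafe base64 has a 64-symbol alphabet, so truncating introduces no bias.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    for candidate in ("admin", "Admin2024!", "Correct-Horse-Battery-9"):
        print(repr(candidate), "->", audit_admin_password(candidate) or "OK")
    key = b"constructed-factory-secret"       # placeholder, not a real key
    for serial in ("SN-000001", "SN-000002"):  # constructed serial numbers
        print(serial, "->", derive_per_device_default(key, serial))
```

The audit function is the kind of check a provisioning tool (or a user-facing setup wizard) can run before accepting a new management password; the derivation function illustrates why a shared hardcoded default is a design choice rather than a necessity.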
“Getting a foothold into a home Wi-Fi network to infect devices with malware, all via a poorly-secured internet-enabled coffeemaker, might sound somewhat ludicrous, but it’s sadly entirely possible,” Maria Varmazis, writing for cybersecurity provider Sophos, told HuffPost.
It’s that easy to hack it
“The reason behind this is unclear. My initial guess was that the routers that are publicly available must have explicitly changed settings to do so. However, after traversing the Internet for public routers, this does not seem to be the case. Further, most routers I have come across in my search did not have any explicit settings enabled for allowing remote administration,” Saini said.
Using this misconfiguration, Saini was able to “create a test script that can search through a list of Internet addresses and try to log in with the default credentials, and make a list of all the routers it’s able to track in this manner, along with the name of the network, and the computer-specific machine addresses connected to the network”.
“Once in, an attacker could steal credentials which can be used to log into customers’ ACT accounts. This is particularly damaging since ACT does not allow users to change their account passwords,” Saini said.
“Once compromised, an attacker will have persistent access to the victim’s ACT account. Alternatively, an attacker can configure their existing ACT Fibernet connection to instead use someone else’s credentials. This would allow an attacker to perform a DoS [Denial of Service, a common type of online attack], and/or exhaust the FUP [Fair Usage Policy, your data limit] on the victim’s connection,” he added.
By doing this, they could use their own ACT line but be logged in with a victim’s ID, so the attacker could use the connection without paying.
The bigger issue
Someone piggybacking on an Internet connection you pay for is the least of the issues. Once he/she breaks in, the attacker can also “modify any given setting on the router, including DNS and firewall settings, parental and bandwidth controls, among other sensitive controls. An attacker could also forward connections to a server under their control, and start monitoring traffic that passes through,” Saini explained.
With this information an attacker can track every site you’re visiting and build a detailed profile which can later be used to scam you.
HuffPost reports that according to the tests Saini ran, a total of 52,345 ACT connections were publicly accessible on the Internet. Saini also noted that “the test used to determine this number does not reveal the number of connections using the default password, and the actual number could in fact be higher, or lower – though it was likely to be somewhere in this benchmark”.
Saini also warned that there are no quick fixes to this issue.
So, how do you ‘fix’ this?
“Since there may be no way of verifying customers whose routers might’ve been accessed by a potential bad actor, a reset would have to be performed for all users whose router management portals are—or were at any given time—publicly accessible,” he said.
“For mitigation, please immediately change your router management portal, and block incoming connections on port 80,” he added.
Saini had alerted ACT’s security team to the misconfiguration in December 2019, and HuffPost India has also contacted ACT representatives. ACT has acknowledged the issue.
“ACT Fibernet has always taken customer internet security very seriously wherein we have built a highly robust and secure network to safeguard our customers’ devices, data and other equipment. In light of the recent incident regarding a flaw found in the security setting of our company issued routers, we had initiated a thorough investigation on this matter and identified a security gap on select router models that could potentially expose these routers to unauthorised access,” said ACT in a statement when we reached out to the company.
“We would like to clarify that this incident was confined to a small segment of our customers who had not primarily changed their default router password and the same had been rectified a few days ago. Additionally, we have also implemented a vigorous round of customer education and outreach to assist affected customers in changing their router passwords,” ACT added.
Responding rather promptly to this, ACT has remotely locked access to the routers, so they can only be accessed by the customers directly.