Serious Vulnerability In Telstra’s “Smart” NBN Modems

This is something I noticed a couple of months ago when investigating issues with a Telstra-supplied NBN modem, the Sagemcom F@ST5355-A. Current hardware version is FAST5355-A, software version SG7E10001332, GUI v. 1.57.53.3 and Datapump version A2pv6F039x6.d26r. Firstly, the modem plain sucks; not being able to change DNS servers is a big reason why, but I’ll get into that later.

Now, why do I so dislike this modem? Many reasons, but I’ll get to the most pressing one: Telstra frequently use a protocol called CWMP, defined by the TR-069 specification, to remotely interact with, modify, and control their end customers’ hardware, specifically the modems. They call them “Customer Premises Equipment” (CPE) in the business. Here is a link to Wikipedia’s very quick rundown. Looking through the maintenance logs on Telstra’s modem, you can see the line “TR-069 connectivity to (58.162.32.33/cwmp/cwmp) has been initiated” crop up. “58.162.32.33” is the IP address used to access the modem, this one at least, and scanning it revealed an email address and more.

The biggest problem with this is that it often involves a reboot or reset of the modem, which is usually performed on a monthly basis, although 15-25 times per month is quite common in my experience. This reboot does something VERY dangerous: it resets the modem administrator password back to the default of “admin” along with the username to “admin”. That is one of the first automated combinations an attacker will fire off against equipment to attempt access.

Telstra did more; they removed configuration settings for the LAN (local area network), totally removed the dynamic DNS updating settings, removed all custom port forwarding rules, and enabled automatic UPnP, allowing devices on the network, including compromised ones, to automatically configure and change the routing of traffic through the network. Firewall settings were also modified, and IPv6 connectivity was enabled to the public internet rather than the user-set LAN-only setting. Guest Wifi networks were also both disabled and renamed, passwords changed too.

The timezone was set to the ACT instead of where it belonged, NSW, and, in another grievous tech sin, they turned on the remote access settings to the modem, enabling it for the entire public internet with the default password of “admin” and encryption turned off. Notably, if you try to force encryption to the modem, you get an error as the Sagemcom security certificate is invalid.
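If you are stuck with one of these modems, one way to keep on top of the resets is to count the TR-069 sessions in the maintenance log and re-check the settings listed above after each one. The sketch below is an added example, not anything supplied by Telstra or Sagemcom: the log timestamp layout and the sample lines are constructed, and the setting names are hypothetical labels you would fill in by hand from the modem GUI.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of an exported maintenance log. The timestamp layout is an
# assumption; only the quoted TR-069 message text comes from the post.
SAMPLE_LOG = """\
2019-03-02 03:14:07 TR-069 connectivity to (58.162.32.33/cwmp/cwmp) has been initiated
2019-03-02 03:15:41 System restarted
2019-03-09 02:58:30 TR-069 connectivity to (58.162.32.33/cwmp/cwmp) has been initiated
2019-04-01 04:02:12 TR-069 connectivity to (58.162.32.33/cwmp/cwmp) has been initiated
"""

TR069_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TR-069 connectivity to \(([^)]+)\) has been initiated")

def tr069_sessions(log_text):
    """Return (timestamp, acs_endpoint) for each TR-069 session line."""
    sessions = []
    for line in log_text.splitlines():
        m = TR069_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            sessions.append((ts, m.group(2)))
    return sessions

def sessions_per_month(sessions):
    """Count remote-management sessions per calendar month (YYYY-MM)."""
    return Counter(ts.strftime("%Y-%m") for ts, _ in sessions)

# Hypothetical setting names: the state you configured and expect to keep.
BASELINE = {"admin_password_is_default": False, "upnp_enabled": False,
            "remote_access_enabled": False, "remote_access_encrypted": True,
            "ipv6_exposure": "lan-only", "port_forward_rules": 3,
            "dynamic_dns_configured": True}

def drift(baseline, current):
    """Return {setting: (expected, found)} for every value that changed."""
    return {k: (v, current.get(k)) for k, v in baseline.items()
            if current.get(k) != v}

if __name__ == "__main__":
    # Constructed "after a remote push" snapshot matching the changes described.
    after_push = dict(BASELINE, admin_password_is_default=True, upnp_enabled=True,
                      remote_access_enabled=True, remote_access_encrypted=False,
                      ipv6_exposure="public", port_forward_rules=0,
                      dynamic_dns_configured=False)
    print(dict(sessions_per_month(tr069_sessions(SAMPLE_LOG))))
    for name, (want, got) in drift(BASELINE, after_push).items():
        print(f"DRIFT {name}: expected {want!r}, found {got!r}")
```

Any drifted setting after a TR-069 session is the cue to change the admin password again and switch remote access and UPnP back off.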

More to come.

Facebook Cloning (Facebook “hacking”)

Facebook cloning. It’s the process of a Facebook profile being created, cobbled together from the parts of a legitimate, real person’s Facebook account, using their information, photos, posts, whatever can be found. Often, it gets referred to as “Facebook hacking” or you’ll hear somebody say “my Facebook got hacked!” This is a misnomer: the attackers have not gained access to the genuine Facebook account, they’ve harvested information set to public display, or to friends of friends, and have already befriended some mutual friends in order to get that.

Once the profile is first up and running, one of the first things the scammer does is to start to befriend the friends of their target. This way, when they send the friend request to their target, it’ll appear more genuine, as the fake profile seems to be ingrained in their real network of friends. Often times they’ll make more than one cloned profile, cloning multiple people who are all friends, and that way, they get to have a whole faked “network of trust”.

They’ll use photos ripped from the real profile, may share photos of the person with mutual friends, as well as setting up other fake profiles and other non-Facebook communication methods, though that is less common.

The more information is set to public on someone’s Facebook profile, the more information and photos can be gleaned by criminals, and the more genuine the imposter appears – at least at first glance. Often when you dig down into the cloned profile, however, it starts to feel shallow. To generate new content with the person’s image, they may use common Facebook photo framers and filters, for example, ones that place their photo inside a frame saying “I support team so-and-so”. Or, it may be a crown of flowers, a dog’s nose superimposed over their own (why do women in their 20s and teen girls do that?!)

Below is a screenshot from the Frame Creator Studio that anybody on Facebook can use:

What are the signs of a cloned profile? A major red flag is receiving a friend request from somebody whom you have not heard of or been in contact with for a long while, months, years, frequently it may be a past associate, workmate, or school friend. Naturally, they won’t be up to date on all your life’s comings and goings, and they may send you a Facebook message, saying hello, a few niceties, and after a brief exchange, you likely won’t hear more from them, at least for a while.

Other times, they’ll launch into telling you about something, or tell you something amazing that happened to them and they’ll send you a link through messenger to check it out for yourself. Whatever it is, it’s something that isn’t exactly amazing – it’s a scam, a scheme, or a downright malicious link/phishing link.

Protecting yourself? Keep public information to a minimum. Don’t indiscriminately add random people on Facebook. The more friends you have does NOT mean the longer your penis is, guys. And once in a while, check through your contacts list and make sure you haven’t had any clones slip through the gaps. If they aren’t targeting you, they’re using your friendship status to lend legitimacy to their fraud and trick your real friends.

What if it happened to you, and you’re the target, and they really have it in for you? That’ll be coming soon!

VPN To Avoid: Hotspot Shield by Anchorfree

I got a spam email today from Anchorfree, makers of the Hotspot Shield VPN service. It has a free variant, and a huge range of pricey plans. They state on their website, front and centre “We don’t store or save your IP address”.

They lie.

It’s been previously revealed that they do log user data, as well as interfere with traffic. I myself looked into it recently and saw clear as day that they are injecting advertising traffic into the data coming to my computer through their VPN (technically, my test computer.)

So, you don’t get anonymity, safety, or security from any of their VPN services, and the funny thing is (actually, alarming rather than funny), they’re the most popular VPN on Apple’s App Store, with the most users and a 4.5 star rating. Yikes.