SOHOpeless routers offer hard-coded credentials and command injection bugs
Researcher says Zyxel and Billion kit in Thailand, and probably beyond, are rotten
Yet again, home routers are the home of SOHOpelessness: Zyxel and Billion units distributed in Thailand by TrueOnline have backdoors, and the researcher who found the flaw says the vendors have ignored his attempts to notify them.
Long-time router-popper Pablo Ribeiro went public with the pwnage – default admin accounts and command injection vulnerabilities – because the vendors didn't respond to his contacts in July 2016.
The three devices in question are the ZyXEL P660HN-T v1 (distributed up to 2013); the ZyXEL P660HN-T v2; and the Billion 5200W-T, which is TrueOnline's current default unit for new customers.
The units all use the MIPS-based TC3162U system-on-chip, manufactured by TrendChip (which has since been acquired by MediaTek). The vulnerable firmware is either the ZynOS-based “ras” (for low-power, small-memory units) or tclinux, and the devices serve their web interface with either the Boa or the GoAhead web server.
Ribeiro warns that his tests are specific to the Thai versions of the boxes, but it's not likely to end there.
About the hard-coded admin accounts, he writes: “It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable.”
Similarly, the command injection vulnerabilities probably affect units other than those sold in Thailand.
At this point, he writes, there is no fix: the only defence is for users to block any untrusted client from connecting to the routers.
Securiteam has published a vulnerability summary. ®