A default password is an explicit threat

Shahin Gurbanov
Jan 11, 2023

A long time ago this letter was sent to a local internet provider which didn’t care about the default password on the GPON modems they deployed on the client side.
The EchoLife HG8326R GPON Terminal, like other network devices, has default passwords.

So the threats that appear when using this device are:

1) The internet provider which deploys GPON on the client side hands out this modem without changing the default password.
2) The other problem is that this modem model has no “password change” option as such.

Let’s look into my modem logs. Interesting things like these may happen (or may already have happened) on every modem of this model:

2016-06-11 00:43:45 [Critical][Config-Log] Terminal:CLI(76.4.120.77),Result:Fail,Type:Login,Username:root
2016-06-12 00:11:47 [Critical][Config-Log] Terminal:CLI(59.125.135.108),Result:Success,Type:Login,Username:root
2016-06-11 14:30:42 [Critical][Config-Log] Terminal:WEB(188.0.236.137),Result:Success,Type:Logout,Username:telecomadmin

A RIPE RIS whois lookup shows:

ice@osuse:~> whois -h riswhois.ripe.net 76.4.120.77
route: 76.4.96.0/19
origin: AS209
descr: CENTURYLINK-US-LEGACY-QWEST - Qwest Communications Company, LLC, US
lastupd-frst: 2016-06-08 11:26Z 193.150.22.1@rrc00
lastupd-last: 2016-06-11 08:31Z 187.16.220.193@rrc15
seen-at: rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15,rrc16
num-rispeers: 114
source: RISWHOIS
ice@osuse:~>
ice@osuse:~> whois -h riswhois.ripe.net 59.125.135.108
route: 59.125.0.0/16
origin: AS3462
descr: HINET Data Communication Business Group, TW
lastupd-frst: 2016-06-08 11:26Z 212.25.27.44@rrc00
lastupd-last: 2016-06-11 08:31Z 187.16.220.193@rrc15
seen-at: rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15,rrc16
num-rispeers: 115
source: RISWHOIS
ice@osuse:~>

There is no need to brute-force. Why?
Because the login and password of this modem are the factory defaults:

login : telecomadmin
password : admintelecom

Let’s take security into our own hands.

1) Dump the modem’s XML config. Create a backup copy.

2) Find these lines in the original XML:

<X_HW_WebUserInfoInstance InstanceID="1" UserName="root"
Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1"
PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin"
Password="402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef" UserLevel="0" Enable="1"
PassMode="2"/>

3) After brainstorming, I found that the password generation function is a hash function, namely:

sha256sum(md5sum(x))

so the password hash is

PASSWORD_HASH = sha256sum(md5sum(PASSWORD_CLEAR))

As shown above, the hash of the default password “admintelecom” is

md5sum(admintelecom) = a016b28a2669f876cc24e9b3dac1bd73 => sha256(a016b28a2669f876cc24e9b3dac1bd73) = 402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef

Compare this with

Password="402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef"

in the XML config above.

4) Put your own cleartext password into the function and generate the password hash:

PASSWORD_CLEAR = "xytkiYoJyWB5r9YkxyP4"
PASSWORD_HASH = sha256sum(md5sum(xytkiYoJyWB5r9YkxyP4)) = sha256sum(448e5f225c7783f3c059046d3b41600e) = 24ea5244ffd586be3c5243714251b43e95e7a825d62f095fabf009aaceba74bb

Replace the value of the Password attribute in the XML. The result must look like this:

<X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin"
Password="24ea5244ffd586be3c5243714251b43e95e7a825d62f095fabf009aaceba74bb" UserLevel="0" Enable="1"
PassMode="2"/>

5) Save the XML config and upload it to the modem.

After that your modem login password will be

login : telecomadmin
password : xytkiYoJyWB5r9YkxyP4
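
Steps 3 to 5 as an added Python example (not code from the original post): it computes the sha256(md5(x)) hash, reports which accounts in a config dump still use a known default password, and rewrites one account's hash in place without touching the rest of the file. The sample config is constructed in the layout shown in step 2, and the code assumes UserName precedes Password in each element, as it does there.

```python
import hashlib
import re

def huawei_hash(password: str) -> str:
    """sha256 over the lowercase hex text of md5(password), as in step 3."""
    md5_hex = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.sha256(md5_hex.encode("ascii")).hexdigest()

# One X_HW_WebUserInfoInstance element; assumes UserName precedes Password,
# as in the lines shown in step 2. Groups: prefix, user name, hash.
ENTRY = re.compile(
    r'(<X_HW_WebUserInfoInstance\b[^>]*?UserName="([^"]*)"[^>]*?Password=")'
    r'([0-9a-fA-F]{64})')

def audit(config: str, known_defaults) -> dict:
    """Map user name -> default password for every account still using one."""
    table = {huawei_hash(p): p for p in known_defaults}
    return {m.group(2): table[m.group(3).lower()]
            for m in ENTRY.finditer(config) if m.group(3).lower() in table}

def set_password(config: str, user: str, new_password: str) -> str:
    """Return the config with only `user`'s hash replaced; all else unchanged."""
    hits = 0
    def swap(m):
        nonlocal hits
        if m.group(2) != user:
            return m.group(0)          # other accounts stay exactly as they were
        hits += 1
        return m.group(1) + huawei_hash(new_password)
    patched = ENTRY.sub(swap, config)
    if hits != 1:
        raise ValueError(f"expected exactly one entry for {user!r}, found {hits}")
    return patched

# Constructed sample in the layout of step 2 (hashes computed here, not copied).
SAMPLE = "\n".join(
    f'<X_HW_WebUserInfoInstance InstanceID="{i}" UserName="{u}"\n'
    f'Password="{huawei_hash(p)}" UserLevel="{lvl}" Enable="1"\nPassMode="2"/>'
    for i, u, p, lvl in [(1, "root", "constructed-root-pw", 1),
                         (2, "telecomadmin", "admintelecom", 0)])

if __name__ == "__main__":
    print("before:", audit(SAMPLE, ["admintelecom"]))
    # Example password from step 4; choose your own for a real device.
    fixed = set_password(SAMPLE, "telecomadmin", "xytkiYoJyWB5r9YkxyP4")
    print("after: ", audit(fixed, ["admintelecom"]))
    print(fixed)
```

Run the audit again on the config you are about to upload: an empty result means no listed default password is left in it.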

Thank you for your attention and take care of yourself.
