Telnet backdoor vulnerabilities impact over a million IoT radio devices

Devices can be remotely exploited as root without any need for user interaction.

Critical vulnerabilities have been discovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that permit attackers to remotely hijack systems. 

On Monday, Vulnerability-Lab researcher Benjamin Kunz disclosed the firm's findings, for which two CVEs have been assigned: CVE-2019-13473 and CVE-2019-13474.

Several weeks ago, the company found an anomaly on a private server linked to web radio terminals belonging to Telestar devices, alongside an undocumented telnetd server. 

The radios in question are from the company's Imperial & Dabman Series I and D product line, which include portable radios and DAB stereos.


These products are sold across Europe, utilize Bluetooth and Internet connectivity, and are based on BusyBox Linux Debian. 

An investigation into the radios revealed an undocumented Telnet service on port 23 which, as port forwarding was active, could be addressed externally. The video below shows how a port scan, the nmap tool, and ncrack could be used to infiltrate the system.

The team was able to connect and brute-force the radio within only 10 minutes due to lax password security, granting them root access with full privileges. 
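As an added example (not code from Vulnerability-Lab or Telestar), the following Python script lets an administrator audit devices they own for the exposure described above: it connects to TCP port 23 and recognises a Telnet daemon by its IAC option negotiation. The function names and the inventory address (taken from the 192.0.2.0/24 documentation range) are assumptions.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
NEGOTIATION = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

def parse_telnet_negotiation(data):
    """Return (command, option) pairs for every IAC negotiation in a greeting."""
    pairs, i = [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped literal 0xFF, not a command
            i += 2
        elif cmd in NEGOTIATION and i + 2 < len(data):
            pairs.append((NEGOTIATION[cmd], data[i + 2]))
            i += 3
        else:
            i += 2
    return pairs

def classify(greeting):
    """Label what answered on the port from the first bytes it sent."""
    if parse_telnet_negotiation(greeting):
        return "telnet"
    if b"login:" in greeting.lower():
        return "login-prompt"
    return "open-other" if greeting else "open-silent"

def probe(host, port=23, timeout=3.0):
    """Connect to one device in your own inventory and classify the service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                greeting = s.recv(256)
            except socket.timeout:          # port open, but nothing was sent
                greeting = b""
    except OSError:
        return "closed-or-filtered"
    return classify(greeting)

if __name__ == "__main__":
    inventory = ["192.0.2.10"]  # placeholder: replace with devices you administer
    for host in inventory:
        print(f"{host}:23 -> {probe(host)}")
```

Any device reported as `telnet` or `login-prompt` should be updated to the patched firmware and checked for port forwarding on the router.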


"For testing we edited some of the folders, created files, and modified paths to see what we are able to change in the native source of the application," Kunz says. "Finally, we were able to edit and access everything on the box and had the ability to fully compromise the smart web radio device."

Possible attacks included changing device names, forcing a play stream, saving audio files as messages, and transmitting audio as commands both locally and remotely.

On Facebook, the security researcher said over one million devices may be at risk. 


While the single compromise of an IoT radio may not seem like a big security issue, the disclosure highlights a problem that impacts all of us -- the enslavement of IoT devices to create larger threats. As an example, Mirai botnet variants specialize in hijacking IoT devices with open ports or weak security -- such as those using default credentials -- in order to launch powerful distributed denial-of-service (DDoS) attacks. 


It is also possible to harness these vulnerabilities to spread malware or to deface devices. 

Vulnerability-Lab notified Telestar Digital GmbH of its research on June 1. Within a week, the vendor responded to the report and a patch was ready by August 30, leading to the coordinated public disclosure. 

The telnetd service is being changed and the lax password use has been revised. Automatic updates via Wi-Fi are now available and can be implemented by setting impacted devices back to factory settings and accepting downloads of the latest firmware version. 

Telestar Digital GmbH is not aware of any examples of the vulnerabilities being exploited in the wild. 
