At least 28 backdoor accounts and several other vulnerabilities have been discovered in the firmware of a popular FTTH ONT router, widely deployed across South America and Southeast Asia.
FTTH ONT stands for Fiber-to-the-Home Optical Network Terminal. These are special devices fitted at the end of optical fiber cables. Their role is to convert optical signals sent via fiber optics cables into classic Ethernet or wireless (WiFi) connections.
FTTH ONT routers are usually installed in apartment buildings or inside the homes or businesses that opt for gigabit-type subscriptions.
In a report published last week, security researcher Pierre Kim said he identified a large collection of security issues with FiberHome HG6245D and FiberHome RP2602, two FTTH ONT router models developed by Chinese company FiberHome Networks.
The report describes both positive and negative issues with the two router models and their firmware.
For example, on the positive side, neither device exposes its management panel on the external IPv4 interface, so attacks against the web panel from the internet over IPv4 are blocked. Furthermore, the Telnet management feature, which is often abused by botnets, is disabled by default.
However, Kim says that FiberHome engineers have apparently failed to activate these same protections for the routers' IPv6 interface. Kim notes that the device firewall is only active on the IPv4 interface and not on IPv6, allowing threat actors direct access to all of the router's internal services, as long as they know the IPv6 address to access the device.
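The asymmetry Kim describes is a common firewall-configuration mistake on Linux-based CPE: the filtering rules are written for the IPv4 stack only, and the IPv6 stack is left with no policy at all. The following is an added, constructed nftables illustration (it is not FiberHome's configuration, and the interface name `br-lan` and the management services mentioned in comments are assumptions) showing the weak pattern beside the corrected one. In nftables an `ip`-family table hooks IPv4 packets only, whereas an `inet`-family table hooks both IPv4 and IPv6 with a single ruleset.

```nftables
# Constructed example, not the vendor's firmware configuration.

# Weak pattern: the "ip" family inspects IPv4 packets only. IPv6
# traffic never traverses this chain, so every service bound to the
# device's WAN-side IPv6 address stays reachable no matter what these
# rules say.
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "br-lan" accept          # LAN bridge (assumed name)
        icmp type echo-request accept
    }
}

# Corrected pattern: the "inet" family hooks IPv4 and IPv6 together,
# so the same default-drop policy applies on the WAN side regardless
# of address family.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "br-lan" accept          # LAN bridge (assumed name)
        # ICMPv6 neighbour discovery and router solicitation must be
        # allowed, or IPv6 on the LAN side stops working once the
        # default policy is drop.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request } accept
        icmp type echo-request accept
        # Management services (web panel, telnet, etc.) are reachable
        # only through the LAN-bridge rule above; nothing else from the
        # WAN interface is accepted over either address family.
    }
}
```

A quick audit on any Linux-based router is to compare `nft list ruleset` (or `ip6tables -S` on legacy systems) against `ss -lntp`: any listener bound to `::` or a global IPv6 address that is not covered by an `inet` or `ip6` input chain is exposed exactly the way the article describes.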
Starting with this issue, Kim detailed a long list of backdoors and vulnerabilities he discovered on the device, which he claims attackers could abuse to take over ISP infrastructure. These issues include the likes of:
Based on the number and nature of the hardcoded backdoor accounts he discovered inside the device's firmware, Kim said that he believes "that some backdoors have been intentionally placed by the vendor."
Requests for comment sent by ZDNet to FiberHome via email and its official website last Thursday, January 14, remained unanswered at the time of writing.
Kim said he found these issues in January 2020 and had notified the vendor. The researcher couldn't determine if any bugs have been patched as he hasn't tested newer versions of the firmware since then.
Furthermore, the researcher also warns that the same backdoor and vulnerability issues could affect other FiberHome models, because most vendors tend to reuse or only slightly modify firmware between different product series.
It is of utmost urgency that device owners secure FiberHome routers. In late 2019, security researchers from Qihoo 360 reported that threat actors had already been abusing FiberHome systems to assemble botnets, most of them used as proxy networks.
In May 2020, the US Department of Commerce added FiberHome and eight other Chinese tech companies to a blacklist restricting their access to US companies, exports, and technology.
In a press release, US officials claimed the nine companies were "complicit in human rights violations and abuses committed in China's campaign of repression, mass arbitrary detention, forced labor and high-technology surveillance against Uighurs, ethnic Kazakhs, and other members of Muslim minority groups in the Xinjiang Uighur Autonomous Region (XUAR)."