UPC network problems
--------------------

Platforms / Firmware confirmed affected:
- UPC Hungary network

Problems
--------
Network and device configuration problems
Administration password is sent to the device in plain in the
configuration file
Administration password, which is used also for the telnet service, is
sent in plain in the configuration file downloaded by the device via
TFTP from the location specified by the DHCP response. The TFTP server
is accessible only from the internal UPCas network.

Administration password is the same for ALL devices
Every kind of device uses the same administration password, which
provides administrative and telnet access in most of the cases form the
internal UPCas network. The actual access method and possibilities are
depends on the device type.

Telnet service is enabled on Ubee devices by default
Telnet service is enabled on Ubee devices at interfaces accessible from
LAN. Since, the password is the same and sent in plaintext, any user
from the LAN can connect to the router with root privileges. Users can
not disable telnet service and it is accessible even if the device is in
bridge mode.

Other CPE devices can be accessed in the internal UPCas network
>From within the router, the 10.x.x.x range is accessible and the router
can access other UPC costumersa devices. Using the administration
password, which is the same in every device, the attacker can take over
control of masses of devices.

Timeline
--------
- 2015.06.24: Presenting the Ubee router problems to the CTO of UPC
Magyarorszag
- 2015.07.16: UPC contacted Ubee and required some more proof about some
specific problems
- 2015.07.16: Proofs, that the default passphrase calculation of the
Ubee router was broken, were sent to UPC
- 2015.07.20: UPC requested the POC code
- 2015.07.21: POC code was sent to UPC
- 2015.07.30: We sent some new issues affecting the Ubee router and
other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC
- Between 2015.07.31 and 08.12 there were several e-mail and phone
communications between technical persons from Liberty Global to clarify
the findings
- 2015.08.19: UPC sent out advisory emails to its end users to change
the default WiFi passphrase
- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end
users about the importance of the change of the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security
personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a
wardriving experiment in Budapest, Hungary to measure the rate of end
users who are still using the default passphrases.

Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)

References
----------
[1] http://www.search-lab.hu/advisories/secadv-20150720