
04 September 2009

Router Security Issue

Hi Members -

We want to let you know that we’ve recently been informed of a security problem that could affect the BE Box, among other routers.

Essentially, the problem could allow somebody to change your router settings, and nobody wants that.

For you tech savvies, we’ve included more details at the bottom of this email.

Here’s what we’re doing:

We want everyone to be protected – even the people who don’t read this. So we’ve decided to automatically update the password for everyone.

It will be unique to each user: we are running a script to change the password to the individual serial number on your BE Box (found on the bottom of the router). If you want to change it after that, click here for a guide.

Just to be clear, we aren’t changing the wireless key – it’s the password to the administrator web interface. That’s the only change we will…or would…make.

We will start running this script first thing Monday 7th September. If you don’t want us to do it (although we do recommend it), you can stop us by either:

a) Downloading and running the tool here.

b) Following the manual guide here.

All the best -

Everyone @BE


The Techie Stuff

The BE Box is vulnerable to an XSS (cross-site scripting) flaw combined with a CSRF (cross-site request forgery) flaw, which together allow a remote attacker to perform actions on the Web UI (user interface) via JavaScript – without the user’s knowledge or consent.

In the short term, in order to stop this from occurring we are going to set the password on everyone’s BE Box.

After we’ve done this, if someone tries to attack your router, your browser will prompt you to enter your Administrator Password. Don’t do it, otherwise the attack will be successful. … (We’d like to think that most people wouldn’t enter their username and password into a random, unexpected login prompt.)

In the long run we’re working with Thomson to improve the firmware’s resilience to such attacks.
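As an added illustration (not BE's script or Thomson's firmware), here is a small Python model of the two fixes the notice describes: the short-term requirement of an admin password, and the request-origin and token checks a firmware-level fix would need. It also shows why the notice says not to enter the password at an unexpected prompt: once a browser has answered a Basic-auth prompt it attaches the credentials to later requests to that host, so the password alone cannot tell a forged settings change from a real one. The credentials, router address and requests below are constructed placeholders.

```python
import base64
import hmac

# Constructed placeholder credentials for this demo; BE set each box's real password
# to its serial number, which this example does not know.
ADMIN_USER = "Administrator"
ADMIN_PASSWORD = "SERIAL-PLACEHOLDER"
ROUTER_ORIGIN = "http://192.168.1.254"  # assumed LAN address of the router's web UI

def basic_header(user, password):
    """The Authorization header a browser attaches once the user has answered a Basic-auth prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _credentials_ok(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return False
    return hmac.compare_digest(user.encode(), ADMIN_USER.encode()) and \
        hmac.compare_digest(pw.encode(), ADMIN_PASSWORD.encode())

def password_only_policy(headers, form):
    """Short-term fix from the notice: a settings change needs the admin password and nothing else."""
    return 200 if _credentials_ok(headers) else 401  # 401 is what makes the browser show the login prompt

def hardened_policy(headers, form, session_token):
    """Longer-term fix: credentials plus evidence that the request came from the router's own pages."""
    if not _credentials_ok(headers):
        return 401
    # A form submitted from another site carries that site's Origin (or Referer), not the router's.
    source = headers.get("Origin") or headers.get("Referer", "")
    if not (source == ROUTER_ORIGIN or source.startswith(ROUTER_ORIGIN + "/")):
        return 403
    # A per-session token that other sites cannot read; compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), session_token.encode()):
        return 403
    return 200

# Constructed requests: the same forged settings change before and after the user has logged in.
FORGED_FORM = {"setting": "changed"}
FORGED_NO_LOGIN = {"Origin": "http://attacker.invalid"}
FORGED_AFTER_LOGIN = dict(FORGED_NO_LOGIN, Authorization=basic_header(ADMIN_USER, ADMIN_PASSWORD))
LEGIT_HEADERS = {"Origin": ROUTER_ORIGIN, "Authorization": basic_header(ADMIN_USER, ADMIN_PASSWORD)}
```

An XSS bug in the router's own pages runs with the UI's origin and can read the token, so these checks address the cross-site forgery half of the problem; the XSS half needs output encoding in the firmware itself.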

38 comments:

mblm85 said...

Hi, So all this does is to set an administrator password? If so, can't you alter your script so that routers with a password already set are left unchanged?

loz said...

"So we’ve decided to automatically update the password for everyone."

how are you going to do this? How do you know what my admin password is?!

Anonymous said...

What if we're not using the BeBox ?!

Anonymous said...

Anonymous, Then your password will not be changed.

Loz, They can roll this, as they have allowed certain IP's (Be* Offices) to connect to your BeBox.

Anonymous said...

I am using windows 7, How will this affect me?
I do not want mine changed.

Mark said...

Anonymous: This affects the router, not your computer. Basically, Be have a remote access interface to help with troubleshooting, to which only they have access. However, a design flaw in the router means that certain things on the router are not safe, so Be are disabling the entire interface and adding a password to the local interface as well.

Anonymous said...

Well if you disable the superuser account then I am not sure quite how they are going to access one's router! - Will be interested to see as I disabled the various superuser accounts a while back! :)

Anonymous said...

with any luck someone will hack the new be website as well. lets pray it goes back to the old one

Anonymous said...

From what I have read, the script will only select a random password for your BE box where the password field is blank - so if you don't want the password set by BE, set it yourself.

Anonymous said...

In the long run we’re working with Thomson to improve the firmware’s resilience to such attacks. << Tell them to allow running of a REAL firmware image such as OpenWRT :).

Anonymous said...

We have already had our router hacked 6 months ago and the tech team at BE said that it couldn't be the router's fault... not impressed

Anonymous said...

surely if BE can find the BE box number from each box, so can someone else too? surely most people put their own password in due to the publicity of people jumping on to ones broadband account. If the password is already changed would that not stop the hacker?

Anonymous said...

I did not get an email about this. I only found out via the Guardian online article. Had i not read it I would never have known.

Anonymous said...

Hooray for the comments page

Anonymous said...

From a very unhappy user - this unilateral behaviour is not acceptable. You are risking losing otherwise loyal customer goodwill ... and that way losing customers lies.

RobinR said...

Well I had a password already set and now I can't log on as Administrator. That's to be expected (now I've found out they changed my password... just took 24 hours of wasted effort to track down the cause) but I still can't log on using the Serial number of my box as Be suggest so God only knows what they've changed my password to!

DaveK said...

Well, congratulations Be for pissing around with my router and then making sod-all effort to let me know. You manage to text and e-mail me every month about my bill, but can't be bothered to e-mail me to let me know that you're going to change the password on my router. Did you guys not even contemplate what people might think if they tried to log into their router before checking the Be site? I spent ages trying to work out what the hell had gone wrong with my router and my password and why I could no longer access it. Your communicational handling of this has been frankly appalling Be and to say that I'm incensed about all the time I've wasted because of this is an understatement. Absolutely pathetic Be.

Phil Lowe said...

DaveK has summed up my experience perfectly. I have spent a good hour dicking around with my router. Fortunately I came across this post.

I AM ABSOLUTELY LIVID! No contact by email or SMS. Funny how your bill reminders never fail to get through. What an absolute shower of s... you lot are!

Anonymous said...

So we all spent hours trying to figure out what has gone wrong with our routers...Happy I am to know my pwd has been changed..but for God's sake WHERE IS THE EMAIL WITH MY NEW Login and PWD??????

That's totally ridiculous. As others say, you managed to send 10 SMS in a row for a billing notice and THAT hasn't even been documented...really pathetic

Anonymous said...

I'm NOT a happy bunny!

Mail? What email?

I've just spent 45 mins wondering WTF after noticing that MRTG had stopped logging.

Thanks Be for making me waste time looking into stuff only to find out I couldn't even log into my router. Then wasting even more time wondering what the hell had gone on

MAD!

------
BTW..

May be an idea to cater for your many Be users that don't have a TG585v7 too, because the instructions aren't the same for those with older Be Boxes.

--------

Someone needs a kick up the backside for doing this without notifying your users.
If you could take time to run the script why the hell weren't the emails sent out.

Anonymous said...

There are no technical or communication issues when I pay my bill every month, why did I have to waste an hour figuring this out this morning??

Geist said...

Same as everyone else Be, I've got an older router so I now can't access any of the settings, I'd switched my wireless setting off and now can't get access to switch them on.. And yes you should have emailed your customers before you altered anything.

Anonymous said...

Well, I think I share many of the same sentiments, XSS attacks are nothing new and pose little threat and while I chose to leave remote access to BE on my TG585 (concerned that removing this would be breach of my terms) I have had to modify my config on countless occasions to work around the buggy firmware.
I was left this afternoon after the script had run, with a crashed router and no idea what the password was. I have just wasted 30 minutes of my time thinking I've been hacked (and in a way I have, by my own ISP) until I reset my router and found this post! I shall be replacing BE's router with one belonging to me, in the hope that it is no longer meddled with.

Anonymous said...

I have my own private PW, then BE will change it to a box serial number, I will then have to read the box number to get in to my router and change it back to my private number. BIG DEAL. How does this merry-go-round exercise help security? I wonder. Will I be able to get into the router?

Anonymous said...

Wonderful! Now I can't access my router. I've tried "Administrator" as the username but the serial number on the box doesn't work as a password or leaving it blank. Now what?

Anonymous said...

Well thanks for the Email BE. One minute I could get into the Router, and the next I couldn't. I thought "WTF is going on?!", and thought I had my security compromised. So I did a factory reset on the router. What if I didn't enter a password for logging in, bad practice perhaps, but how are others to know there was an exploit due to the router? You think we're psychic? We don't read tea leaves, and it's not in the stars so wtf did you think you ought to do to get the message out ASAP?

How do you know routers have not been compromised already? No one would be the wiser without a password protected router. They may do the same thing I did and do a factory reset.

No warning, no email. I only came here to check the status of the service only to find you a*******s could not be bothered to send out a message that you were compromised, or that you planned to change the passwords.

F*****g disgusting.

Anonymous said...

A BIG WORRY!!! How the hell did BE get into my box without my PRIVATE PASSWORD? If you can then anyone can. Help us on this PLEASE.

Anonymous said...

What is the matter with you all? I had no problem with the log in changes and had on screen messages saying why the changes were taking place and I really don't even bother with computers, although I don't like the fact my password is automatic

Anonymous said...

Dear BE,

I am very unhappy with the way you have handled this situation. So first off all I did *not* receive any emails about you messing with the admin password on my router. I didn't get any blank email, it didn't go to my spam folder, I simply did not get any email. Instead I had to waste my time searching through your forums to find out why my admin password had stopped working. And why did I need my admin password - oh yes it was because my connection had gone down and I wanted to log in to the router to see what was going on. Searching your forums on a mobile phone is not fun.

Secondly, I had already set a secure password on my router, so why did you need to override that with a new password? Why couldn't you have detected where the default had not been changed and leave things alone otherwise? Are there any other settings changes that you've been making "for my own good" that I should know about?

And finally, you use *telnet* to administer these boxes remotely? Seriously? And you have the same remote admin passwords set on all these boxes? really? Can you guarantee 100% that your remote admin password has never leaked and that I won't find my settings being changed randomly by some bored 13 year old?

Adam said...

In BE's defence, yes they may be using telnet (an unencrypted remote shell protocol) however this is not over the public Internet. Providing these accounts are locked down to BE IP networks, this does somewhat alleviate security concerns while not entirely precluding them.

I imagine that the scripts are written using Expect and as such could have tested for the presence of an administrator password with relative ease; it’s a shame their author didn’t go the extra distance. As a former (and as of Wednesday, once again current) BE customer, I’m extremely satisfied with their overall performance. Let’s hope this represents a one off instance of them dropping the ball.

Anonymous said...

Thanks for that...
I have wasted god knows how many hours trying to work out why I had been locked out of my router.

Did you not think you should have told people [ adding a post to a blog does not count - you love to mail us and txt us the rest of the time so WTF ]

Couldn't you have had your script check if the password was still blank - you have not enhanced my security you have reduced it !!

can I presume that if I remove the hidden tech and BeTech accounts from my router this sort of unacceptable intrusion will be prevented in future

Anonymous said...

Adam,

I think you've missed my point. Sure their telnet connection doesn't go over the *public* internet, but they're still sending the password in the clear to devices residing on the edge of their network, without any guarantee that they are really connecting to one of their bebox router devices and not, say, a linux box setup to look like a bebox while logging the credentials supplied on any telnet connection.

It would be trivial for me to obtain the remote admin passwords, and then using something like source IP routing I could masquerade as BE tech support and do what I want to the routers belonging to other BE customers. My initial tests show that source routing has not been disabled on BE's network making this all too easy.

*sigh*

Anonymous said...

Only 13 days have passed before the arrival of the email informing of all this ... way to go Be! One cock-up after another *sigh*

Anonymous said...

I did not receive a message about this at all, only found out about this when I tried accessing my settings today, I disabled the wireless part of the box as soon as I got it, I don't trust wireless at all, I never wanted to use the crappy be box but was unable to configure my quality linksys router to work with be so I'm contacting linksys for help on setting it up correctly, gotta say I really don't like the idea of anyone other than me being able to change my settings.
Also had no idea there was a security flaw with this bebox, this is annoying.

Anonymous said...

I am surprised no one has mentioned the wide open security hole that a lot of the older BE routers (Thomson SpeedTouch) have. I noticed this only by chance after looking through the router logs and noticing several *successful* admin logins from IPs in the US.

If you back up your router configuration you will see a section called [ mlpuser.ini ]. There you should find a few lines like this:

add name=BeTech password=_CYP_d8b5399c8b961eca15a56b659c2ee622 role=TechnicalSupport hash2=cd4f202f8e92f7c11f40bc86fe66443a
add name=bebox password=_CYP_0fbd2e7e6dc947c44def9053fb79e8c8 role=root hash2=90960596e9eec3d017b31f6efb8892ea

If you use Google you'll find out that the password for BeTech is RemAcc and the password for bebox is bestar. Nice.

The default config also allows telnet/http access from everyone on the internet directly into your router. Nice feature hey!?

I would imagine that is what BEthere are finally getting around to fixing.

Have a look through your config if you can actually log into your router...

David Whitney said...

Seriously, an email would've been nice, but this really isn't that bad.

I couldn't log in to my router, I googled "BeBox password unexpected change" I landed here in about two clicks, problem solved.

It's better than inaction.

Tomek - sekretarz said...

Hi there,
I heard about that - but the problem is I can't log into my be box right now - because Administrator as a login and serial number of my box won't work!!!!
How can I fix that??

infodude said...

Hi,
I tried to log in to my box with the IP you gave on the previous page, however it says page not found, any help please?

Thanks
