Dear Mauritius Telecom,
I have been a pretty happy customer of your company for several years now. Apart from the phone line, I also had ADSL 512, which got upgraded to ADSL 1M, and I now have Fiber at Home. I am satisfied with the speed bumps, with the bonus that I was upgraded automatically and thus paid no extra fee on my subscription. For that, a very low bow of thanks. Furthermore, your FTTH landing page said that Fiber would be deployed in 2018 in L’Escalier, but I got it in August ’17. 🙂
But the same Fiber deployment, widely welcomed by the public as a sigh of relief, is now raising some eyebrows regarding the security flaws detected in the routers. You may have heard/read about them, but for the record I’ll link them below:
The bottom line of all this is, so to speak, open access from the whole world [an open telnet instance with default credentials], plus the default usernames and passwords [the famous telecomadmin], and the outdated packages running on the router [bftpd, CUPS, and the notorious dnsmasq; Bilaal’s compilation is quite a long one, and so is the one Jochen found].
Well, I know that it is too easy to just point out flaws without bringing solutions to them. I will try to give some below:
We will take into consideration that all the ONTs can be remotely controlled through the Huawei NMS and that contractors, not MT staff, are responsible for the deployments.
Solution No. 1:
- Prepare a script to be launched across the ONT network that will:
— Disable telnet access completely on all interfaces
— Change the default telecomadmin password. [You can use the Wi-Fi password printed under the boxes, as those are pretty unique and hard to guess]
- Schedule the script to be launched at some off-peak time and inform your customers about it.
- Launch the script and get your users at least that first barrier up and running.
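What such a first-barrier script could look like, as an added example that is not Mauritius Telecom's or Huawei's code. It targets a generic BusyBox/Linux CPE, so the file layout (telnetd respawned from /etc/inittab or /etc/init.d/telnetd), the presence of chpasswd and iptables, and the NMS dropping the per-device password in $ROOT/tmp/newpass are all assumptions to confirm on a test unit before a fleet rollout. ROOT lets the script be exercised against a constructed fake filesystem and DRY_RUN=1 records what would be done instead of touching the live box.

```shell
#!/bin/sh
# Added example (not MT's or Huawei's code): the "first barrier" from Solution No. 1
# for a BusyBox/Linux-based ONT. Paths, telnetd start-up method, chpasswd/iptables and
# the NMS-pushed $ROOT/tmp/newpass file are assumptions about the firmware.
# ROOT = prefix for a dry run against a fake filesystem; DRY_RUN=1 = record only.

log() {
    mkdir -p "${ROOT:-}/var/log"
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') $*" >> "${ROOT:-}/var/log/ont-harden.log"
}

# Step 1: disable telnet on all interfaces. Remove the respawn entry and the init script
# so it stays off after a reboot, stop the running daemon, and drop tcp/23 as a backstop.
disable_telnet() {
    inittab="${ROOT:-}/etc/inittab"
    if [ -f "$inittab" ] && grep -q telnetd "$inittab"; then
        grep -v telnetd "$inittab" > "$inittab.new" && mv "$inittab.new" "$inittab"
        log "removed telnetd respawn entry from inittab"
    fi
    if [ -f "${ROOT:-}/etc/init.d/telnetd" ]; then
        rm -f "${ROOT:-}/etc/init.d/telnetd"
        log "removed telnetd init script"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        log "DRY-RUN: would kill telnetd and insert iptables DROP for tcp/23"
        return 0
    fi
    killall telnetd 2>/dev/null || true
    if command -v iptables >/dev/null 2>&1; then
        iptables -I INPUT -p tcp --dport 23 -j DROP
    fi
    log "telnetd stopped and tcp/23 dropped"
}

# Step 2: replace the default telecomadmin password. Known defaults and short values are
# refused so a bad inventory row cannot silently leave a box on "telecomadmin".
# The password itself is never written to the log.
is_weak_password() {
    case "$1" in
        ''|admin|telecomadmin|admintelecom|root|password) return 0 ;;
    esac
    [ "${#1}" -lt 12 ]
}

set_admin_password() {
    user="${1:-telecomadmin}"
    pass="${2:-}"
    if is_weak_password "$pass"; then
        log "refusing weak or default password for $user"
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        log "DRY-RUN: would change password for $user"
        return 0
    fi
    printf '%s:%s\n' "$user" "$pass" | chpasswd
    log "password changed for $user"
}

# Post-check the NMS can collect after the run: succeeds only if nothing can respawn telnetd.
verify_hardened() {
    inittab="${ROOT:-}/etc/inittab"
    if [ -f "$inittab" ] && grep -q telnetd "$inittab"; then return 1; fi
    [ ! -f "${ROOT:-}/etc/init.d/telnetd" ]
}

main() {
    disable_telnet
    # per-device password pushed by the NMS (assumption); removed right after use
    pass=$(cat "${ROOT:-}/tmp/newpass")
    rm -f "${ROOT:-}/tmp/newpass"
    set_admin_password telecomadmin "$pass"
    verify_hardened && log "hardening complete"
}

case "${1:-}" in --apply) main ;; esac
```

Run it on the box as `sh ont-harden.sh --apply`; without `--apply` it only defines the functions, which is what lets it be dry-run against a fake root first. One caveat on the letter's suggestion: if the Wi-Fi key printed under the box becomes the admin password, everyone who is given the Wi-Fi key (every guest) also holds the admin login, so a random per-device value generated by the NMS is the stronger choice; the script accepts either, it only rejects known defaults and short values.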
Solution No. 2:
I can understand that you may not have support from Huawei for the routers, or that firmware upgrades are not coming soon.
Those boxes are simply mini-computers running some Linux/Unix OS; in Huawei’s case it’s their own VSR, but it can be remotely upgraded too. So we can upgrade the packages from the command line.
- Prepare another script that downloads the updated packages to the ONTs and installs them in place of the outdated ones.
- Set it to run at startup and delete itself after the installs.
- Again, schedule a maintenance downtime at off-peak times and get the script running.
- Thanks again!
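The one-shot update hook from Solution No. 2, as an added example that is not Mauritius Telecom's or Huawei's code. It assumes a Linux/BusyBox-based ONT on which the NMS drops a bundle directory (packages plus a SHA-256 manifest) in $ROOT/tmp/update, an opkg-style installer, sha256sum in the firmware, and the hook installed as $ROOT/etc/init.d/S99ont-update; all of these are assumptions to verify on a test unit. The part a practitioner would not want to skip is the integrity check: pushing unverified binaries to thousands of CPEs is a bigger risk than the outdated packages themselves.

```shell
#!/bin/sh
# Added example (not MT's or Huawei's code): startup hook for Solution No. 2 that verifies,
# installs and then removes an update bundle on a BusyBox/Linux-based ONT. The bundle
# location, the opkg installer and the hook path are assumptions about the firmware.
# ROOT = prefix for a dry run against a fake filesystem; DRY_RUN=1 = record only.

log() {
    mkdir -p "${ROOT:-}/var/log"
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') $*" >> "${ROOT:-}/var/log/ont-update.log"
}

# Step 1: refuse to install anything whose SHA-256 does not match the manifest prepared
# on the NMS, and refuse a bundle that carries files the manifest does not list.
verify_bundle() {
    dir="$1"
    [ -f "$dir/MANIFEST.sha256" ] || { log "no manifest in $dir"; return 1; }
    (cd "$dir" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1) || {
        log "manifest check failed in $dir"; return 1; }
    for f in "$dir"/*.ipk; do
        [ -e "$f" ] || continue
        grep -q " $(basename "$f")\$" "$dir/MANIFEST.sha256" || {
            log "unlisted file $(basename "$f")"; return 1; }
    done
    log "bundle verified"
}

# Step 2: install the verified packages; in a dry run only record what would be installed.
install_bundle() {
    dir="$1"
    for f in "$dir"/*.ipk; do
        [ -e "$f" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            log "DRY-RUN: would install $(basename "$f")"
        else
            opkg install "$f" || { log "install failed: $(basename "$f")"; return 1; }
            log "installed $(basename "$f")"
        fi
    done
}

# Step 3: one-shot semantics. Remove the bundle and the hook itself so the box does not
# re-run the installer on every boot.
cleanup() {
    rm -rf "$1"
    rm -f "$2"
    log "bundle and startup hook removed"
}

main() {
    dir="${ROOT:-}/tmp/update"
    hook="${ROOT:-}/etc/init.d/S99ont-update"
    if verify_bundle "$dir" && install_bundle "$dir"; then
        cleanup "$dir" "$hook"
    else
        # never retry a bad bundle, but keep it on the box so the NOC can inspect it
        rm -f "$hook"
        log "update aborted; bundle left in place for inspection"
        return 1
    fi
}

case "${1:-}" in --apply) main ;; esac
```

Installed as the init hook it is invoked with `--apply` at boot; without that argument it only defines the functions, so it can be dry-run against a fake root. A failed manifest check aborts before any package is touched, which is the behaviour you want when the same bundle is fanned out to a whole fleet.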
In my honest opinion, these two solutions can counter some of the flaws that have surfaced over the last several days.
The FTTH deployment program can be called a success, but now those issues need to be addressed. All those customers are at heavy risk. Nowadays, those Wi-Fi antennas, scripts and OSes to break into networks are too easy to grab. Once on the network, the default credentials can be used to access the backend Web UI, and God forbid what can be done! I’m just thinking about grabbing the VoIP credentials and making premium international calls. That would be quite awful, and not necessarily easy to trace back.
So, Dear MT,
I know simply talking from behind a screen is easy. But I also gave solutions. I also know that in the corporate world we have boards, decision makers, approvals, etc. Take the initiative as a responsible and respected ISP. Set the example. Work towards the true Cyber-Island of Mauritius and we will be forever grateful to you.
I thank you and await positive action from you guys.