Menatelecom MyFi Router Security Risk



Today I decided to try out one of those sites that checks what ports you have open on your connection (GRC). At the time I performed the test I was on my Menatelecom MyFi connection (reviewed here). Unfortunately their device has two risky ports open. One of them I guess they left as a backdoor for their support team to access and fix (or break) stuff. The other I have no idea why they decided to leave open.

Port 23

The familiar telnet port. On the Seowon Intech (SWU-8000) router it is used for administrative purposes, which is why I guess they left it open. I believe the majority of users will not change their device's admin password for two reasons: a) securing the wifi network on the router seems enough, since after all only those who know the key have access to the router; b) because of (a), why bother changing something that, theoretically, only you will have access to? Unfortunately, the default username and password combination is the same on all of their routers… If someone accesses your router's shell prompt they can literally do anything.

Port 53

It's used for DNS. However, you don't need it open to resolve queries on your network, but they left it open for no reason I can think of… So basically, the MyFi router is operating as a public recursive DNS resolver to the WHOLE Internet, assuming your IP is known (which is relatively easy to find). Apparently recursive DNS servers can be used to cause DDoS attacks and can have their caches poisoned.


Theoretically it is easy for someone to take advantage of these exploits. Just scan Menatelecom's IP ranges (easily obtainable), scan a single port (telnet), try to log in using the default authentication details, and you're in the router. Or log the IP as a known recursive DNS server. Since Menatelecom assigns static IP addresses, that IP is almost always guaranteed to be a recursive DNS server.

You can, right now, fix the telnet problem by at least changing the default password to the router's admin page. Once you log in to the admin interface (http://192.168.0.1), it is the last item on the menu bar, titled "Admin".
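A way to verify both exposures on your own connection, as an added example that is not part of the original post: run it from a machine outside your network against your own WAN address. The function names and the 203.0.113.10 documentation placeholder are assumptions of this example.

```python
import socket
import struct

def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_dns_query(name, txid=0x1234):
    """Build a minimal A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_flags(packet, txid=0x1234):
    """Return (recursion_available, rcode, answer_count), or None if not our reply."""
    if len(packet) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit clear (not a response)
        return None
    return bool(flags & 0x0080), flags & 0x000F, an

def is_open_resolver(host, name="example.com", timeout=3.0):
    """True if host recursively resolved `name` for us over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name), (host, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable: nothing answered
            return False
    parsed = parse_dns_flags(reply)
    # RA set, NOERROR and at least one answer means it recursed on our behalf.
    return parsed is not None and parsed[0] and parsed[1] == 0 and parsed[2] > 0

def audit(wan_ip):
    """Check your own WAN address from a host outside your network."""
    return {"telnet_23_open": tcp_port_open(wan_ip, 23),
            "open_recursive_dns_53": is_open_resolver(wan_ip)}

if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder; substitute your own WAN IP.
    print(audit("203.0.113.10"))
```

If either value comes back `True` after you have changed the admin password, the port is still reachable from the Internet and only the provider or a firmware change can close it.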

 

I hope they fix this somehow. They could push an update, but I think they have not configured that part of the router correctly. They could announce a recall and update the routers of each customer at their outlets. They could create a software package with the update (sort of like TFTP update executables used by some routers). Or worse, and most likely, they will simply ignore the problem. I hope it's not the latter…

