Re: Alcatel ADSL Backdoor

From: Cedric Blancher (blancher@CARTEL-INFO.FR)
Date: Fri Apr 13 2001 - 01:19:10 PDT


    On Thu, 12 Apr 2001 21:39:37 Spookah . wrote:
    
    > The machine has an account with full privileges with no password, so you
    > just call that a vulnerability?  Give me a break.
    
    When a telecom operator supplies you a leased line and has complete access
    to your access router, do you call that a backdoor? If this access has
    weak protection, do you call that a backdoor?
    
    > You say below the alcatel modems _can_ be accessed from the DSLAM via
    > this passwordless account, so of course there is a concern over spying.
    > If you were to sell adsl modems, why would you set up no password and
    > allow access from the DSLAM?  Can you think of any _real_ reason?  I
    > can't.
    
    Stop kidding me... Do you think someone who can gain access over DSLAM
    needs to get into your modem to spy on your activity? Do you think your
    telecom operator needs to get into your access equipment to spy on you?!
    As I do against access routers on which I do not have complete control, I
    have a filtering ruleset to restrict access from my LAN to my modem and in
    the other way.
    
    > My question is, what is YOUR definition of a backdoor as opposed to a
    > security problem.  Because an administrator account with no password
    > accessible by the DSLAM sure as hell sounds like a backdoor to me.
    
    A backdoor is for me a hidden access to an equipment for malicious
    purposes, such as spying purposes.
    As my telecom operator, from which I rent my ADSL modem, is able to make
    changes on it, I do know they have an access to it. What I did not know was
    that access was protected like this, and I thank Shimomura and Perrine for
    having raised that point.
    
    I do agree that Alcatel should give access restriction to network services
    that provide ADSL modem (or provide user documentation for those features),
    that Alcatel should enhance its security mechanism. I do agree there is a
    major security issue there. But backdoor, to my definition of backdoor,
    seems not to be the appropriate term.
    
    --
    Cedric Blancher
    System and network security consultant
    Cartel Informatique
    http://securite.cartel-info.fr/
    


