BENGALURU, Karnataka—If you’re an ACT broadband customer, make sure you change the default password on your Wi-Fi router right away, because your entire connection may be at risk. Security researcher Karan Saini told HuffPost India that he found a flaw in the security settings for ACT-issued routers, which can expose them to the open Internet. Since these routers come with the default administration password hardcoded, if a customer just uses it without making any changes, then anyone can log into the router and effectively take control of their Internet connection.
ACT is the third biggest wired broadband provider in India according to the Telecom Regulatory Authority of India (TRAI), behind only BSNL and Airtel, and it’s been growing fast, adding new cities and plans.
However, Saini found that the Bengaluru-based company has made some questionable choices when setting up the routers that it distributes to customers when installing new connections. At least two models of TP-Link routers, TL-WR850N and Archer C5 AC1200, as well as D-Link routers issued by the company, are set up in such a way that someone could easily gain access to the router management portal, block websites, steal login credentials or monitor Internet traffic passing through the router, he said.
The router is the hub that your devices connect to and through which all your Internet traffic passes. By gaining access to your router remotely, anyone can hijack your connection.
Saini found that the routers come with a password that’s hardcoded in (separate from your Wi-Fi password, which you use to connect your phone or laptop to the network) and unless the subscribers actively make changes—something that almost never happens—the password is common to thousands of devices.
Researchers at Ben-Gurion University found this to be a very widespread issue. Device manufacturers set these default passwords and then list them online for quick troubleshooting and setup; but that also means that these passwords can be found with a simple Google search.
“Getting a foothold into a home Wi-Fi network to infect devices with malware, all via a poorly-secured internet-enabled coffeemaker, might sound somewhat ludicrous, but it’s sadly entirely possible,” noted Maria Varmazis, writing for cybersecurity provider Sophos.
But Saini also discovered that ACT’s routers’ management portals are accessible through the open Internet, by anyone—leaving them vulnerable to attacks over the Internet.
“The reason behind this is unclear. My initial guess was that the routers that are publicly available must have explicitly changed settings to do so,” Saini said. “However, after traversing the Internet for public routers, this does not seem to be the case. Further, most routers I have come across in my search did not have any explicit settings enabled for allowing remote administration.”
Saini alerted ACT’s security team to the misconfiguration in December 2019, and HuffPost India has also contacted the company’s representatives, who acknowledged the report but did not respond further. HuffPost India has asked the company for a response, and will update this story if it does so.
UPDATE—The following response was received from the ACT Fibernet Team:
ACT Fibernet has always taken customer internet security very seriously wherein we have built a highly robust and secure network to safeguard our customers’ devices, data and other equipment. In light of the recent incident regarding a flaw found in the security setting of our company issued routers, we had initiated a thorough investigation on this matter and identified a security gap on select router models that could potentially expose these routers to unauthorized access. We would like to clarify that this incident was confined to a small segment of our customers who had not primarily changed their default router password and the same had been rectified a few days ago. Additionally, we have also implemented a vigorous round of customer education and outreach to assist affected customers in changing their router passwords.
The company also told HuffPost India that it has remotely locked access to the routers, so they can only be accessed by the customers directly, and that it has reminded all customers to reset their router management portal passwords.
Using the misconfiguration mentioned above, Saini was able to create a test script that can search through a list of Internet addresses and try to log in with the default credentials, and make a list of all the routers it’s able to track in this manner, along with the name of the network, and the computer-specific machine addresses connected to the network.
“Once in, an attacker could steal credentials which can be used to log into customers’ ACT accounts. This is particularly damaging since ACT does not allow users to change their account passwords,” Saini said. “Once compromised, an attacker will have persistent access to the victim’s ACT account. Alternatively, an attacker can configure their existing ACT Fibernet connection to instead use someone else’s credentials. This would allow an attacker to perform a DoS [Denial of Service, a common type of online attack], and/or exhaust the FUP [Fair Usage Policy, your data limit] on the victim’s connection.”
By doing this, they could use their own ACT line but be logged in with a victim’s ID, so the attacker could use the connection without paying.
That’s not all, though. The attacker could also “modify any given setting on the router, including DNS and firewall settings, parental and bandwidth controls, among other sensitive controls. An attacker could also forward connections to a server under their control, and start monitoring traffic that passes through,” Saini added. By doing this, an attacker would be able to track every site you’re visiting and build a detailed profile which could later be used to scam you.
According to the tests Saini ran, a total of 52,345 ACT connections were publicly accessible on the Internet. However, he noted that the test used to determine this number does not reveal the number of connections using the default password, and the actual number could in fact be higher, or lower—though it was likely to be somewhere around this benchmark.
However, this particular problem is just the tip of the iceberg. Cybersecurity firm Banbreach published research in 2018 showing that nearly 30,000 routers in India are infected with cryptojacking malware, which makes use of your network resources to mine Bitcoin and other crypto-currencies—essentially wearing out your computer, in order to make money for someone else. This number, Banbreach said, has more than doubled in a month, with the numbers in the top three cities growing by 500%.
Saini also warned that there’s no quick fix to this issue. “Since there may be no way of verifying customers whose routers might’ve been accessed by a potential bad actor, a reset would have to be performed for all users whose router management portals are—or were at any given time—publicly accessible.”
Saini added, “for mitigation, please immediately change your router management portal password, and block incoming connections on port 80.”