An Auckland man has discovered a security hole in two Dynalink DSL modem models that has allowed him to collect user names and passwords of more than 1000 JetStream subscribers.
Palmerston North modem importer Dynalink may have to contact as many as 3500 customers to warn them of a security flaw in their DSL modems. Computerworld reader Andrew Connell discovered the vulnerability late last week and has been working with Dynalink and its Taiwanese production partner to solve the problem. The flaw exposes the user name and password of JetStream subscribers with RTA020 and RTA210 Dynalink models to discovery by SNMP (simple network monitoring protocol) scans. Anyone with the log-in details could potentially use them to access the customer's account without their consent. Dynalink head Ian Ferry warns customers to upgrade to the latest firmware version to disable the flaw. "We've put a link to it from our website and we're going to talk to Xtra and maybe some of the other ISPs about how to contact the customers who may be using an insecure modem." Ferry says the solution isn't the easiest of installations. "The only real problem is if there's a power cut while you're doing it; there's nothing you can do to recover that. You'll have to contact us to sort it out for you." The latest version of the firmware, 126.96.36.199, will protect users of the RTA020. RTA210 users who have remote access enabled manually should either switch it off or upgrade to the latest firmware as well. Having remote access enabled will allow external users to see the user name and password as well. Connell, an Auckland software developer, discovered the flaw while setting up a Dynalink RTA020 modem on his home PC. As he monitored data throughput on the device using SNMP, he was surprised when it reported back his user name and password. Knowing that such details should not be so readily accessible, Connell wrote a script that scanned blocks of IP addresses to see whether other Dynalink modems on the internet were similarly open to inspection. According to Connell, user names and passwords for about 1000 DSL subscribers of a number of ISPs, and using Dynalink RTA020 and RTA210 modems, were returned to him. "It's a small script that just asks if they're running this modem and if it doesn't hear anything it goes on to the next one. If it does it asks to see the user name and password and that's what it gets." Computerworld contacted two organisations that appeared on Connell’s list and both were dismayed that their details had been discovered. Air Vanuatu's Auckland office is one of those Connell stumbled on. Consultant Jonas George confirms he uses a Dynalink modem to access his Xtra DSL account. "We weren't aware. I thought these things were supposed to be secure." Queenstown car sales company Alpine Motors also has one of the modems. Told that Connell had uncovered his log-in details, owner Jimmy Allen said “that's fantastic, isn't it? Bloody marvellous." Connell says he had no malicious intent in searching out the user names and passwords, and had not made any attempt to use the details for fear of falling foul of hacking laws. He says he doesn't know how deep the access goes. "I'm not sure if the ISP would allow two simultaneous connections from different places or not. I haven't tried it, but you could potentially pretend to be the subscriber, check their email, send email and use their traffic allowance."