CERT (the Computer Emergency Response Team at Carnegie-Mellon University), has discovered four security “holes” in the Alcatel Speed Touch ADSL modem and Alcatel’s 1000 ADSL network termination device. An intruder using Telnet, Trivial File Transfer Protocol (TFTP), normal FTP or http can exploit the hole to introduce his/her own password or modify the modem’s software or firmware. A remote attacker may be able to install custom firmware that operates as a DDoS (distributed denial of service) client or a network sniffer or disable the modem completely, CERT says. One problem relates to Alcatel’s decision to ship the modems without a default password. Alcatel says this is a human not a technical problem and can be fixed by introducing a password. The modem cannot be attacked from outside unless a Trojan horse such as Back Orifice has already been sneaked into the system says Alcatel. However, an unscrupulous employee may more easily be able to change the configuration of the modem, according to Renaud Deraison, principal developer of Nessus network security software. Ironically, other faults lessening protection arise from attempts to help users. The modems are accessible through a LAN for centralised management of software and firmware by the company’s IT team. If the LAN is in turn connected to the internet, the modem can become accessible to external users. Some modem users provide their internet service providers with access, to run upgrades. This opens the modem to the TFTP intrusion type, but only by someone with physical access to the wire on the WAN side of the modem, Alcatel says. The TFTP bug requires enablement of an “echo” facility. The default installation of most popular operating system does not include this facility. Alcatel enables “expert” access to the modem for maintenance engineers to make more fundamental changes. The password for this access is easily decrypted, Alcatel acknowledges. The solution to this could be to train technicians to install the modems with a password. Alcatel says it has remedies for the other faults under development. A spokeswoman for Alcatel in Sydney says none of these devices are in use in New Zealand, though there are some in Australia. Particulars of the faults may be read at here; the relevant index numbers are VU#211736, VU#243592, VU#212088 and VU#490344.