TR-069 with Routers – Informing Isn’t Always Best

So I first came interested into “router hacking” in the past few weeks, I’m going to have future posts on my findings because it’s such an interesting area that I don’t think enough people look at. I first started getting interested in analysing routers and dissecting the inner workings of them when I was watching a DEFCON 22 talk on the TR-069 protocol. If anyone hasn’t seen it, I have it below. The TR-069 protocol allows your ISP to interact with your CPE (Customer Premises Equipment), essentially your router. One of the big things it’s used for is upgrading your firmware on your router, can we see something wrong with that?

What struck me was the silent update of firmware. I can tell all UK residents, all major ISP’s use TR-069 for firmware upgrades and most do not use SSL, straight up plain text. That’s right, on my ISP (which I will not name ;)), all TR-069 requests are done via HTTP. I had some fun with TR-069, but as the speaker says in the video, there isn’t too much on it. A lot of the content available for TR-069 on the internet is specification based, but misses vital information that users may need and so wasn’t the most forgiving thing. I got requests working from the TR-069 server from my ISP, but was unable to retrieve a firmware image from the ISP.

Winning at TR-069. TBH, this is what you see when you enter nothing.

The first reason I can think of why they do not wish anyone to view the firmware is security, there are a lot of vulnerabilities in various pieces of firmware, well documented around the internet. Routers are basically the father of the IoT, the opening of what seems to look like a security apocalypse in my view. Silently updating any machine is a scary thought, especially when it’s in conjunction with hardware, software on the other hand that silently updates has constant watch from AV’s or other security features of an operating system.

The TR-069 feature on my router has some very simple features such as login credentials, one thing to notice is that the password field is pre-filled out. The defense towards this thing is pretty trivial, you could just simply edit the HTML form to send the data to another site or just simply edit the URL that’s nicely pre-filled for you. The periodic inform was set to 24 hours, my ISP TR-069 server will have a callback from my router, among others informing back. The periodic inform is set to 1 minute as I was debugging it with my own make shift ACS server (totally not a single PHP script). I have TR-069 disabled on my router now, I don’t like the idea of informing my ISP.

That’s a scary thought when you look at what can be included in commands for TR-069. Looking at this document on page 95 you can see that the ACS can ask CPE’s (Customer Premises Equipment) to download firmware, you look further down the page and there’s various parameters, I’ve checked the document a few times but found no hash checking or any sort of validation that the file you received is the file you originally was asked to download. I think we can all understand where I’m coming from here, it’s not too far fetched either. I know, I know, it’s relatively easy for me to say SPY AGENCIES EVERYWHERE. But it has potential, routers are the gateway to our internet, every device we use that uses our internet will feed back to this single machine. To me, I see that as a great attack vector for agencies, especially when ISP’s give beta programs to firmware upgrades.

Looking at this page we can see potential targets for MiTM attacks, BT being the largest ISP. It seems with BT, they have implemented SSL (congrats, you are part of a select group of ISP’s who have a brain). Potentially SSLstrip could be used against this so that HTTPS would be reverted to HTTP, but even if HTTPS was forced upon the user with no option, why not just get the ISP to do it?

It seems like a few months back everyone was a bit paranoid like me and didn’t seem to like the idea of TR-069. And someone responded with this on reddit.

There’s a big difference between having functionality to download firmware for the increase of security and having functionality that downloads firmware which can decrease security. Not even being asked whether you would like CWMP enabled on your router is a start, in the UK you can be asked if you wish to have a parental lock on questionable material. This is something I’d like to see be implemented easily for when you first setup your router (not many people go into the router gateway), the ability to change the periodic inform would be nice too.

I thought I would have a further look into the protocol in question and decided to, much like the dude in the video, have a go at some requests. I didn’t get very far, but I got some basic information which I think is fairly important. The information obviously is different with every single device and the specification of the ISP, but I thought I’d look into it, I was genuinely interested to see what information was given away, at least, the initial part anyway. So from one of the previous pictures we saw I changed my CWMP URL from my ISP’s to an internal IP so that I could now read what my router was sending to my ISP (remember there’s more commands to pull more information, just an initial request.)

I used a simple PHP script to grab the headers and the data it would be sending. Here’s what it looked like:

$gets = $_SERVER[‘QUERY_STRING’];
foreach (getallheaders() as $name => $value) {
$fp = fopen(‘data.txt’, ‘a’);
fwrite($fp, $name.”-“.$value.”\r\n”);
fclose($fp);
}
$f = file_get_contents(“php://input”);
$fp = fopen(‘ivegotmydatazz.txt’, ‘a’);
fwrite($fp, $gets.”\r\n”);
fwrite($fp, $f.”\r\n”);
fclose($fp);

This will be basically grabbing anything that it will be trying to send, I would then log it down and review it later. The first things it would sent would be about your device.

<DeviceId>
<Manufacturer>Huawei Technologies Co., Ltd.</Manufacturer>
<ProductClass>REDACTED</ProductClass>
<SerialNumber>REDACTED</SerialNumber>
</DeviceId>

Pretty simple to see from this request. What manufacturer this device was from, the specific product model and the serial number. The serial number to me doesn’t really need to specified at all. The serial number can be a way of uniquely tracking you.  The next interesting part is what it sends in the device summary;so it gives a time (which is 2000, apparently to my router), your hardware version and your firmware version and then we get to the end of the device summary.

<Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
<Value xsi:type=”xsd:string”>http://[IP]:7547/pinqobnfibxbs</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.ExternalIPAddress</Name>
<Value xsi:type=”xsd:string”>[IP]</Value>
</ParameterValueStruct>
</ParameterList>

Another great way we can track, correlating the external IP and the serial number will mean anything you access with your IP within 24 hours can be pointed to you. Something you may want to look at when you have CWMP enabled on your router. As well we have a connection request URL, which has the port and URI randomised everytime. In another post I’ll be looking into firmware of routers and other devices and wanted to show a protocol for routers first.

I personally have disabled CWMP and think many should too, while I understand the technical frustrations an ISP may of had when asking a user to update their firmware, that does not really excuse, for me some of the information provided back to the server and the amount of time it’s given. As a person interested in technology it’s easier for me to snub my nose at this feature of a router and many would defend it as a triumph. But I, as do many, will always feel paranoid of such a feature within a router.