SDSC: Alcatel modem has security flaws
San Diego Supercomputer Center researchers say they've found security flaws in Alcatel's Seed Touch ADSL modem.
In an alert, researchers, part of a University of California at San Diego division, note the modem actually is an ADSL-Ethernet router/bridge and the flaws "allow intruders to take complete control of the device, including changing its configuration, uploading new firmware, and disrupting the communications between the telephone central office providing ADSL service and the device."
Not enough? The report also says the flaws allow such "malicious actions" as changing configurations so it can't be accessed, disabling it temporarily or permanently, and allowing installation of malicious code, such as network sniffers.
"One of the more interesting discoveries was a cryptographic challenge-response back door that completely bypasses any password that a user may have set on the device," the alert says.
"In addition, the Alcatel documentation is silent on several interesting points, and ADSL providers have been known to set the user mode password from its default … but refusing to disclose this password to the owner/user of the device (which SDSC calls a 'bad thing')," the report says.
A second alert, from the Computer Emergency Response Team, details the flaws.
Alcatel had no comment yet, spokesman Brian Murphy told CEDaily, but the company was working with CERT and has an address on CERT's site that users can follow to find advice, he says.
Researchers say all testing was done in LLC/SNAP bridge mode, and routing mode was not tested.