ZyXEL disputes Irish hacker’s claims about DSL modem exploits

9 Feb 2012

Broadband modem maker ZyXEL today hit out at claims by an Irish software programmer and amateur hacker that its P-660 router can be hacked by a “pwnage” exploit.

ZyXEL said today it disputes claims in a blog by Ross Capolet referring to an exploit called RouterPWN v:1.3.138 that allows several methods of hacking routers and modems, including its P-660 router.

Canpolet suggested that the exploits left a large number of modems in use by Eircom customers open to attack.

“ZyXEL would like to confirm that there is absolutely NO security issue with our P-660 router. The vast majority of our routers throughout the UK run an operating system called ZyNOS, our proprietary Network Operating System. 

“Our team of technical consultants have run a series of tests this morning using ZyNOS system and have shown that the claims made by Canpolet and ‘The Insanity Pop’ are not true and totally unfounded. All of ZyXEL’s products have robust security solutions in place to prevent against any security breaches.”

Siliconrepublic.com spoke to Alan Turner, a technical consultant for ZyXEL who performed a number of tests based on Canpolet’s claims.

Turner said the exploit is physically impossible. “You cannot do it from the internet side as he’s describing it. The links in Canpolet’s blog claim you can do it via the internet but you have to have access to the local area network in the first place. I would be surprised if any other vendor makes it possible to access the router’s software via the internet.”

Canpolet’s blog claimed he was able to test three different exploits on his own router that enabled prestige unauthorised reset, ZyNOS configuration disclosure and prestige privilege escalation.

“It is possible that Canpolet was able to change the settings on his own router because he had LAN access to it. But even after that you are still challenged for the password.”

Details of ZyXEL’s tests

ZyXEL submitted the following account of its tests:

The ZyXEL technical team this morning analysed how this supposed attack took place. In the first instance, the exploit attempts to access various web pages within the router’s Graphical User Interface, eg:

 –        Prestige Unauthorized Reset
·         ZyNOS Configuration Disclosure  
·         Prestige Privilege Escalation
·         Prestige Configuration Disclosure

With ZyXEL routers, this isn’t possible because all management interfaces are disabled from WAN (internet) side access. If you attempt to access these pages from the WAN side then the router doesn’t respond.

An end user is able to lower the security of their router by making configuration changes:

–        Set Remote MGMT to WAN & LAN/All
·       Disable firewall or make a firewall rule to permit WAN to WAN/Router access 

If an end user does go ahead and alter the router settings then that does leave them more at risk to a potential hack. Even so, in this event, a hacker will still be directed to the login process where they have to input the correct admin password. The end user is advised on the Graphical User Interface page where these changes are made that this password should be changed before enabling any remote access.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com