Many operators who provide not only mobile but also fixed services to their subscribers are deploying FTTH (Fiber To The Home) services where the subscriber connects to the operator’s fiber network using an operator provided ONT (Optical Network Terminal). From a logical point of view, the ONT is similar to a DSL modem connected to a wireline network, and provides the customer with Internet access through the operator’s network, as well as optional additional services (such as IPTV).
In a recent engagement for a North American carrier, The Telecom Defense Limited Company conducted a vulnerability assessment against the ONT device (manufactured by a mainstream vendor) that the carrier deploys at each subscriber’s residence.
A vulnerability was discovered in the ONT’s configuration which led to the auditor accessing the entire management network of the carrier through the ONT. On the management network, the management interfaces of several billing nodes and IP switching and routing nodes were reachable.
After further work, it was possible not only to access/compromise billing nodes (exposing billing records and customer CPNI, and possibly allowing modification of billing records) but also to gain administrative access to the core IP router (again from a mainstream vendor), enabling a potential total DoS of the network as well as interception of customer data traffic.
The above example illustrates how important it is for an operator not only to test the external interfaces of its network for vulnerabilities, but also to test any devices with privileged access to the network, such as ONT devices, DSL modems or femtocells, to ensure that these cannot be used by an attacker as a bridge into a privileged area of the network where wide-ranging attacks can be executed.
The Telecom Defense Limited Company’s ONT vulnerability assessments are unique in the industry because they use advanced hardware attack methods (such as physically extracting firmware from onboard EEPROMs) when necessary in order to attempt to compromise ONT devices. This allows us to compromise devices that have previously been declared secure by traditional interface-based tests.