Packet One has a backdoor too

The big tech (and privacy!) news of yesterday was the exposure of a second super administrator access to Telekom Malaysia’s Unifi (HSBB) service. First discovered by rizvanrp and posted to lowyatt.net, the finding exposes the existence of a second level of access, and shows how to trivially guess the username and password used to access it.

As expected, there was an outcry from Unifi users (all 1,700 of them) about this possible invasion of privacy. While TM must be commended for responding quickly to this with a solution which seems fair, it highlights the lack of care when it comes to security by service providers.

It is highly irresponsible to deploy edge and access networking equipment on customer premises, with a direct connection to their internal LANs, and allow this backdoor to exist, especially since the authentication credentials are default across all installations and easy to guess.

Remote access definitely simplifies remote management and maintenance, but this flexibility must be limited by security policies which protect both the Unifi network and the customer’s data infrastructure.

However, this policy of having a second super administrator account which is hidden from users is not exclusive to TMNet. Packet One does the same thing for the CPE WiMAX modems they deploy in homes and offices too.

In my private email correspondence with them, I’ve asked for this access to be given to me. Their initial response was to stall and refuse, but after multiple complaints about their service quality (or lack thereof!), they finally relented and instead created a specialized access profile for me. However, this in no way is as complete and comprehensive as the super administrator access which they have refused to give up.

One wonders about the real reasons why they keep this hidden from users, and their refusal to allow users access into a device which sits on a private LAN infrastructure. Does Packet One also claim this for maintenance reasons? If so, why not use monitoring solutions which are SNMP or agent based instead of directly logging in? Isn’t the very existence of this super administrator account a security loophole, open to abuse both by personnel within Packet One and by anyone else?

For the record, this super administrator access is possible with some rudimentary technical manipulation of the boot process of the CPE WiMAX modem by technically savvy individuals, so in essence it really doesn’t do much to prevent ordinary users from getting to it.

Perhaps it would do Packet One some good to take a leaf out of TMNet’s handling of this issue and come clean, before this situation blows up into a full-fledged security incident.

Dare we hold our breath in waiting for them to respond?

4,187 Responses to “Packet One has a backdoor too”

  1. Personally, I think people should worry more about what they put on Facebook!

    • Dinesh Nair says:

      At least that’s voluntary information disclosed. The existence of these super administrator accounts on Unifi and P1 WiMAX allows ISP personnel and perhaps the general public to spy on all traffic from users, be it to Facebook or anything else like emails. It’s not the same, mate.
