MGTS Moscow City Telephone Network
Comment: I won’t be lazy and leave my review about the miracle employee from MGTS. The Internet did not work on all our devices. I loaded almost nothing at all. Speed - 1.92 MB/sec (I attach a screenshot). This went on all evening and for another half day. Then it jumped - then 20 MB, then again 1-3 MB. They called. We were politely told that the problem would be fixed. An employee was sent upon request. Actually, this employee himself is the company’s problem, even greater than the slow Internet. He calls on the phone and lazily says: what do you have there? Well, okay, I’ll get there and change the box, but keep in mind that nothing will work faster for you. It was clearly felt that he was simply too lazy to follow up on the request at all, but it’s easier to say that the speed from MGTS of 1.92 Mb/sec is, in principle, the norm :) This frame arrives singing a song. Our router is installed above the front door, where MGTS employees initially installed it (a couple of meters from the rooms, in the middle). And he says: “So what? Do you want something to catch in your rooms? You won't have any fishing anywhere. Only here, right under the router, in the corridor.” Everyone just laughed as I told it)))) There are only a few questions: 1) why do we need such a router that can only detect when standing directly under it? 2) and those MGTS employees who initially installed it there - what happened then? This “Vasya” could not answer any of these questions. But then the circus continued. He started asking me: “What wires are these?” Why, it’s not destiny to call to find out?” - that’s what he tells me. And there were their own wires hanging there, from MGTS TV, which, apparently, were installed as a package, but we don’t use them. And not only could he not distinguish them, he also rudely suggested that I call someone and find out. 
It’s not worth talking about the fact that also, even over the phone, just so as not to go through the application process, he tried to generally promote the purchase of new equipment. That is, he, apparently, also tried to try this version: to say that we probably have all the equipment (and we have 7 devices, 2 of which were purchased quite recently, and at a considerable cost) - all the equipment is simply not suitable for their Internet, therefore the speed is 1.97 MB. And simply, you need to change all the equipment. Me and my retired parents. And this despite the fact that last month my mother also bought herself a new phone at a cost of about 7,000 rubles. Of course, we ran to do it. Let's throw out all the equipment, in the hope that the new one will definitely be fine. And I will also emphasize (as I told him about) that with the same equipment, our Internet flies anywhere other than at home. In other apartments, with friends, relatives, anywhere. At home, and even standing under the router itself (which we also tried) - this was the speed of 1.97 MB. But that’s not what outraged me. And the employee himself. It was necessary to recruit such personnel into the staff. Moreover, the employees on the phone are adequate (at least with a basic culture of communication), just like those who came before. Also, this employee tried to run away as quickly as possible, he was so reluctant to do this work. He didn’t even bother to check anything on our devices, I literally tried to check it myself (until he ran away, standing at the door under the router) and show him the speed. I didn’t leave the box from the new router, just some kind of package, without a password, and the serial number, as it turned out, did not match what was written on paper. He said the password almost as he was leaving, and when I asked again, he said, “What’s unclear?” - That’s exactly what he said. That's why I'm writing this review. 
The person is inadequate, unprofessional, and apparently offended by life. Well, to top it all off, I’d also like to note that this employee, also over the phone (without even getting there and without checking anything, but simply because he was too lazy to follow up on the application) - directly suggested that we simply change the provider. That is, he says: well, if it worked well with the old one, go back to it. Thanks for the advice, we really will probably do just that))) This is how MGTS employees work. Not all, but just one of these is enough - and all desire to connect to them will disappear.
MGTS GPON subscribers are under threat of hacking: new networks, new problems
Introduction
In the capital of our vast Motherland, a project of unprecedented scale is underway: MGTS is rolling out GPON technology under the banner of fighting copper wires and bringing affordable Internet access to the population. The number of MGTS subscribers in Moscow exceeds 3.5 million, and the assumption is that all of them will be covered. The idea is wonderful: optical fiber to every apartment, high-speed Internet, free connection and a Wi-Fi router as a gift (though officially without the right to reconfigure it, but more on that later). The implementation of such a large-scale project (a similar device is installed in every apartment that has at least an MGTS landline telephone) was, as usual, not without planning holes that could prove costly for the end user. Our company became interested in the information security of this project’s clients and conducted an express study. We are publishing the results to inform the public about the existing threats and the measures that can be taken against them at home.
Life in the palm of your hand
The threats turned out to be neither illusory nor insignificant but systemic, and the risk potential is difficult to overestimate. I want to warn happy MGTS subscribers about the threat to their privacy, which is hidden not only in the ZTE ZXA10 F660 router kindly and forcibly donated by the provider (the less vulnerable Huawei HG8245, also installed for subscribers, is still in no way protected from “default settings”), but also in the way subscribers are connected to the new communication lines. This is what the operator-installed equipment options look like:
Less dangerous Huawei HG8245
Much more leaky ZTE ZXA10 F660
There are several problems here of varying degrees of danger; some you can solve on your own, while others you can only be aware of. Let’s list the main points that will help an attacker hack your home network (provided that you are an MGTS Internet subscriber):
- The Wi-Fi password is your phone number (during the study we also encountered lazy installers who left the router’s MAC address without the first 4 characters as the password). This means that cracking the Wi-Fi password by brute-forcing a captured handshake with the mask 495?d?d?d?d?d?d?d will not take much time: it is a matter of minutes, and the attacker does not need to stay near the target the whole time. It is enough to intercept the moment a subscriber’s wireless device (smartphone, tablet, laptop) connects to the router; the rest can easily be done on a home computer. This miscalculation by the operator at the connection stage is a gaping hole that opens the home networks of millions of subscribers to attack. The problem can only be solved locally, by changing the access point password yourself to a more secure one. The next vulnerability is much more serious, because the subscriber simply cannot do anything effective about it on their own.
- This is a vulnerability in the WPS wireless configuration technology, which is enabled by default on ZTE ZXA10 F660 routers. With the organizational miscalculation that compromised user networks at the password level, an attacker cannot hack subscribers en masse and has to deal with each one separately; by exploiting the WPS vulnerability of this router model, network hacking can be put on a production line. The technology works as follows: a WPS connection uses a PIN code consisting of 8 digits. When the router receives the correct PIN code, it gives out the real Wi-Fi password. Not only can this PIN code be cracked with the well-known Reaver tool much more efficiently and quickly than a complex WPA2 password, but the main problem is that it is the same for all ZTE ZXA10 F660 routers! Moreover, it can easily be found on the Internet in 10 minutes. I repeat: knowing this PIN code (which cannot be changed or turned off), within 3 seconds an attacker obtains the real Wi-Fi password, whatever its complexity and encryption type, or connects directly to the subscriber’s network. Thus the “lucky” owners of this particular model (and the operator has only 2 models, so the chance is 50/50), even if they set an impossible-to-crack password for the wireless network, will still be hacked in less than 5 seconds because of the imperfection of the technology.
What are the consequences for the owner of WiFi hacking?
Let’s leave aside platitudes like “free Internet”, this is not the 90s and people with gadgets usually have enough access to the Internet. So what are the threats? Let's list the most obvious ones:
- Interception of subscriber traffic, theft of passwords for email services, social networks, messaging programs and other confidential data.
- An attack on the computer of the access point’s owner in order to gain access to the user’s files, view web cameras, and install viruses and spyware (as a rule, home PCs are much more vulnerable to attacks from inside the network than corporate machines: weak passwords, irregular updates and open resources are traditional here).
- Wiretapping of telephone conversations. (Yes, with the switch to unsecured SIP this is easier than ever.) Now not only intelligence agencies but also a curious neighbor (or maybe not a neighbor) can record your conversations on a city number, because the new telephony technology works over the unprotected SIP protocol. All the tools needed to quickly intercept and record conversations have long been publicly available.
- Theft of a telephone number: by slightly changing the router software, an attacker can find out the password for the SIP account and use it to make calls on behalf of the hacked subscriber. This is not only a potential direct loss for the owner of the number, but also an opportunity to cause much more serious damage by using the number of an unsuspecting citizen for blackmail, terrorist contacts, or to frame the owner, for example by using this number to report a bomb to the police.
- Creation of a large botnet (the number of MGTS subscribers in Moscow is 3,504,874) with the potential of each connection being 100 Mbit/s. Yes, this will require an army of lemmings, but as everyone knows, hordes of biological bots constantly live on various kinds of “vats”, which are regularly attracted by interested parties to various Internet actions, usually of a sabotage nature.
- Using a random (or non-random) network to anonymously upload prohibited materials to the Internet (Can you guess whose door they'll knock on?).
Protection measures
What can you do to protect your privacy in such a situation? There is little you can do yourself, but these are mandatory steps for anyone who does not want to become a victim of a poorly thought-out operator campaign. We will need the router passwords, which are easy to find on the Internet. Write them down:
- Access to the web interface of the ZTE ZXA10 F660 router – login: mgts, password: mtsoao
- Access to the console via Telnet protocol – login: root, password: root
- For Huawei HG8245: default address is 192.168.100.1, login: telecomadmin, password: admintelecom
- Through the web interface, be sure to change the password for the access point and its name (the MAC address will still indicate that it belongs to MGTS clients, but renaming the point will reduce the likelihood of matching a specific Wi-Fi signal to a specific apartment)
- Owners of the ZTE ZXA10 F660 should disable Wi-Fi functionality using the button on the device. At the moment, this is the only way to protect against WPS hacking.
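When choosing the new access point password, it is worth checking that it does not fall into either of the operator patterns described above (phone number, or MAC address without the first 4 characters). The sketch below is an added example, not code from the original article; the function names and the guess rate of 100,000 per second are assumptions, and the sample passwords and BSSID are constructed.

```python
import re

# Assumption: offline guess rate against a captured WPA2 handshake.
ASSUMED_GUESSES_PER_SEC = 100_000


def audit_psk(psk, bssid, phone_prefixes=("495",)):
    """Return [(finding, keyspace)] for the weak patterns the article names."""
    findings = []
    mac = re.sub(r"[^0-9a-f]", "", bssid.lower())
    compact = re.sub(r"[^0-9a-z]", "", psk.lower())

    # Pattern 1: the subscriber's phone number (mask 495 + 7 digits).
    if any(re.fullmatch(re.escape(p) + r"\d{7}", psk) for p in phone_prefixes):
        findings.append(("phone-number", 10 ** 7))

    # Pattern 2: router MAC without its first 4 characters.
    # Assumption: the broadcast BSSID equals that MAC, so nothing to search.
    if len(mac) == 12 and compact == mac[4:]:
        findings.append(("mac-suffix", 1))

    # Generic fallback: any other all-digit passphrase.
    if not findings and psk.isdigit():
        findings.append(("digits-only", 10 ** len(psk)))
    return findings


def worst_case_seconds(keyspace, rate=ASSUMED_GUESSES_PER_SEC):
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace / rate


if __name__ == "__main__":
    bssid = "AA:BB:CC:DD:EE:FF"  # constructed sample BSSID
    for psk in ("4951234567", "ccddeeff", "12345678", "tram-Violet-93-kettle"):
        results = audit_psk(psk, bssid)
        for name, space in results:
            print(psk, name, f"{worst_case_seconds(space):.0f}s worst case")
        if not results:
            print(psk, "no operator-default pattern matched")
```

An empty result only means the password avoids these specific patterns; it says nothing about the WPS issue, which is independent of the password.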
Unfortunately, at best only a few percent of the 3.5 million users will take these measures. The majority will never know about this article and will remain vulnerable to a real threat for a long time, until something or someone forces the operator to spend a lot of money and take centralized measures to correct the technical and organizational shortcomings of the project.
Conclusion
What conclusions can be drawn from all of the above? The most disappointing ones: the largest GPON implementation project (I repeat, we are talking about 3.5 million subscribers!) was carried out without consulting information security specialists, or those consultations were completely ignored during the implementation itself. Phone-number passwords, WPS left enabled with a single key, unprotected SIP telephony, and passwords extracted from the web interface are the result of a weak organizational component and complete disregard for basic information security standards. I am sure that MGTS is far from unique in such miscalculations; many smaller network service operators find themselves in the same situation when it comes to protecting their subscribers’ data, but the scale of the problem this time exceeds all imaginable boundaries.
Official reaction of OJSC MGTS
We, as ethical security researchers, are interested in a quick solution to the problems raised above. Unfortunately, our concern found no response in the hearts of the press service of OJSC MGTS, whom we tried to reach through all available channels. We received only one response: through Facebook, a press service employee assured us that we could publish the existing material with a clear conscience, and that afterwards, when answering questions from the press, they would assure everyone that subscribers are safe and their data is confidential.