[ale] Hawking Technologies HAR11A router considered insecure

Charles Shapiro charles.shapiro at nubridges.com
Fri Oct 22 09:41:41 EDT 2004


The Hawking Technologies HAR11A modem//router is shipped insecure.  It
suffers from the infamous Conexant security hole (
http://www.chiark.greenend.org.uk/~theom/security/origo.html ). You can
find lots of references to this in a google search for "conexant port
254". This is the router which Speedfactory.net currently ships to new
residential customers who buy a router as part of their service.

You can see the Hawking Technologies HAR11A (picture:
http://www.hawkingtech.com/images/productlg/HAR11%20View.jpg ) security
hole by using telnet(1) to connect to port 254 on it. When you do, you
will find an undocumented management interface which allows you to see
connection statistics without a password. Visible menu choices on the
interface also allegedly allow  you to change parameters on the router,
but I don't know if they actually work without a password, or if the
password used here is the same as  the one assigned to the modem's
browser interface. I suspect that the same hole exists on the HAR14A,
but I don't have a sample to test. If you have this model (picture: 
http://www.hawkingtech.com/images/productlg/HAR14%20View.jpg), I'd love
to know if it has the same Troubles as the HAR11A.

You can close the security hole from the internet side by using the
"Virtual Host" feature in the modem's browser interface to forward ports
254, 255, and 23 to a nonexistent host (such as "10.0.209.5").  This
still allows access from the firewall side of the modem, however.
The safest thing to do is to put the modem into 'bridge mode' and do 
all your NAT, PPPOE, and security from your linux firewall.

I found out about this hole shortly after getting broadband networking
into my house. When I ran nmap(1) against my home IP address, I
discovered that ports 254,255,and 23 were open, and when I used
telnet(1) to connect to them, I found the management interface described
above. After I doused the fire in my hair, I found that this was unknown
to Speedfactory's tech support folks.  Hawking Technologies has promised
a patch for 20 October, but I haven't seen it yet on their site. 
You can keep an eye out for it  at http://www.hawkingtech.com. 

If you own one of these modems, you should at least make sure that the
security fix described above is in place. Without it, you could lose
your broadband connection without warning when the modem's power
cycles.  If you do not have got good records of what settings were in
the modem when it was working, you may find it difficult to fix the
problem. 

-- CHS 






More information about the Ale mailing list