Today, the details on a major authentication flaw in the Auto Configuration Server (ACS) of the German ISP O2 (Telefónica) were released. A tl;dr could be “Tell me your IPv4 address and I may place and accept phone calls on your behalf!”. The good news is that the most severe part of this flaw has already been fixed. While the details are covered by heise Security, the c’t magazine (02/2016) and RedTeam Pentesting, this blog entry is meant to provide some background information on how I identified this vulnerability by accident.
During fall 2014 someone notified me that a stock FRITZ!Box 7490 is able to automatically download VoIP credentials from the Telefónica / O2 ACS. This behavior was rather unexpected, as O2 has a long history of keeping the VoIP credentials secret in order to enforce the use of the CPE it provides. I tried to reproduce this on my own DSL connection and was finally able to man-in-the-middle the whole TR-069 provisioning process.
It turned out that for the initial connection to the ACS a generic set of credentials suffices to kick off the provisioning process during which the secret VoIP credentials are transferred to the FRITZ!Box 7490 CPE. This technique would have been an ideal replacement for the other VoIP credentials extraction techniques that existed at that time (see my other blog posts). Firstly, it does not include any tampering with leased O2 hardware. Secondly, I believe that it would cost O2 quite an effort to mitigate this extraction vector without disrupting the provisioning service for all customers. Thus, I was eager to turn the findings into code.
However, after I had coded a rudimentary TR-069 client which resembles a FRITZ!Box 7490, I encountered another surprise: The ACS “authenticates” the CPE (or my client) merely based on its WAN IP address, and that address could be spoofed, as I found out later. In other words, I was able to retrieve the VoIP credentials of arbitrary O2 customers only by knowing their IPv4 address. With these credentials at hand, attackers could have used the victim’s telephone line for malicious purposes.
How could that happen? Technically, TR-069 is just a couple of HTTP(S) POST requests and replies which are used to exchange SOAP messages between the ACS and the CPE. The IP address which was used for authentication resides in the field with the lengthy name
of a so-called CWMP Inform message. It should be emphasized that this field is simply part of an HTTP POST body. As a result, the ACS was relying on the assumption that the CPE (or my client) only ever transmits its own IP address in that field. However, I once forgot to update my own WAN IP address in that field. Thus, the ACS delivered the VoIP account data of another customer who was then using my previous WAN IP address.
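To make the trust boundary concrete, here is an added example (my own code, not code from this post, O2 or AVM) that parses a constructed CWMP Inform, extracts the IP address the CPE claims, and contrasts the flawed lookup keyed on that claim with one keyed on an authenticated device identity. It assumes the field in question is the TR-098 `ExternalIPAddress` parameter (the post does not name the field) and that `device_id` comes from a session authenticated with per-device credentials.

```python
import xml.etree.ElementTree as ET

CWMP_NS = "urn:dslforum-org:cwmp-1-0"

# Constructed sample CWMP Inform (all values made up, not captured from any ACS).
SAMPLE_INFORM = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soapenv:Body>
    <cwmp:Inform>
      <DeviceId><OUI>000000</OUI><SerialNumber>CONSTRUCTED-1</SerialNumber></DeviceId>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress</Name>
          <Value>203.0.113.7</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soapenv:Body>
</soapenv:Envelope>"""


def claimed_external_ip(inform_xml):
    """Return the external IP the CPE *claims* in its Inform body, or None.
    Assumption: the relevant field is the TR-098 ExternalIPAddress parameter."""
    root = ET.fromstring(inform_xml)
    if root.find(f".//{{{CWMP_NS}}}Inform") is None:
        return None  # not an Inform RPC at all
    for pvs in root.iter("ParameterValueStruct"):
        if pvs.findtext("Name", "").endswith(".ExternalIPAddress"):
            return pvs.findtext("Value")
    return None


def lookup_vulnerable(inform_xml, accounts_by_ip):
    """The flawed pattern described above: a POST body field is treated as identity."""
    return accounts_by_ip.get(claimed_external_ip(inform_xml))


def lookup_hardened(inform_xml, source_ip, device_id, accounts_by_device):
    """Identity comes from the authenticated per-device session (device_id); the
    claimed IP is only cross-checked against the TCP source, never used as a key."""
    if device_id is None or device_id not in accounts_by_device:
        return None
    if claimed_external_ip(inform_xml) != source_ip:
        return None  # mismatch: log as suspicious and refuse, never serve credentials
    return accounts_by_device[device_id]
```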