User comments on ISPs
>> EE (Everything Everywhere) and Orange

Pages in this thread: 1 | 2 | (show all)

Print Thread

deleted
(deleted) Mon 13-Feb-12 15:24:32

Spy in The Router AKA TR069

[link to this post]

Hi All,

Looking at the data in the fields of the TR069
http://192.168.1.1/yds32u872vld.htm

I can see that the UserName is the MAC address of my router.
The password is BrightBox-aaaaa where aaaaa is a "random" string
The request Url is the internet IP Address of my router's connection, using port 8085.
i.e. http://1.2.3.4:8085/cpe/cpe.cgi?id=nnnnnnnn where nnnnnnn is a random hex string.

This smells very much like a "Spy In The Router"

In reply to a post by glossywhite:
Hi guys. Okay, I have found four *hidden* config pages, whilst trawling the firmware

http://192.168.1.1/u132xzp32aai.htm

http://192.168.1.1/xc324m12sdlo.htm

http://192.168.1.1/yds32u872vld.htm

http://192.168.1.1/z983erv3210ba.htm

Here are some screenshots, minus my personal data:

http://www.flickr.com/photos/22008695@N03/sets/72157...

NOTE: Login *first*, then visit these URLs. If you are logged out and click one, it will just ask you to login, but won't re-direct you to these URLs.

Have fun!

XRaySpeX
(eat-sleep-adslguide) Mon 13-Feb-12 18:25:13

Re: Spy in The Router AKA TR069

[re: deleted] [link to this post]

Have you tried disabling it?

Still there's no way of telling if it takes effect, just like Bandwidth Control doesn't.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC

UKDoc
(newbie) Mon 13-Feb-12 23:09:34

Re: Spy in The Router AKA TR069

[re: deleted] [link to this post]

The Tr069 thing is what helps set up your router automatically.

glossywhite
(learned) Mon 13-Feb-12 23:24:12

Re: Spy in The Router AKA TR069

[re: UKDoc] [link to this post]

I am not one for conspiracy theories - they are the distraction of paranoia. If Orange wish to "spy" on me, through a module which allows them to configure customer's routers efficiently, I am hardly going to lose any sleep over it.

deleted
(deleted) Wed 15-Feb-12 08:28:32

Re: Spy in The Router AKA TR069

[re: XRaySpeX] [link to this post]

In reply to a post by XRaySpeX:
Have you tried disabling it?

Yes I have, but checking using http://www.yougetsignal.com/tools/open-ports/ shows that even when it's disabled the port 8085 is still open. Even after a re-boot.

I have enabled the log to see if it shows anything...
Interval is set to 86400 {seconds in a day} so I am not expecting anything till tomorrow (if anything)
Currently clicking on the view log generates a 404 error.

Edited by deleted (Wed 15-Feb-12 08:29:24)

UKDoc
(newbie) Wed 15-Feb-12 17:08:40

Re: Spy in The Router AKA TR069

[re: deleted] [link to this post]

The periodic inform is nothing more than a heartbeat to let the ISP know your router is healthy, nothing clandestine.

deleted
(deleted) Wed 15-Feb-12 20:37:44

Re: Spy in The Router AKA TR069

[re: UKDoc] [link to this post]

In reply to a post by UKDoc:
The periodic inform is nothing more than a heartbeat to let the ISP know your router is healthy, nothing clandestine.

How can we be sure of this?

deleted
(deleted) Wed 15-Feb-12 20:46:01

Re: Spy in The Router AKA TR069

[re: deleted] [link to this post]

Hi Folks,

Here is a TR69 log file downloaded a few minutes ago.
I enabled logging then re-booted the router this morning...
Personal information has been replaced with *

Tr69Rpcmethod_Inform: 1 BOOT
--------------Dump packet OUT--------------
Packet length = 3380
SOAP-ENV:Envelope
SOAP-ENV:Header
cwmp:ID = *******
SOAP-ENV:Body
cwmp:Inform
DeviceId
Manufacturer = Arcadyan
OUI = ******
ProductClass = BrightBox
SerialNumber = **********
Event
EventStruct
EventCode = 1 BOOT
CommandKey
MaxEnvelopes = 2
CurrentTime = 2012-02-15T07:12:59
RetryCount = 0
ParameterList
ParameterValueStruct
Name = InternetGatewayDevice.DeviceSummary
Value = InternetGatewayDevice:1.0[](Baseline:1,EthernetLAN:1,WiFiLAN:1,ADSLWAN:1,Time:1)
ParameterValueStruct
Name = InternetGatewayDevice.DeviceInfo.HardwareVersion
Value = 01
ParameterValueStruct
Name = InternetGatewayDevice.DeviceInfo.SoftwareVersion
Value = v0.09.82.0001
ParameterValueStruct
Name = InternetGatewayDevice.DeviceInfo.SpecVersion
Value = 1.0
ParameterValueStruct
Name = InternetGatewayDevice.DeviceInfo.ProvisioningCode
Value
ParameterValueStruct
Name = InternetGatewayDevice.ManagementServer.ParameterKey
Value
ParameterValueStruct
Name = InternetGatewayDevice.ManagementServer.ConnectionRequestURL
Value = http://*.*.*.*:8085/cpe/cpe.cgi?id=********
ParameterValueStruct
Name = InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceNumberOfEntries
Value = 1
ParameterValueStruct
Name = InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.ExternalIPAddress
Value = 1.2.3.4
++++++++++++++Dump packet OUT++++++++++++++
Tr69Rpcmethod_Inform: Sending reponse!!
--------------Dump packet IN--------------
cwmp:InformResponse
MaxEnvelopes = 1
++++++++++++++Dump packet IN++++++++++++++
Tr69Rpcmethod_InformResponse: tr69hasInformed=1
Allocate length = 4
Tr69SoapOutput: OutLen = 0
--------------Dump packet OUT--------------
Packet length = 0
++++++++++++++Dump packet OUT++++++++++++++
Tr69SoapOutput: Null response.
Tr69SoapOutput: Sending null Post.
Tr69SoapOutput: End of session.

XRaySpeX
(eat-sleep-adslguide) Wed 15-Feb-12 21:25:29

Re: Spy in The Router AKA TR069

[re: deleted] [link to this post]

Well, at least you found out the Manufacturer ("whoever they are" grin

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC

deleted
(deleted) Wed 15-Feb-12 22:28:48

Re: Spy in The Router AKA TR069

[re: XRaySpeX] [link to this post]

We already knew that smile

Pages in this thread: 1 | 2 | (show all)

Print Thread

Jump to