Thousands of O2 customers in the Czech Republic are at risk

We have discovered that thousands of O2 customers in the Czech Republic (confirmed in Prague, most likely country-wide) are at risk.

Anyone with an O2 internet connection can directly reach the routers of any other O2 customer (including our own). If the default password settings are still in place, which is the case with nearly all home installations, an attacker can take control of the router, upload malicious code, change the DNS servers or set IPv4 routes, and thereby control the victim's entire internet traffic: stealing sensitive data such as logins and bank transactions, or placing malware on the machines behind the router.

The reason is that Telefónica Czech Republic assigns every internet user an internal (private) IP address as their WAN IP, which is wrong, broken and a serious security issue. All customers sit in one big virtual LAN, and nothing (no firewall, no defined routes) prevents one customer from reaching a neighbour's router directly and reconfiguring it.

Unfortunately Telefónica Czech Republic does a good job of hiding its contact details (the email of a CSO or anyone in charge of security), hence this public blog post.

Background info

In the Czech Republic we have an internet connection from O2. We could not get port forwarding to work, and while investigating we made an interesting discovery: O2 assigns your router an internal (!) IP address, as shown in the images below. In O2's setup this effectively makes port forwarding impossible: only packets addressed directly to the internal IP reach the router, while packets sent to the public IP never do.

[Images O2 5 and O2 6: screenshots of the router's WAN settings showing the internal IP address assigned by O2]

Technically, Telefónica Czech Republic runs one big VLAN (ID 848) to which all customers are attached.

Real life check

Last week a person on the forum http://forum.mikrotik.com/viewtopic.php?f=13&t=78570 pasted his configuration and complained that port forwarding does not work. The WAN IP assigned to him by O2 is 10.226.139.143.

He complains that his custom router is not reachable from the internet. What he does not know is that it is reachable from within the O2 network:

[Image o2 1: the forum poster's router reached from another O2 connection]

Attacking other Telefónica Czech Republic customers

Many customers run the default setup, and their routers can be reached directly:

[Image o2 2: login page of another customer's router]

With a port scanner, finding the other O2 customers is trivial:

[Image o2: port scan results listing other customers' routers]

Attacks on other customers are practical. As mentioned, there are several possibilities:

  • Uploading malicious firmware
  • Changing the DNS servers and thereby controlling the person's internet traffic (similar to the DNSChanger malware)
  • Setting hard-coded IPv4 routes and literally controlling the person's entire internet traffic

If you change the DNS server to your own custom one (example below), you can show people who visit “google.com” your own site, return fake results or advertisements, or simply proxy the traffic to the real sites, capture every login and perhaps replace executables that the person behind the computer downloads.
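The DNS and route changes listed above are exactly what the router's owner should be checking for. As an added defensive example (not code from the original post or from any router vendor), the following Python audits a router's exported DNS and static-route settings against what the owner expects; the router state, the trusted resolver set and the gateway address are constructed values for the example.

```python
import ipaddress

# Constructed example of a home router's exported settings. The 203.0.113.x and
# 198.51.100.x values are documentation addresses chosen for the example; the
# 10.226.x.x gateway mirrors the private WAN range described in the post.
ROUTER_STATE = {
    "dns_servers": ["203.0.113.53", "8.8.8.8"],
    "static_routes": [
        {"dst": "0.0.0.0/0", "via": "10.226.139.1"},
        {"dst": "198.51.100.0/24", "via": "10.226.140.7"},
    ],
    "wan_gateway": "10.226.139.1",
}

# Resolvers the owner actually chose (assumption for the example).
TRUSTED_DNS = {"8.8.8.8", "8.8.4.4"}


def audit_dns(servers, trusted):
    """Flag every configured resolver that is not one the owner chose."""
    return [f"DNS server {s} is not in the trusted set" for s in servers if s not in trusted]


def audit_routes(routes, wan_gateway):
    """Flag routes that would send traffic to a next hop other than the ISP gateway."""
    gw = ipaddress.ip_address(wan_gateway)
    findings = []
    for route in routes:
        dst = ipaddress.ip_network(route["dst"])
        via = ipaddress.ip_address(route["via"])
        if via == gw:
            continue  # expected path through the ISP, nothing to report
        if dst.prefixlen == 0:
            findings.append(f"default route points at {via}, expected {gw}")
        else:
            findings.append(f"route for {dst} via {via} would hand that traffic to a third host")
    return findings


def audit_router(state, trusted_dns):
    """Combine both checks; an empty list means nothing unexpected was found."""
    return audit_dns(state["dns_servers"], trusted_dns) + audit_routes(
        state["static_routes"], state["wan_gateway"]
    )


if __name__ == "__main__":
    for finding in audit_router(ROUTER_STATE, TRUSTED_DNS):
        print("WARNING:", finding)
```

Run against the constructed state, the audit reports the unknown resolver and the static route that diverts one prefix to a host other than the ISP gateway; a default route pointing anywhere but the gateway is reported the same way.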

[Image o2 7: router DNS settings changed to a custom server]

The joke about this

The real joke is that every O2 customer can directly reach the routers of all other customers, AND that O2 hands out internal IP addresses where public ones should be given. By default, routers expose their administration panel only to local IP addresses, which offers no protection at all when the ISP assigns you a local address and lets your neighbour connect to you.
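The following Python, added here as an illustration rather than code from the post or from any router vendor, shows the two halves of that problem side by side: a classifier for the WAN address the router was handed (covering the private ranges from the post and, going slightly beyond the post, the RFC 6598 carrier-grade NAT range), and the admin-panel access check in its usual "any local address" form next to a version bound to the LAN interface and its own subnet. The LAN subnet, the interface names and the peer address are assumptions; the WAN address is the one quoted from the forum post.

```python
import ipaddress

# Address ranges that are never routed on the public internet. A router that
# receives one of these on its WAN port cannot be reached from outside (so port
# forwarding fails), but it is reachable by every other host sharing the range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(addr):
    """Return 'rfc1918', 'cgnat', 'public' or 'other' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public" if ip.is_global else "other"


def describe_wan(addr):
    """Summarise what the assigned WAN address implies for the router's owner."""
    kind = classify_wan(addr)
    return {
        "class": kind,
        "inbound_from_internet": kind == "public",
        "reachable_by_peers_in_range": kind in ("rfc1918", "cgnat"),
    }


def naive_admin_allowed(src):
    """Common default: admit the admin panel to any 'local' source, judged by address
    range alone. With a private WAN address every other customer passes this test."""
    return classify_wan(src) == "rfc1918"


def hardened_admin_allowed(src, ingress_iface, lan_subnet, lan_iface="lan"):
    """Admit only packets that arrived on the LAN interface from the LAN's own subnet.
    The source address alone is not trusted: a LAN-looking source on the WAN port is refused."""
    return ingress_iface == lan_iface and ipaddress.ip_address(src) in ipaddress.ip_network(lan_subnet)


if __name__ == "__main__":
    wan = "10.226.139.143"  # the forum poster's WAN address quoted in the post
    peer = "10.226.140.7"   # constructed: another customer in the same range
    print(describe_wan(wan))
    print("naive check admits peer:", naive_admin_allowed(peer))
    print("hardened check admits peer:", hardened_admin_allowed(peer, "wan", "192.168.1.0/24"))
```

The hardened check is what a router's management ACL should express: the decision keys on the interface the packet arrived on and on the router's own LAN subnet, so the ISP's choice of WAN range no longer decides who may log in.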