Recall! Recall! Germany Replacing Speedport Power Supply
Wednesday, 17 August 2011 01:58
ADSL gear is rarely a safety problem, but Deutsche Telekom is now recalling the power supplies for its Speedport W 700V routers because of the danger of electric shock. The case could crack or the cover detach, exposing live elements. The unit is made by respected Taiwanese manufacturer Leader Electronics. Google doesn't show me any problems with other Leader products.
The Speedport also had a major security problem in its early days. Here are the DT announcement as well as the earlier security advisory.

Important product safety warning regarding the SNG7-acc power supply unit for the Speedport W 700V

Aug 15, 2011
  • SNG 7-acc power supply unit from LEADER ELECTRONICS INC. for the Speedport W 700V may have dangerous safety deficiency

  • Telekom replacing relevant power supply units free of charge


As part of its regular quality assurance checks, Telekom has identified a significant safety deficiency with the SNG 7-acc power supply unit from LEADER ELECTRONICS INC. for the Speedport W 700V WLAN router. In individual cases the plastic housing may be brittle or the upper side of the housing may not be adequately attached. It cannot be ruled out that current-bearing elements may be exposed. Touching these elements may lead to an electrical shock. Telekom therefore urgently advises against using these power supply units. Safety advice: Turn the power off before checking or removing the power supply unit. The Speedport W 700V itself is not affected by this safety problem.


Telekom recommends affected customers have an unsafe power supply unit replaced with a safe one. Telekom will replace the SNG 7-acc power supply unit from LEADER ELECTRONICS INC. free of charge. Customers should first check whether they have a Speedport W 700V. This is written on the front of the unit and on the type label on the back.


If this is the case, customers should consult www.telekom.de/w700sicherheit or call the service number 0800 3306007 between 8 a.m. and 10 p.m. for further information. Power to the relevant socket must be turned off, for example at the fuse box, before checking the power supply unit. The units affected by the safety problem have the product designation "Netzgerät SNG 7-acc für Speedport W 700V" from LEADER ELECTRONICS INC on the type label.


There are various ways in which the housing of unsafe power supply units may be damaged.


These power supply units must be disconnected immediately, while the power is turned off. Customers can order a replacement unit free of charge via www.telekom.de/w700sicherheit, the toll-free service number 0800 3306007 (every day from 8 a.m. to 10 p.m.), in a Telekom Shop or from Telekom sales partners. Once the SNG 7-acc has been replaced, the Speedport W 700V will work the same as before; the settings will remain as they were. Customers can hand in old power supply units at a Telekom Shop free of charge or dispose of them via local recycling facilities.


In publishing this information, Deutsche Telekom is fulfilling its statutory requirements and acting in the interests of its customers, putting their safety first.

Design Flaw in Deutsche Telekom Speedport w700v broadband router
May 11 2007 09:15PM
Michael Domberg (mdomberg gmx de)

Hi,
I'd like to inform you about a vulnerability in the Deutsche Telekom Speedport w700v DSL router. Currently it's the standard device that is shipped with new DSL contracts.

I - TITLE

Security advisory: Weaknesses in the login process of the web interface
of the Speedport w700v DSL Router and Wireless LAN
Access Point

II - SUMMARY

Description: A design flaw exists in the login process of the web interface
of the Speedport w700v DSL Router and Wireless LAN Access Point
of Deutsche Telekom that might lead to unauthorized access.

Author: Michael Domberg (mdomberg at gmx dot li)

Date: May 11th 2007

Severity: Medium

References: http://www.devtarget.org/speedport700-advisory-05-2007.txt

III - OVERVIEW

The Speedport w700v is an ADSL/ADSL+ broadband router, Wireless LAN Access Point,
4-Port-Switch and telephone system with integrated firewall and advanced security
features.

More information about the product can be found online at
http://www.t-com.de

IV - DETAILS

The Speedport firmware consists of some CGI-Scripts that interact with the
hardware and some static html-pages as front-end. The login to the web
interface is designed the same way.
Upon submitting the system password (no username required...) the password
is sent to a cgi-script that verifies the password with internal sources. If
the verification is successful, the welcome screen of the interface is returned.
If the verification failed the login screen is returned. To avoid brute force
attacks, the login page contains some JavaScript that disables the input field
for a certain number of seconds. The first attempt is delayed by one second, the
second by two seconds, and any further attempt is delayed for double the
amount of time of the previous one. So the 8th attempt requires the attacker to
wait for about 4 minutes.
By submitting the request directly to the underlying cgi-script and verifying the
result page an attacker can circumvent this mechanism and perform multi-threaded
brute-force attacks.

V - ANALYSIS

The severity of this vulnerability is to be considered "medium". The default password
of the web interface is "0000". So users often choose a four-digit numeric password, too.
The Speedport 700 series is one of the most-sold DSL modems, because it is the standard
hardware for German DSL users of Deutsche Telekom.
Users can prevent their modems from being exploited this way by disabling remote
administration access (which is the default).

VI - EXPLOIT CODE

A PoC is available, but not published.

VII - WORKAROUND/FIX

Users have to disable remote administration access to prevent their routers from being
exploited.
The vendor doesn't seem to address this vulnerability.

VIII - DISCLOSURE TIMELINE

22. February 2007 - Notified vendor of affected software
28. February 2007 - Vulnerability confirmed
11. May 2007 - Public disclosure

Regards,
Michael Domberg,
www.devtarget.org
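
The design flaw in the advisory is that the doubling delay lived in the login page's JavaScript, so it only bound clients that ran the page. The following is an added example, not code from the advisory or from the vendor's firmware: a sketch of the same delay schedule kept in server state, where every request meets it. `LoginThrottle`, `make_checker` and the sample password used with them are hypothetical.

```python
import hmac
import threading
import time


def make_checker(stored_password):
    """Return a constant-time comparison against the stored password."""
    stored = stored_password.encode()
    return lambda candidate: hmac.compare_digest(candidate.encode(), stored)


class LoginThrottle:
    """Doubling delay after each failed login, held in server state.

    One counter for the whole device, because the login has no username
    to key on (assumption of this sketch; it trades availability of the
    admin login for resistance to parallel guessing).
    """

    def __init__(self, check, base=1.0, cap=3600.0, clock=time.monotonic):
        self._check, self._base, self._cap, self._clock = check, base, cap, clock
        self._failures = 0
        self._locked_until = 0.0
        self._lock = threading.Lock()  # serialises concurrent requests

    def delay_after(self, failures):
        """Seconds to wait after the n-th consecutive failure: 1, 2, 4, ..."""
        if failures < 1:
            return 0.0
        return min(self._base * 2 ** (failures - 1), self._cap)

    def attempt(self, candidate):
        """Return (status, seconds_to_wait) for one login request."""
        with self._lock:
            now = self._clock()
            if now < self._locked_until:
                # Refused before the password is even looked at, so extra
                # requests or threads during the delay learn nothing.
                return ("throttled", self._locked_until - now)
            if self._check(candidate):
                self._failures = 0
                return ("ok", 0.0)
            self._failures += 1
            wait = self.delay_after(self._failures)
            self._locked_until = now + wait
            return ("denied", wait)
```

With this schedule the delays after the first eight consecutive failures sum to 255 seconds, which is one reading of the advisory's "about 4 minutes".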

Last Updated on Wednesday, 31 August 2011 16:15