KDDI in Japan recently started to provide new routers to subscribers who migrate. The main change with the new router is that a PPPoE session is no longer needed, which means more bandwidth is available on the line.
However, the nice shiny router provided by KDDI does not have enough CPU power to route that much traffic, so, like anyone else, why not use a small Linux box (in this case a Kurobox Pro) and have it do the routing?
Easier said than done. Our friends at KDDI really want everyone to use their modems (a BL190HW) and have added a few measures to prevent people with ordinary routers from using their network.
The first thing anyone will notice is that the router will only talk to the device with the right MAC address. That is quite a common protection, and changing the MAC address of a device is trivial. After doing this the network works fine for a few hours, then… nothing.
I then connected the router they provided and had a look at the stuff that went through on the network… and I noticed something else.
Our friends at KDDI have decided to add an extra “layer” of security: the modem will log in using EAP authentication over ethernet (protocol 0x888e) using the modem’s serial number as login and an unknown secret. Since I do not have access to the modem firmware, it’s difficult to know what the secret is; however, I do not want internet to go down every X hours, so I wrote an “EAP relay” which receives EAP-over-ethernet frames on two interfaces and relays them to the other interface. The program I wrote is ugly but works.
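To make the 0x888e traffic concrete, here is an added example (my code, not the author's relay program): a small decoder for EAP-over-LAN (EAPOL, IEEE 802.1X) frames of the kind a relay or a capture filter has to recognise to tell this authentication traffic apart from ordinary Ethernet frames, and to read the EAP Identity that the modem presents as its login. The MAC addresses, the sample frames and the serial-number placeholder are constructed for the example; only the 0x888e EtherType and the frame layouts (802.1X EAPOL header, RFC 3748 EAP header) are real.

```python
import struct

# EtherType of EAP over LAN (EAPOL, IEEE 802.1X): the 0x888e seen on the wire.
ETHERTYPE_EAPOL = 0x888E
# Constructed addresses for the example (locally administered, not real devices);
# 01:80:c2:00:00:03 is the standard 802.1X PAE group address an EAPOL-Start goes to.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
AUTHENTICATOR_MAC = bytes.fromhex("020000000001")
MODEM_MAC = bytes.fromhex("020000000002")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_eapol(frame: bytes) -> bool:
    """The filter a relay or capture would apply: only EtherType 0x888e frames matter."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def parse_eap(body: bytes) -> dict:
    """Decode the EAP packet inside an EAPOL EAP-Packet (code, id, length, type, data)."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length >= 5:       # Request/Response carry a Type byte
        etype = body[4]
        eap["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        data = body[5:length]
        if etype == 1:                        # Identity: the login the peer presents
            eap["identity"] = data.decode("ascii", errors="replace")
        else:
            eap["data"] = data.hex()
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Decode Ethernet header + EAPOL header (version, type, length) of one frame."""
    if not is_eapol(frame) or len(frame) < 18:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Assemble an EAPOL frame; used here only to construct the sample traffic."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def build_eap(code: int, ident: int, etype: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([etype]) + data


# Constructed exchange: Start from the modem, Request/Identity from the network
# side, Response/Identity carrying a placeholder where the serial number would be,
# plus one IPv4 frame that the filter must leave alone.
SAMPLE_START = build_eapol(PAE_GROUP_MAC, MODEM_MAC, 1)
SAMPLE_REQUEST = build_eapol(MODEM_MAC, AUTHENTICATOR_MAC, 0, build_eap(1, 1, 1))
SAMPLE_RESPONSE = build_eapol(AUTHENTICATOR_MAC, MODEM_MAC, 0,
                              build_eap(2, 1, 1, b"SERIAL-PLACEHOLDER"))
SAMPLE_IPV4 = MODEM_MAC + AUTHENTICATOR_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19


def summarize(frame: bytes) -> str:
    """One-line description of a frame, as a capture tool or relay log would print it."""
    if not is_eapol(frame):
        return "non-EAPOL frame (left alone)"
    p = parse_eapol(frame)
    if "eap" not in p:
        return f"{p['type']} from {p['src']}"
    e = p["eap"]
    extra = f" identity={e['identity']!r}" if "identity" in e else ""
    return f"EAP {e['code']}/{e.get('type', '-')} id={e['id']}{extra} from {p['src']}"


if __name__ == "__main__":
    for f in (SAMPLE_START, SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_IPV4):
        print(summarize(f))
```

Run on a real capture, the same decoder shows what an Identity-based login leaks in the clear: the identity travels unencrypted in the EAP-Response, which is why the relay described in the post only ever has to forward frames rather than understand the secret. It also shows why a tcpdump filter on `ether proto 0x888e` is enough to watch the periodic re-authentication that makes the connection drop every few hours.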
Now I’ll work to get a copy of the firmware (if the modem indeed checks for updates, it should be trivial) and analyze it to see if I can either:
- Find how the secret is stored and/or generated
- Locate any security exploit that would allow root access on the box
- Crack/locate the password for the box
- Push a modified firmware update to the router that would allow access from outside
The router introduces itself as “NetBSD/ovismips” via telnet, however refuses root login over this kind of non-secure channel…