UPC Hungary Administrative Password / Insecure Transit

`UPC network problems  
--------------------  
  
Platforms / Firmware confirmed affected:  
- UPC Hungary network  
  
Problems  
--------  
Network and device configuration problems  
Administration password is sent to the device in plain in the  
configuration file  
Administration password, which is used also for the telnet service, is  
sent in plain in the configuration file downloaded by the device via  
TFTP from the location specified by the DHCP response. The TFTP server  
is accessible only from the internal UPCas network.  
  
Administration password is the same for ALL devices  
Every kind of device uses the same administration password, which  
provides administrative and telnet access in most of the cases form the  
internal UPCas network. The actual access method and possibilities are  
depends on the device type.  
  
Telnet service is enabled on Ubee devices by default  
Telnet service is enabled on Ubee devices at interfaces accessible from  
LAN. Since, the password is the same and sent in plaintext, any user  
from the LAN can connect to the router with root privileges. Users can  
not disable telnet service and it is accessible even if the device is in  
bridge mode.  
  
Other CPE devices can be accessed in the internal UPCas network  
>From within the router, the 10.x.x.x range is accessible and the router  
can access other UPC costumersa devices. Using the administration  
password, which is the same in every device, the attacker can take over  
control of masses of devices.  
  
Timeline  
--------  
- 2015.06.24: Presenting the Ubee router problems to the CTO of UPC  
Magyarorszag  
- 2015.07.16: UPC contacted Ubee and required some more proof about some  
specific problems  
- 2015.07.16: Proofs, that the default passphrase calculation of the  
Ubee router was broken, were sent to UPC  
- 2015.07.20: UPC requested the POC code  
- 2015.07.21: POC code was sent to UPC  
- 2015.07.30: We sent some new issues affecting the Ubee router and  
other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC  
- Between 2015.07.31 and 08.12 there were several e-mail and phone  
communications between technical persons from Liberty Global to clarify  
the findings  
- 2015.08.19: UPC sent out advisory emails to its end users to change  
the default WiFi passphrase  
- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end  
users about the importance of the change of the default passphrases.  
- 2016.02.16: Face to face meeting with Liberty Global security  
personnel in Amsterdam headquarters  
- 2016.02.18: A proposal was sent to Liberty Global suggesting a  
wardriving experiment in Budapest, Hungary to measure the rate of end  
users who are still using the default passphrases.  
  
Credits  
-------  
This vulnerability was discovered and researched by Gergely Eberhardt  
from SEARCH-LAB Ltd. (www.search-lab.hu)  
  
References  
----------  
[1] http://www.search-lab.hu/advisories/secadv-20150720  
`