yongkailoon.com
Just another average weblog
Jul 28th

You know, the first day I got Unifi, I asked you guys (TMnet) if I would be able to use my own router. Well you said no. When I discovered the SSH daemon running on the router (which used a different password than the web user interface), you said you couldn’t disclose the password. An hour ago, I discovered that password and the reason why you won’t give it out.
TM basically planted a backdoor in everyone’s DIR-615 router.

What is this? What are all these hidden options in this special account you neglected to tell us about? You mean to say I could have used my own router all along? You mean people spent >RM1000 on Cisco grade equipment just because you didn’t want to tell them about this?

You mean in a sample group of 900 nodes, 600 of them who think their networks are ‘secure’ are actually completely open? Even those companies on Unifibiz which use the same router? WOW..
That’s right guys, TM named the “administrator” account on the DIR-615 as “admin” when there was actually a secondary administrator account with a higher access level. The VLAN settings were never locked out, that account which we all assumed was the admin (because they told us so) was actually a noob piece of shit with <60% access to the router. This account has the same user/pass across every Unifi router that has been given out so far and cannot be changed or even seen with the default ‘admin’ account.
---
What’s the fix?

Untick remote management. If you have a firewall on it, block all the ports (TCP 22/23/80/8080/443) from WAN access.
UPDATE: If you’re a Unifi user on firmware 7.05 and you read everything in the management page, you can find the username for this account. The pass is the same; once you get access, log in and reconfigure your router security properly. I can’t believe not a single technician set this account up properly.
---
FAQs
Some less tech-savvy people have asked me what this all means, so here goes:
Q: What is this and how is this possible?
A: Every consumer router has a username/password combination to access it. This is a basic security feature to ensure that only you (the owner) can access it. This Unifi router, however, has two accounts by default. When TM installed Unifi in your home/office, they only configured the first account. The second account, which has a higher level of access, was left configured with its default username/password. They also neglected to inform the customers (you) and their own technicians who did the install about this second account. As every Unifi user is ‘forced’ to use this router and this account has not been configured properly, every Unifi user is also vulnerable to having their router accessed by unauthorized users simply by using this default account user/password combination.
Q: So what if outsiders can access my router? What does this mean?
A: The Unifi router is not just a simple box that sits on your network. It can be considered to be a full computer system and has the capability to run any executable that’s made for it. Since an outsider can access your router, he can also do the following:
- Turn your router into a proxy, if he commits any crimes online it will be traced back to you instead and you will take the fall for it
- Use your 10/20mbps Unifi account so he doesn’t have to pay for his
- Use up your bandwidth quota (once quotas are implemented) as much as he wants and you will pay for it
- ‘Spy’ on your Internet connection and view every site you are visiting
- Forward all connections to your home PC using DMZ, making your home PC completely vulnerable to Internet attacks.. if you have an open NAS (network attached storage) on your home network, he will be able to access all your files
And the list goes on and on..
Q: So how can I fix this?!
A: Make sure remote management is disabled (it is enabled by default). With this enabled, anybody with this default user/pass combination can access your home router and perform the attacks I mentioned above. This fix, however, doesn’t prevent people on your own LAN from accessing the router. If you are running an open Unifi hotspot (shop wifi, etc.) and you are using the default DIR-615 router, the only fix is to access this second account and change the password.
For an uploaded Router Security guide and VLAN bridging guide (to use your own hardware with Unifi), find it at http://unifi.athena.my
*All the findings on this matter are credited to rizvanrp
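To confirm the fix described above took effect, the following added example (not part of the original post) checks whether the management ports the post lists, TCP 22/23/80/8080/443, still accept connections on your own router's WAN address. The function names and the placeholder address `192.0.2.1` are assumptions for illustration; substitute your own public IP.

```python
import socket
import sys

# Management ports the post says to block from WAN access.
MGMT_PORTS = (22, 23, 80, 8080, 443)


def port_state(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for a single TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is reachable
    except ConnectionRefusedError:
        return "closed"          # connection actively refused
    except OSError:
        return "filtered"        # timeout or unreachable, e.g. dropped by a firewall


def audit_wan(host, ports=MGMT_PORTS, timeout=2.0):
    """Map each management port to its state as seen from where this runs."""
    return {port: port_state(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that still accept connections and therefore still need closing."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder, not a real router address.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = audit_wan(wan_ip)
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    still_open = exposed(results)
    if still_open:
        print("Remote management still reachable on:", still_open)
        sys.exit(1)
    print("No management port answers from this vantage point.")
```

Run it from a connection outside your own network (for example a phone's mobile data), since the router is expected to answer on its LAN side. Any port reported `open` means remote management or a WAN-side service is still reachable.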
Jul 8th
A few days back, the DiGi iPhone site was seen to have slashed the iPhone monthly plan pricing, making it look like an irresistible deal at the moment.

The price slash, however, did not apply to the price of the device but only to the monthly voice + data package, otherwise known as the iDiGi plan. The iDiGi is now as low as RM60 per month, even cheaper compared to their current DG Smart Plan.

As you can see from the above image, the former iDiGi 88, iDiGi 138 and iDiGi 238 are now priced at RM60, RM90 and RM160 respectively. From the looks of it, this is definitely a plan which will attract potential iPhone customers for sure, even I myself was shocked to see how cheap it is at the moment! Could this be a sign of DiGi trying to clear off as many 3GS stocks as possible to make way for the iPhone 4? Maybe.
BUT WAIT, this is actually something that would blind a customer’s eyes. If you do the maths and compare with the previous charges, you only save about RM200 now. The price slash on the monthly fees is what seems to be a marketing gimmick to me. Pretty nice marketing strategy eh DiGi?
Jul 5th

Just when most people think that the UniFi service from TM is expensive, a good counter-argument is the triple play bundle, which includes Video, Internet and Phone and which, in short, is the reason behind the VIP names of their packages. The IPTV broadcasts interesting channels such as LUXE.TV HD, Fashion TV HD, STAR Chinese Movies, Channel News Asia and many more, including our local free stations. However, TM has announced that some channels will be chargeable after this year’s Independence Day.

This definitely will put TM and UniFi especially in a bad position since now quite a lot of stations will be charged and what remains free is of course our local free stations. If this is really going to be done after the 31st of August, I don’t think the IPTV will be a success and it might soon just be a service for display purposes. Furthermore, say the RM149 for 5mbps is going to be more like a double play service rather than a triple play. One question that comes to mind is of course how much are the charges going to be? The pricing will definitely be a matter of life or death to the IPTV service since most users are already Astro subscribers, even if it is just a couple of bucks, people will still think twice since they are mostly subscribed to the paid satellite TV service.
What do you think of this? Will this kill off the IPTV service?
Jul 4th
That’s right! Most of you have actually said that broadband access in Malaysia is very expensive while other countries are getting more affordable and faster at the same time. A study showed that telecommunication operators in Malaysia paid the most for their ethernet broadband lines in the Asia-Pacific region. With that being said, I guess Malaysia still is “boleh” in the telecommunications industry. This doesn’t exactly pinpoint TM alone; it applies to all the Internet service providers in the country.
In my opinion, ISPs in Malaysia should at least improve the stability and reliability of our connections and also provide us with more bandwidth, considering the monthly fees we are paying. Even if they choose not to amend the monthly fees, at least give us a better and faster connection! Malaysians have been waiting for the day when ISPs could provide a stable yet fast connection. However, it seems so near yet so far.
Malaysia telecom operators paid the most for their Ethernet broadband lines in the Asia-Pacific region while their peers in Hong Kong enjoyed the lowest access bills, according to a recent study by the Asia-Pacific Carriers’ Coalition (APCC).
Released on Jun. 14, the survey revealed that Malaysia topped four out of five categories–differentiated by network speeds–covering Ethernet broadband monthly rental and installation costs. It was second highest in the fifth category, revealed the study.
For instance, the monthly rental and installation cost for 2Mbps circuit would cost an operator in Malaysia US$4,564 but only US$374 in Hong Kong.
Surpassing Thailand, which was ranked second in the study, Malaysia had the costliest local Internet access lines in the Asia-Pacific region.
Only countries with the top two most costly bills, as well as the country with the lowest access bill, were ranked.
The study showed that Singapore, which was the costliest for telecom providers when the survey was last conducted in 2006, dropped down the list this year. However, the Republic was still “two to three times” more expensive than the cheapest country, Hong Kong.
The report also stated that demand for Ethernet broadband access has not only “continued to rise” but the demand for higher bitrates is also increasing. This upward trend is reflected by the availability of information, compared to previous years, on carriers requesting for 10Gbps access circuits.
The study, which Telecommunications Research Project Corporate (TRPC) was commissioned to conduct, gathered information from seven international carriers and looked at three forms of access platforms: Ethernet, leased lines and DSL (digital subscriber line).
For Ethernet broadband cost, the survey covered 13 countries–in which the seven carriers offered Ethernet services–and assessed the monthly rental and installation costs of various Ethernet access speeds: 2Mbps, 10Mbps, 50Mbps, 10Mbps, 1Gbps and 10Gbps.
Leased lines were “the most widely used leased circuits across Asia-Pacific”, according to the APCC study.
Of the 14 regional countries surveyed for leased lines access, nine countries saw their costs reduced in real terms since 2006. The five countries that bucked the trend were Malaysia, India, the Philippines, Taiwan and Thailand.
“We are disappointed to note that local access charges have risen in real terms in five countries since 2006,” said APCC President Simon Smith. “Our members continue to experience challenges in obtaining competitive local access price charges, which are often disproportionate to charges for an end-to-end international service.”
Smith called for “fair” local access charges as these were a “critical requirement” for the creation of a competitive communications environment.
He also encouraged regulators in the markets reviewed to “take the necessary and appropriate regulatory action” to lower access pricing.
Source: ZDNet Asia
What are your thoughts on the broadband situation here in Malaysia?
Jul 2nd

The long awaited improved version of the Apple iPhone is expected to be introduced to Malaysians as early as August 2010 by Maxis. This news was unveiled in one of the interviews with Van Overbeke conducted by The Star InTech. I wonder what the prices are going to be like though but I’m expecting it to be roughly the same as the current 3GS model.
This is straight from the horse’s mouth, the animal here being our local Star paper’s tech pull-out InTech. The report has the Maxis boss telling the paper’s reporter this: ‘Van Overbeke said the iPhone 4 could be available here by August, but declined to provide prices.’ This is only a ‘could’ scenario. It doesn’t confirm that Apple phone is actually going to sell here in that coming month.
The same reporter also wrote: ‘As for the iPad, he said it is possible that Maxis will be distributing the 3G version of the tablet computer.’
That word ‘possible’ can also be roped into the same familial ‘could’. But at least Van Overbeke is quoted to say, “But it’s really up to Apple at this point.” A lot of readers, in Star, and in here, genuinely hope Apple decides to let Maxis bring in the iPhone 4 and the iPad. Here’s keeping our fingers crossed.
Source: Mobile World