Security vulnerability reporting experience

On May 5th, 2014, I discovered a security vulnerability in the Ubee EVW320b Wi-Fi DOCSIS modem used by a major Dutch ISP.

I reported this vulnerability directly to the Dutch ISP that uses them, as the modem I currently have is their property.

This blog post serves as a short overview of the issue I found and of my experience with the ISP's security operations center in handling it.

The issue

The issue I found (and reported) is triggered by sending a specially crafted UDP SIP packet to the modem.
Sending such a packet to the modem's WAN interface on UDP port 5060 made it restart spontaneously.

Well, I hear you say, a restart is not that big of a deal, is it? I would totally agree with you.
The main problem is that if you trigger this enough times in a row (my tests indicated about 5 times), the router does a full factory reset.
That also means the modem's web interface gets back the default (well-known) admin password it had when you unboxed it.

So even people who set up the modem correctly, for example by disabling the built-in Wi-Fi or UPnP, or by configuring the built-in firewall, MAC filter or other security features, were at risk of having all those settings wiped by someone sending a handful of packets from the internet.
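As an added example (this is not the reproduction script mentioned later in the post, which is not published here, and it does not construct the crafted SIP packet), the following Python shows the detection side of the pattern described above: a burst of inbound UDP datagrams to port 5060 on the WAN side, using the roughly five hits that preceded a factory reset in my tests as the alert threshold. The log lines, host name and addresses are constructed; the netfilter-style field names, the year and the ten minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style log lines (made-up host and addresses, not real
# captures). The syslog double space in "May  5" is intentional.
SAMPLE_LOG = """\
May  5 20:00:00 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:01 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:03 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:05 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:08 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:10 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060 LEN=412
May  5 21:14:11 modem kernel: [wan-in] IN=wan0 SRC=192.0.2.9 DST=203.0.113.20 PROTO=UDP SPT=40001 DPT=5060 LEN=380
May  5 21:14:12 modem kernel: [wan-in] IN=wan0 SRC=192.0.2.9 DST=203.0.113.20 PROTO=UDP SPT=40001 DPT=5060 LEN=380
May  5 21:15:00 modem kernel: [wan-in] IN=wan0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=51000 DPT=443 LEN=60
May  5 21:15:30 modem kernel: [wan-in] IN=wan0 SRC=203.0.113.99 DST=203.0.113.20 PROTO=UDP SPT=5353 DPT=53 LEN=70
"""

# Field layout assumed to follow the common iptables LOG target format.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)

LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (timestamp, src, proto, dport) for a netfilter log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"
    )
    return ts, m["src"], m["proto"], int(m["dport"])


def sip_hits_by_source(log_text, sip_port=5060):
    """Timestamps of inbound UDP datagrams to the SIP port, grouped by source."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, proto, dport = rec
        if proto == "UDP" and dport == sip_port:
            hits[src].append(ts)
    return hits


def max_hits_in_window(timestamps, window):
    """Largest number of hits from one source inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        # Slide the window start forward until it covers at most `window`.
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sip_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Sources whose burst of UDP/5060 datagrams reaches the threshold.

    The default threshold of 5 mirrors the number of consecutive restarts
    observed before a factory reset; the 10 minute window is an assumption.
    """
    flagged = []
    for src, stamps in sip_hits_by_source(log_text).items():
        n = max_hits_in_window(stamps, window)
        if n >= threshold:
            flagged.append((src, n))
    return sorted(flagged)


if __name__ == "__main__":
    for src, n in flag_sip_bursts(SAMPLE_LOG):
        print(f"{src}: {n} SIP datagrams to WAN port 5060 within 10 minutes")
```

The first hit from 198.51.100.7 falls outside the window and is not counted toward the burst, while the TCP/443 and UDP/53 lines are ignored entirely; only the five rapid datagrams to port 5060 trip the alert. Whatever the threshold, an alert like this is a prompt to log in and confirm the modem's admin password and firewall settings survived, since a reset would not otherwise announce itself.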

This is a lot worse to me: how often do you actually check your modem configuration to see whether all the security features you set up are still in place?
Well, I certainly did not before finding this issue.

So I decided to report it to my ISP.

Reporting the issue

So after I decided to report the issue, the next step was to figure out where to send it, and under which conditions.

In the Netherlands, we have a document called the "Leidraad om te komen tot een praktijk van Responsible Disclosure" (in English: "Guidelines to establish a practice of Responsible Disclosure"), published by the Dutch government.

The problem with this document is that it limits the person who found the vulnerability in return for basically nothing: it says the researcher cannot contact the media, but only that the company that received the report COULD promise not to sue the researcher.

I had heard some disaster stories, and wanted to be sure I would not get into any trouble by reporting the issue (given that the modem is owned by the ISP), so I tried to find information on my ISP's policy.

Well, I was very pleasantly surprised to find a page on their website with guidelines on how they handle Responsible Disclosure.
Especially the fact that their guidelines explicitly say that a researcher who does not abuse the vulnerability will not be sued was a very nice surprise to me.
They even have a GPG key on an HTTPS site that can be used to encrypt reports!

So I decided to at least give it a try, and sent them an email with the information and a script to reproduce the vulnerability.
I had not really expected to receive a reply, but thought I would at least make the effort to report the issue to them.
This email was sent late on May 6th.

A response!

Given that I had not expected a reply, I was again surprised when, early on May 8th, I actually got a serious reply!
Sure, it only thanked me for reporting the issue and promised they would look into it, but it was more than I had expected.

Of course, their replies were also GPG-encrypted.

On May 9th, they replied again, thanking me for the reproduction information and script, and told me they had been able to reproduce it on the Ubee EVW320 and ECW321 (the two modems they have in use) and had sent the information to the manufacturer.

Then, again totally unexpectedly, on May 15th I got an email telling me they had a fixed firmware and asking whether I would agree to it being pushed to my modem to check that it solved the issue.
I agreed, and two days later I emailed them back confirming that this release fixed the bug.
That means that from report (May 6th) to working fix (May 15th) took just 9 days!

At that point, I asked them if it was okay to publish about it on my blog, but they asked me to wait a little before publishing details of the vulnerability, because they still needed to schedule updates for customers' modems.

Rounding up

Well, today I received a letter from them thanking me for reporting the issue and for the way I reported it.
The letter said that all modems have been updated and are no longer vulnerable to the issue I had discovered.
It also came with a small present (a Bluetooth speaker with their logo), which was a nice surprise as well.

So all in all, I have to say I was surprised in a very nice way by how they handled it and by the speed with which it was resolved.

If only all, or at least more, companies would respond like this, the digital world might become a much more secure place!

I have so far refrained from naming the ISP to prevent quotes from being taken out of context, but I would hereby like to thank Ziggo for the perfect way in which they handle reported security issues, and hope that more companies follow the openness and transparency they have shown.
