Singtel's 5012NV-002 vulnerability

Type: Open port

Affects: Singtel's firmware on 2wire 5012NV-002

Version: (HW version: 2701-000808-004, SW version:

(Unable to ascertain if other versions are affected as I do not have access to the firmware)

Severity: High

Ease of exploit: Low

Impact: Allows an attacker to gain access to the admin page of the router.

Technical details:

The affected routers expose the admin page on port 2046 of the WAN interface. Of all the routers I have seen, none have required any form of authentication. Targets can be found very quickly by scanning port 2046 of IP addresses which Singtel issues to its subscribers. A quick scan of 1275 addresses found approximately 10 hosts which were vulnerable. Compromising the router is as simple as pointing your browser to

Potential exploits (in order of severity):

  1. Routing table poisoning - The attacker can add a static route to direct traffic from a certain subset of IP addresses to an address which he controls. Traffic can be sniffed or a man-in-the-middle attack can be executed, compromising the privacy of the victim.
  2. Rouge firmware upload - The attacker can upload a modified firmware with any type of exploit built-in for his use. e.g. a proxy server to redirect traffic. Note: There may be mechanisms in place to prevent it from occurring. e.g. firmware has to be signed by manufacturer's key. I have not tested it out.
  3. Denial-of-service - The attacker can change the wifi password thus locking out the victim's wireless devices. He could also repeatedly reboot the router.

Mitigation techniques:

  1. Setting admin password for web interface - May not work as password may be set only for web page exposed on port 80 of LAN interface. I have not come across any affected routers which have http basic auth enabled on port 2046 of WAN interface.
  2. Using a different router not affected by this vulnerability. However, this option may not be feasible for many subscribers as mio TV, an IPTV service offered by Singtel will not work on a different router without prior configuration.

This issue was brought to SingTel's attention on the 23 Oct 13. I received a call in Jan, informing me that investigations by the network team confirmed the existence of the vulnerability. A patch has since been released and rolled out to all affected subscribers.