01.Potential threat to thousands of customers
Optus has fixed a security flaw that could have allowed hackers access to tens of thousands of customers’ modems, according to a Fairfax news report.
Concerningly, the flaw could allow access to customer call records, control the modem and compromise security of a customer’s local network.
Flaw found by customer
The flaw was discovered by an Optus customer, who posted it anonymously on the Optus community noticeboard. He didn’t want to reveal his identity, fearing legal repurcussions. The flaw was in the form of a “back door”, a secret password which could provide remote access for Optus technicians for troubleshooting and administration. However, in this case the password was the same as the default supplied by the modem manufacturer, and thus available to anybody. A hacker would not need to install any software or modify the equipment in any way.
While back door access for technicians is common practice, in this case the back door password was left as the manufacturer’s default password, which is the same for all users of that model. Optus doesn’t allow this password to be changed by users.
Optus repaired the flaw by remotely changing the access user name and password combinations of all affected modems. Optus reportedly said a security review is now underway and that the Privacy Commissioner
would be notified.
While the customer who discovered the security flaw stayed anonymous for fear of possible legal risk, Optus later thanked him for raising the security issue and said there would be no legal action as a result.