ONT hardware vulnerability assessment

More and more operators are deploying fiber to the customer’s premises, which allows them to offer their customers a combination of data, voice and content services in attractive bundles.
These services typically rely on an Optical Network Terminal, or ONT, deployed at the customer’s premises. The ONT device often plays a role in securing access to the various services that coexist on the fiber bearer, so a breach of the ONT device may allow an attacker to reach network components responsible for one or more of these services. Besides ethernet ports, many ONT devices have telephone ports, coax ports and USB ports or UART interfaces, so that various attack surfaces exist.

The Telecom Defense Limited Company’s methodology for testing vulnerabilities in ONT devices and related network interfaces consists of the following:

Phase 1: obtaining privileged access on the ONT device

The first phase consists of attempting to obtain privileged access (i.e. root access) on the ONT device. This phase is conducted on ONT devices physically present in our lab in Las Vegas.

First, all available interfaces on the ONT device are attacked: for example any HTTP, telnet or SSH administrative interface, and any user GUI or CLI, both via the ethernet ports and the Wi-Fi interface (if any).
The automatic firmware update procedure, if present, and the physical USB port are also targeted in an attempt to install a modified firmware version and gain privileged access.

If the above methods fail to achieve privileged access to the ONT device, a hardware attack vector is used: the flash / EEPROM chip on the ONT is physically removed, and the device’s firmware is extracted from it. We then attempt to write modified firmware back into the flash / EEPROM to obtain privileged access.

Phase 2: service level vulnerability assessments

If privileged access is obtained on an ONT device in the lab, the second phase of the assessment focuses on breaching the operator’s services that are reachable from the ONT device into the operator’s network. This phase is conducted on a breached ONT device connected to the operator’s fiber network and accessed remotely via a laptop.

During this phase, attacks are conducted on:

– any VLANs carrying data payload or administrative data traffic
– any VLAN used for voice services
– the IPTV service layer, if there is one