Multiple backdoors found in FTTH devices made by Chinese manufacturer C-Data


Researchers find multiple intentional backdoors in Fiber-To-The-Home (FTTH) OLT devices made by Chinese manufacturer Shenzhen C-Data Technology Co

Security researchers, Pierre Kim and Alexandre Torres have discovered that the 29 different models of FTTH OLTs made by the Chinese firm, Shenzhen C-Data Technology Co., ltd aka C-Data containing backdoors and other vulnerabilities. During the research, the researchers found undocumented Telnet admin account accounts in 29 FTTH OLT devices that are made by C-Data that pretty much allowed the makers universal access to the complete Internet grid connected through this OLTs.

These Telnet admin backdoors can give complete access to any FTTH OLT device made by C-Data and sold under different brand names across the world. And the researchers say that the backdoors are intentional.

What is FTTH?

FTTH or Fibre-To-The-Home is the delivery of a communications signal over optical fiber from the operator’s switching equipment all the way to a home or business. Earlier, the Internet used to be delivered through existing telephone lines or coaxial cable. However, more and more countries are moving to the FTTH technology which provides a hi-speed Internet network with less latency and data loss compared to copper telephone wires and coaxial cable.

What is FTTH OLT?

If your building or apartment has Internet, you might have noticed an Internet hub situated in the lobby or back alley. This is the LT or Line terminal. FTTH or Fibre-To-The-Home have similar terminals that are called Optical Line Terminal or OLT. These pretty much control the Internet services within the premises/company/industry or government buildings. The OLTs are installed according to the number of users. Some of the devices support multiple 10-gigabit uplinks and provide Internet connectivity to up to 1024 clients.

Backdoors in Chinese C-Data made FTTH OLT

According to the researchers, they tested two C-Data made FTTH OLTs – FD1104B and FD1108SN but infer that in all 29 FTTH OLTs or optical line terminals made by Chinese company C-Data have intentional backdoors. According to the researchers, these OLTs are manufactured by Shenzhen C-Data Technology Co., ltd or C-Data which is located in Shenzhen, China. These FTTH OLTs are sold all over the world under different brand names like Cdata, OptiLink, V-SOL CN, BLIY. 

Vulnerable C-Data FTTH OLTs:

The researchers state that the following models of C-Data made FTTH OLTs have backdoors. These models are being sold and installed all across the world under different brands mentioned above.

  • 72408A
  • 9008A
  • 9016A
  • 92408A
  • 92416A
  • 9288
  • 97016
  • 97024P
  • 97028P
  • 97042P
  • 97084P
  • 97168P
  • FD1002S
  • FD1104
  • FD1104B
  • FD1104S
  • FD1104SN
  • FD1108S
  • FD1204S-R2
  • FD1204SN
  • FD1204SN-R2
  • FD1208S-R2
  • FD1216S-R1
  • FD1608GS
  • FD1608SN
  • FD1616GS
  • FD1616SN
  • FD8000

C-Data FTTH OLT Backdoor

The 29 FTTH OLT models made by C-Data have following Telnet backdoors which could be used for pretty much anything right from spying/espionage, Denial of Service(DoS), uploading malware/ransomware, etc.

Previous and old versions can be abused with:

login: suma123
password: panger123

New recent versions can be abused with:

login: debug
password: debug124

login: root
password: root126

login: guest
password: [empty]

The researchers found that the Telnet backdoor accounts were hardcoded in the firmware which means that they were intentionally made available to the makers of the above OLTs.

A telnet server is running in the appliance and is reachable from the WAN interface and from the FTTH LAN interface (from the ONTs(Clients)).“Depending on the firmware, the backdoor credentials may change. You can find below a complete list of backdoor (undocumented) credentials, giving an attacker a complete administrator CLI access.

Kim and Torres

The researchers say that these initial backdoor CLI access could be used by the makers or potential hackers to extract confidential information, implant malware, trojans, or simply snoop by running a command in the CLI.

In addition to the snooping and implanting malware, the CLI access allows the makers or potential hackers to execute shell commands with root privileges. It can also be used for Denial of Service (DoS) attacks by making the FTTH OLT shut down or reboot remotely using the following command

$ for i in $(seq 1 10); do cat /dev/urandom | nc 23 | hexdump -C;done

The researchers also say that the makers/hackers could exfiltrate data including credentials in plain text. “Without authentication, an attacker can extract web, telnet credentials, and SNMP communities (read and write) by fetching these files”

The C-Data made FTTH OLTs were also found to use extremely weak encryption algorithms and insecure management interfaces which could be easily hacked according to researchers.

The researchers discovered the backdoors and vulnerabilities in December 2019 and made them public on 7th July 2020 as they believe that the backdoors were intentionally implemented in the firmware of the devices by the manufacturer. “Full-disclosure is applied as we believe some backdoors are intentionally placed by the vendor,” their report says.

You can read their full researcher here. Shenzhen C-Data Technology Co. Ltd. has not yet commented on this news.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments