Ethical hacker had access to internal network of KPN




Anyone with a business fiber-optic connection from KPN could reach part of the ISP's internal network. KPN equipment that was supposed to prevent this turned out to be bypassable. Passwords of switches and routers could be found on the internal network.

By connecting the fiber-optic cable directly to a switch rather than to KPN equipment, it was possible to get onto the internal network. Servers on the internal KPN network that answered requests could then be reached. Normally, the internal management network should not be reachable for customers. This is evident from the report by the anonymous finder of the leak, which Tweakers received.

On an internal FTP server that was accessible to anyone on the internal network, passwords of thousands of routers, switches and network equipment could be found. They were encrypted with outdated encryption methods and could therefore be figured out in seconds. This would theoretically have made it possible to eavesdrop on KPN Internet customers. The DNS servers of KPN could also be exploited for DDoS attacks, and “some IP addresses” on the network were “clearly intended” for managing routers at customers. It is unclear whether these connections could be abused, for example for flashing customers' modems.

KPN acknowledges the security issue and says it has since improved security. The company says that “there has been no impact on the vital infrastructure” and that “no customer or personal data have been at stake.” The researcher reported the problem to KPN in July via the National Cyber Security Center, through the company's responsible disclosure process; since then, KPN has been working on solving the problem. According to the researcher who found the problem, it is not so much a bug, but rather a security issue.

According to the investigation, a malicious party could have “caused substantial damage” to KPN’s infrastructure. It is not clear how far the impact would have gone. KPN has several networks: in this case the researcher probably had access to the wholesale Ethernet access services network, but that is not the network to which most customers are connected.

Exploiting the vulnerability was not trivial: a business wholesale fiber-optic connection was required. Renting the equipment for such a connection alone costs 2000 euros per month, apart from the cost of the actual connection.

The finder of the leak writes in the investigation that he is happy with the way KPN and the NCSC have responded to his report. At the same time, so-called “ethical hacking” is still a criminal offense, he emphasizes. Even if a company does not report the hacking, the prosecution service can prosecute. “Then you’d better hope it ends well,” says the researcher.

KPN spokesman Maurice Piek says he is happy with the responsible disclosure program, through which security issues can be reported without an ethical hacker running the risk of prosecution. “This shows that responsible disclosure works,” said Piek. “With this report we can secure the system further.”

Early last year it emerged that a then seventeen-year-old boy had broken into the KPN network and thus had access to KPN's core routers, through which Internet traffic could be intercepted. In June, the hacker was sentenced to community service and a short prison sentence.

