GPON FTTH networks (in)security (2016) (pierrekim.github.io)
simonjgreen 3 days ago [-]
I think it’s worth mentioning that this vulnerability really exists when the ISP has not separated duties of the physical devices well. Most PON networks do not use the ONU as a method of deciding which service the user should receive. This is instead usually defined by the PPPOE session and the characteristics sent by the RADIUS server. Having zero upstream authentication beyond an ONU serial number, if that, is poor and unusual network design.

If you’d like to understand more about good Ethernet based broadband network design, you should read the reference standard TR-101. This evolved from TR-099 which was the old ATM/ADSL standard.

ytch 3 days ago [-]
https://github.com/Anime4000/RTL960x

The article reminds me of this GitHub project, which uses a 3rd-party SFP ONU to connect to the internet with SLID, model, SN and other parameters.

RockRobotRock 4 days ago [-]
If I shined a laser pointer through the fiber in my house, would I DOS my neighbors?
simonjgreen 3 days ago [-]
Yes, this can happen with cheap/poor splitters upstream and/or high power lasers of the correct frequency. Sending a regular red laser up the fibre will likely do nothing, however I have encountered ONUs that do not have particularly selective receive optics. Sending a laser at 1310nm or 1490nm can cause havoc.
Faaak 3 days ago [-]
No
userbinator 4 days ago [-]
I've always thought access should be controlled on the ISP side, similar to how the telco can connect or disconnect your local loop from their property.
sleepy_keita 4 days ago [-]
PON uses passive splitters to allow multiple access -- you can't disconnect a fibre at the office without also taking down the neighborhood you're sharing the physical fibre with. The article, as I understand it, is how it's trivial to bruteforce other sessions once you have root in the ONU.
moe4joey 4 days ago [-]
Fiber can be connected at the PON usually, a lot of FTTH providers use splitters that are in a neighborhood. This is never done, for obvious reasons (usually the ONT is just set to a "locked" state if someone doesn't pay).

I'm not sure about how well these exploits would work on the fiber ISP I used to work at - most of the protections for "bad" ONT behavior are related to the light (a laser being stuck on or something else), in which case the ONT will throw an alarm and be disconnected automatically and a technician usually goes out and replaces it, restarts it, or they fix the fiber itself.

There were some protections against malicious behavior as well, but you could certainly tell the vendor designed much more for physical issues with the ONT that could harm other customers rather than someone hacking the ONT.

(AFAIK our ONTs didn't have an HTTP interface, but they were a lot different than the ones mentioned in this write up and were controlled via proprietary vendor software - still interested to know if they were able to be owned like this)

matt-p 3 days ago [-]
You have to assume an ONT is rooted/third party when designing PON; this is pure bad design, nothing more.

OLT should inject VLANs based on MAC/ID of the ONT+PON port; the only real vulnerability in ones I've designed is if someone on the same PON knows someone else's SN and their service was subscribed but ONT unplugged.
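
Added example, not part of the thread or of any vendor's code: a toy Python model of the binding described in the comment above, where the OLT chooses the service VLAN from its own table keyed on (PON port, ONT serial) and raises alerts on mismatches. The `Olt` class, the alert names and the serials are constructed for illustration.

```python
"""Toy model of OLT-side service binding (constructed; not vendor code)."""

# Constructed provisioning table: (pon_port, ont_serial) -> service VLAN.
PROVISIONED = {
    (1, "TEST00000001"): 101,
    (1, "TEST00000002"): 102,
    (2, "TEST00000003"): 103,
}


class Olt:
    def __init__(self, provisioned):
        self.provisioned = dict(provisioned)
        self.online = set()   # (pon_port, serial) pairs currently activated
        self.alerts = []      # (reason, pon_port, serial) for the NOC

    def activate(self, pon_port, serial):
        """Return the VLAN the OLT will tag this ONT's traffic with, or None."""
        key = (pon_port, serial)
        if key not in self.provisioned:
            known_elsewhere = any(s == serial for (_, s) in self.provisioned)
            reason = "serial-on-wrong-port" if known_elsewhere else "unknown-serial"
            self.alerts.append((reason, pon_port, serial))
            return None
        if key in self.online:
            # Two devices claiming one serial on the same PON: refuse the second.
            self.alerts.append(("duplicate-serial", pon_port, serial))
            return None
        self.online.add(key)
        return self.provisioned[key]

    def deactivate(self, pon_port, serial):
        self.online.discard((pon_port, serial))


def demo():
    olt = Olt(PROVISIONED)
    results = {
        "legit": olt.activate(1, "TEST00000002"),
        "clone_while_online": olt.activate(1, "TEST00000002"),
        "serial_from_other_port": olt.activate(1, "TEST00000003"),
    }
    # Residual case from the comment: the subscriber's ONT is unplugged, so the
    # OLT cannot tell a second device with that serial from the original.
    olt.deactivate(1, "TEST00000002")
    results["clone_while_offline"] = olt.activate(1, "TEST00000002")
    return results, olt.alerts
```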

simonjgreen 3 days ago [-]
This is a fair observation, however practicalities get in the way. It’s labour intensive to disconnect and connect at Layer 0. The way Access is usually controlled is the user will be unable to authenticate their PPPOE session/receive a DHCP assignment. Some ISPs will also authenticate but send them to a walled garden. Most PON networks are deployed using connectorised terminals so if there was a malicious or faulty user that was not a paying customer, they could physically disconnect them if they needed to without getting out the splicing tools.
RockRobotRock 3 days ago [-]
>Most PON networks are deployed using connectorised terminals so if there was a malicious or faulty user that was not a paying customer, they could physically disconnect them if they needed to without getting out the splicing tools.

In other words, they would send out a tech to disconnect the fiber between my house and the splitter on a utility pole somewhere in the neighborhood?

simonjgreen 2 days ago [-]
Exactly that, yes.
zokier 3 days ago [-]
Doesn't that depend on where the network is demarcated, i.e. is ONT/ONU considered to be on "ISP side"?
chaz6 3 days ago [-]
In the UK, we are tending towards separating the FNO (fiber network owner) and the ISP. The larger FNOs will provide wholesale access to multiple ISPs. There are some smaller operators that are both FNO and ISP, but I am not aware of any provider that combines the ONT and CPE, so they could wholesale without having to replace hardware.
simonjgreen 3 days ago [-]
I know of a few, they are using Ubiquiti, TP Link, and Calix. They are however all small.

BTW, if you’re in the UK altnet scene, are you in… the Slack?
