Q. What models are affected by these vulnerabilities?
A. The Alcatel "Speed Touch Home" and "1000 ADSL." We have not tested any other models.

Q. Is the "Speed Touch Pro" the same as the "Speed Touch Home?"
A. No. According to Alcatel, the "Speed Touch Pro" has routing and optional firewall capabilities. Alcatel has information on the Speed Touch Pro here and the Speed Touch Pro with Firewall here.

Q. Is there a firewall in the Speed Touch Home or 1000 ADSL?
A. No. See this FAQ from Alcatel.

Q. My "Speed Touch Home" shows the configuration setting "Firewalling on." Am I safe?
A. No. We have had this setting turned on during all of our tests. And Alcatel says that the product does not have a firewall.

Q. How do I generate one of those nifty charts?
A. That information will be forthcoming soon.

Q. Can you help me configure my ADSL router/bridge/modem to be more secure or run faster?
A. No.

Q. I have a router/bridge/modem that has these vulnerabilities. Should I change equipment? If so, what do you recommend?
A. We can't really answer that question. The only devices we have examined are the two mentioned above. We cannot say whether other devices have these same vulnerabilities, or other vulnerabilities.

Q. Why didn't you notify Alcatel before releasing this advisory?
A. We did.

Q. Aren't you just dredging up old vulnerabilities? I heard that they had been found a couple of years ago!
A. Only one of the vulnerabilities we announced (lack of a default password -- see www.nessus.org) was previously known. All of the other vulnerabilities are newly discovered.

Q. Why are you singling out Alcatel? There must be other vendors who ship vulnerable equipment.
A. We did not "single out" Alcatel; we just happened to use their equipment. We're not saying that they are any better or worse than any other company selling similar products.

Q. There are other vulnerabilities in this equipment. How come you didn't mention them?
A. Because we got tired of typing.

Q. These are just theoretical vulnerabilities. Nobody's actually done these things!
A. We have actually successfully exploited every vulnerability described in our advisory.

Q. It would take a really smart person to exploit these vulnerabilities, wouldn't it?
A. It only takes one "smart" person to write an exploit, and then millions of script-kiddies can use the exploit. And we believe that a lot of this really isn't that difficult.

Q. How do I make my DSL modem faster/more reliable/work?
A. Ask your service provider.

Q. What can I do to fix these vulnerabilities?
A. Ask your service provider. If they won't help, you can look at our tools page, but we really don't recommend that you try this.

Q. I just read your advisory. Who do I call to complain?
A. Talk to your service provider.