In mid-June of this year, I attempted to login to the (non-internet facing) management UI of my TM-AC1900 and my pw wasn't working. I took the router offline, checked out my box, which seems to be fine.
The next morning, I turned on the router (not connected to internet) and noticed that my two SSIDs (one of 2.4 and one for 5.0) were gone. In their place was a single SSID with the cryptic name "on" (minus the quotes).
At this point, my dilema was this: I could hard reset the router and be back in business but without knowing what happened, and the attack vector (if indeed there *is* one), a similar event could happen again, possibly with more serious consequences.
Some more details:
My management UI's PW was 10 alpha-numeric characters, with no discernable pattern or words, while my wireless login PWs were 16 character alpha-numeric and special characters. I realize the former could have been stronger.
I'm running the most current version of T-Mobile's firmware - I know there's been at least one forced update that happened near the end of last year / begining of this year., which was noticeable due to the sudden disappearance of the SSH server. I'm not able to provide an exact version number, since without being logged in, I have severely limited access.
So - since that time, with the router not connected to the internet, and the wireless access turned off, I have been mapping the application and doing lots of testing. At this point, I'd like to be clear regarding vulnerabilities (most of which I've reviewed) / potential vulnerabilities - I'm all about responsible disclosure, so I am not wishing to discuss or inquire about nonpublished vulns or exploits.
I've been doing quite a bit of reading here since joining about a week after the "event", and from what I understand, the resources on this router are the same as an RT-AC68U, except for a bit of code that is a device profile specifically for T-Mobile. I'm wanting to find the source for the backend asp pages, which I'm assuming I'd find in asuswrt source. I've browsed through the git pages of both mikewadsten and pjotrligthart, and much of what I've seen maps to the application on my router but when a generic GET request is made to either the IP or of the router or "cellspot.router", the first response (I realize that most of the content is dynamically generated) has a title of "T-Mobile Mobile QIS", but there is no file name in the address bar. It also requests resources such as /iui/onoff.css that don't appear in the lists of resources on either mikewadsten's or pjotrligthart's git pages, so I'm not sure if I'm on the right track.
Best,
yabai
The next morning, I turned on the router (not connected to internet) and noticed that my two SSIDs (one of 2.4 and one for 5.0) were gone. In their place was a single SSID with the cryptic name "on" (minus the quotes).
At this point, my dilema was this: I could hard reset the router and be back in business but without knowing what happened, and the attack vector (if indeed there *is* one), a similar event could happen again, possibly with more serious consequences.
Some more details:
My management UI's PW was 10 alpha-numeric characters, with no discernable pattern or words, while my wireless login PWs were 16 character alpha-numeric and special characters. I realize the former could have been stronger.
I'm running the most current version of T-Mobile's firmware - I know there's been at least one forced update that happened near the end of last year / begining of this year., which was noticeable due to the sudden disappearance of the SSH server. I'm not able to provide an exact version number, since without being logged in, I have severely limited access.
So - since that time, with the router not connected to the internet, and the wireless access turned off, I have been mapping the application and doing lots of testing. At this point, I'd like to be clear regarding vulnerabilities (most of which I've reviewed) / potential vulnerabilities - I'm all about responsible disclosure, so I am not wishing to discuss or inquire about nonpublished vulns or exploits.
I've been doing quite a bit of reading here since joining about a week after the "event", and from what I understand, the resources on this router are the same as an RT-AC68U, except for a bit of code that is a device profile specifically for T-Mobile. I'm wanting to find the source for the backend asp pages, which I'm assuming I'd find in asuswrt source. I've browsed through the git pages of both mikewadsten and pjotrligthart, and much of what I've seen maps to the application on my router but when a generic GET request is made to either the IP or of the router or "cellspot.router", the first response (I realize that most of the content is dynamically generated) has a title of "T-Mobile Mobile QIS", but there is no file name in the address bar. It also requests resources such as /iui/onoff.css that don't appear in the lists of resources on either mikewadsten's or pjotrligthart's git pages, so I'm not sure if I'm on the right track.
Best,
yabai
