After a year, I can say that I have no complaints about the quality itself - for all the time I used the Internet and television, the TV did not work only one day, and the Internet worked all the time. The speed is excellent, the quality is decent, in general, I’m satisfied. Pah-pah so as not to squawk. But that's not what we're talking about. And about the fact that somewhere a couple of months later, in August 2013, an article appeared on Habré, which described the downright horror-horror consequences of switching to GPON, and this article concerned me directly, since I had exactly the described there is a “leaky” ZTE ZXA10 F660 router.

But I didn’t notice this article, and lived quietly, without particularly worrying about anything, for almost a year. Suddenly, in May 2014, a book appeared describing the same horrors. Which I, too, would have missed in the same way (since I knew nothing about him), if he, in turn, had not been quoted in his note by Alex Axler, whom I already read almost on a daily basis. One way or another, the issue raised was important, since it directly concerns security, and therefore such widespread coverage of the problem is completely justified. On the other hand, MGTS’s responses, and indeed their reaction to what was happening, gave reason to assume that someone was simply muddying the waters, and respected bloggers were simply quoting information without checking it. As well as the absence of other references on the Internet, which represent individual studies, and not copy-pasting of these articles, they were simply absent. Therefore, armed with all the knowledge available to me, I sat down to hack my own ZTE ZXA10 F660 GPON router, provided for free use by MGTS, via its WPS pin.

I won’t explain what WPS is here, because in my opinion it is a) generally a leaky and unnecessary technology, since it is much easier to just enter the default Wi-Fi password indicated on the bottom of the router and b ) this has been described perfectly for a long time, and more than once.

But we have a purely academic interest, we break our own router (well, in general, it’s MGTS’s, but in this case that’s not the point, since there is no interference in its settings). First I tried to find the PIN code on the router itself, there should have been a sticker like

There was everything on the router - from the WiFi password to the MAC address, but there was no pin. Then I climbed onto the mezzanine to get the box from the router. There was no pin on it either. Maybe in the instructions? I took out the manual and it’s not there either. It struck a chord with me, I went online and downloaded the instructions for the ZTE ZXA10 F660 - both the MGTS one and the factory one in general. I didn’t find it in them either.

Well, okay, in the article on Habré it was written that you can Google a pin code in 10 minutes. I sat down to google. First I googled zte zxa10 f660 wps pin, crap. Nothing on 10-15 pages. Then - zte zxa10 f660 pin-code - again nothing. I looked into images on Google - I think maybe there’s a sticker there? Also horseradish. I suffered for half an hour, but it turned out to be much simpler - I just had to enter f660 wps pin in Google, without starting about zte, so that the third and fourth link would come up with the pin code for the ZTE ZXA10 F660 - 13419622.

If we omit all the bla-bla-bla in Sergei’s article about speed, the default password and the 6th channel (which in my case is not such - and the channel is automatically selected for me, and the speed is quite normal, and the password was set for me - what I asked for, and not just a phone number), then there is something very useful in it. Namely, an indication that the WPS pin code for the ZTE ZXA10 F660 router starts with 1341. So now I was sure that I had found what was necessary, since I had to raise Linux, install Reaver and other crap in order to find a pin, and do in 10 hours what, as written on Habré, can be done in 5 seconds:

Thus, the “lucky” owners of this particular model of equipment (and the operator has only 2 of them, so the chance is 50/50), even if they set an impossible-to-crack password for the wireless network, will still be hacked in less than 5 seconds due to the imperfection of the technology.

Naturally, I had no desire.

It is clear that if we consider the subject from a general point of view, the question is not even whether the pin is known or not, but whether the WPS function is turned on at all or not, and whether the user can turn it off independently or not. In other words, the problem with WPS is divided into several subsections:

1. If WPS is available, the pins are different for each device, and the user can disable it - this is not so scary, because In this case, it will not be possible to connect from Windows so easily; you will first have to brute force the PIN code from Linux, and this is only available to those who have nothing else to do. Although there are plenty of those too. So, even in this case, it is better to disable it rather than change it.
2. There is WPS, the pins are the same for each device, but the user can disable it - in this case it is necessary to disable it without fail, since it will be possible to connect using software for Windows. The leaky, non-MGTS ZTE F660, or rather, not only it, all D-Link DSL 2640NRU have a completely similar problem, with pin 76229909 or 46264848 it connects with a bang, people just don’t know that it’s better to disable WPS. Yes, there are other examples.
3. In the specific case under consideration, the pin does not change in the router settings, but what’s worse is what both Sergey and Habré tried to shout about - WPS cannot be disabled by the user independently. And the question arises: was it disabled during one of the remote firmware updates by MGTS. Because otherwise - as already written, the question comes down to whether it is possible, without any hassle at all with selecting a pin, to simply hack Wi-Fi from Windows 7 in 5 seconds and connect to wi-fi from MGTS.

This is what I wanted to check.

After the pin was found, the second known ambush was that in Windows 7 PIN code authorization is used only for setting up an access point :

If, when you try to connect, Windows determines that the device is using standard factory settings, it will offer to configure the router.

If the wireless network settings have already been configured ( and this is exactly the case with all MGTS routers), then it is necessary (without considering the above Linux installation):

• or press a button on the router, which is impossible for attackers - since the router, to put it mildly, is not freely accessible

• or enter the WPA2-PSK key set at the setup stage
• or use third-party utilities to transfer the pin to the router

Naturally, if we enter our PIN code 13419622 from the ZTE ZXA10 F660 into the Windows “Security Key” window, then Windows considers that this is not a PIN code, but a password to Wi-Fi, and of course, it does not connect. Therefore, download and try to connect via

I used Jumpstart because it comes with a very handy Dumpper utility. Its two disadvantages are that a) it is in Portuguese (but everything is clear as it is), and b) that it also carries with it an unwanted update that forces Chrome and other browsers to open the google.ru page by default. , and search through the page trovi.com or trovigo.com, showing a bunch of advertising. In this case, you cannot simply change it back, and you will need to reset all browser settings. However, it is necessary to clearly understand that Trovi Search is not a virus, not a hijacker or malware, as they write in some places, but simply unwanted software installed as part of other free software that will show advertisements and sponsored links in search results , on the home page, and will also collect and send search queries to its servers to collect statistics. Therefore, antiviruses do not see it. However, keeping extra crap, even this kind, on a computer is also not ice, and therefore, details on how to remove trovi.com (a matter for one minute) are said and shown in this video instruction:

I don't know if QSS includes this same crap, because... I haven’t tried it - if anyone decides to try it with its help, please post.

To connect, it is better (although not necessary) to disconnect from all networks, because... If, for example, your phone still distributes the Internet, and your laptop connects to it, then until you disconnect, it may not be possible to connect to anything else using the pin.

So, the most important result - really disappointing - I was able, without any WPA2 passwords, by simply downloading and installing Jumpstart, and entering the pin code 13419622 to connect to my router via pin in 5 seconds:

after which I went to the network properties and looked at the WPA2-PSK password there.

Even easier than I once did.

A little later, I found a link on one of the hacker sites, which stated that PIN 13419622 is only suitable for routers with a BSSID (Mac Address) starting with 34:4B:50 and 2C:26:C5, and on DC:02: 8E (just my case) - updated ZTE, possibly with different firmware, in which WPS is blocked.

So, I can say with confidence (since I got my neighbors involved in this matter and checked it on their devices) that several DC:02:8E:B3 model number: 123456, model name: broadcom, including mine — all also full of holes; but DC:02:8E:D2 and DC:02:8E:D5 model number: EV-2012 model name: onu are fixed, and they are no longer connected to with this pin. So there is an opinion that someone was lucky, since MGTS either remotely disabled the enabled WPS on routers by downloading new firmware for them, or corrected this bug in some other way, or did not fix it, but only made the selection a little more difficult by simply changing the pin (as I already said, I have neither the desire nor the time to check for 10 hours while picking it up). And someone, like me, had the fate of being left with a completely leaky Wi-Fi that could be hacked in 5 seconds just from under Windows. By the way, the firmware on mine is 2.21, although I know for sure that there is already 2.3 - and maybe a later one.

Therefore, I have a big request - if you managed to connect to your router using the specified method, please write in the comments. And of course - let's contact MGTS with a link to this article - let them correct it (which I will do in the near future, I will inform you about the results). In the meantime, you can either live with a leaky Wi-Fi (in the days of ADSL there was a theme with FON, when users even provided free access via Wi-Fi), or, as a last resort, put filtering by Mac address for all their devices (also not a panacea). Well, or install an additional access point on the wire without/with switchable WPS.

And further. I didn’t come up with anything special, but simply collected and structured the information available on the Internet. Because the kul-hackers already know this, but ordinary people treat security issues with unforgivable carelessness. All files and descriptions are posted not to answer the question “how to hack Wi-Fi,” but for the sole purpose of allowing everyone to check how secure their own network is. Remember that if you are going to hack someone else's Wi-Fi using this method, then this, like any other unauthorized entry into someone else's network, entails criminal liability. Based on the router log, you will still be identified. If you want to help a neighbor, first ask his consent. Use this article as a weapon of self-defense - for defense, not attack.

And remember, if you do not have the goal of distributing the Internet to everyone, and your router allows this, be sure to disable WPS. Even if you are not on MGTS GPON.

The MGTS GPON zte f660 router is a new generation of equipment used to connect to the worldwide Internet. GPON technology indicates that the router is designed for fiber optic connections. The device can exchange data both via cable and using a Wi-Fi signal. The uniqueness of the equipment lies in the fact that in addition to access to the Internet, the router is capable of providing its owner with IP telephony and allows you to create a local web server.

Today we will look at the features of the router, simultaneously discussing how to configure the MGTS GPON zte f660 Router in order to use the stated functions.

Characteristics, features of the device

If we consider the main characteristics of the f660, it should be noted that the transmitter operates at an operating frequency of 2.4 gigahertz. The Wi-Fi signal can be transmitted at speeds of up to 300 megabits/second, and the equipment supports up to 4 network IDs, which can support the connection of about 120 users simultaneously. The router is also designed to increase the range of signals from nearby routers.

If we talk about the design of the device, it provides the following connectors:

• LAN – 4 pcs. Designed to connect other devices using a standard Internet cable;
• USB – 2 pcs. Allows you to manipulate electronic media (for example, when you need to update the firmware);
• POTS – 2 pcs. Connectors involve the use of a telephone cable to connect telephony.
• Power – 1 connector. With its help, the device is connected to the power adapter;

Also, the back side of the router is equipped with on/off buttons for the device, buttons for resetting all settings and adjusting Wps/Wlan functions, plus a GPON connector for connecting to a fiber optic line. As you can see, the functionality of the device is quite high.

How to connect and configure a router

In order to start using the device, you need to properly connect it to the equipment and ensure its connection to the fiber optic lines. We present you a step-by-step connection guide:

• Find the device's power supply inside the box with the router. Insert the plug into the corresponding connector on the rear panel of the unit, and the unit itself into an outlet with an operating voltage of at least 220 volts.
• Prepare the fiber optic cable by identically connecting one end to the outlet and the other to the router socket.
• Attach the plug of the Internet cable to the connector of the computer or laptop intended for the network card, and the other end of the cable to any of the LAN ports. Make sure the cord is securely seated in the device you plan to tune from.
• Look for activity lights on your router; the one that shows the LAN connection should be lit.

If the light does not light, make sure the network card is working, and then try again. If you encounter additional difficulties, contact your provider's technical service; specialists will help you connect and test the connection with detailed instructions.

After the equipment is operational and access to the World Wide Web is possible through a home, wired network, you need to set up data exchange via the Internet via Wi-Fi.

Step-by-step setup of the MGTS GPON zte f660 router:

• Open the address bar of any active browser on your computer and enter the command “http://192.168.1.1.” into it. The system will redirect you to a page in the active lines of which you will need to enter your login/password (in both cases the word “admin”). The steps will take you to the main menu with settings for your router.

• Before you are tabs in English, select the “network” section, then “wlan” and “basic”. Proceed to fill out the forms, strictly following the instructions. The first line called “wireless RF mode” allows you to select one of the drop-down filling options. Commit the "enabled" version. In the “mode” line, the data “mixed(802.11b+802.11g+802.11n)” should be selected. In the field with the region/country – Russia. Then fill in the following lines: Channel – auto, Transmitting Power – 100 percent, Qos Type – disabled, RTS Threshold and Fragment Threshold – digital value 2346. Complete the setup of this page by pressing the “submit” button.
• Go to the next tab in the left menu “Multi SSID settings”. Also configure the fields that open according to the instructions: Choose SSID – SSID 1, a bird in the Enable SSID column, an arbitrary network name in the SSID name. Confirm your actions with the “submit” button.
• The next step is the Security tab, here you need to configure the security of your network. To do this, you need to fill in the following lines: choose SSID – SSID 1, authentication type – WPA/WPA2-PSK. The final step is to create a custom password. The requirements for the code are simple - it must be composed of at least 8 characters in the Latin alphabet, it is recommended to use both letters and numbers with symbols. The maximum number of characters is 63. Once the password is entered and you are sure that you will not forget it, you can complete the setup with the “submit” save button.

If you want to change administrative access to your router settings, go to the user management section. A window will open asking you to confirm your username and old password, after which you can capture and save your new administration access code. The described steps will help you secure your Wi-Fi network and avoid unauthorized connections (video below).

We looked at how to connect and configure the MGTS GPON zte f660 router. If your devices are operational and ready for use, the described manipulations should not cause difficulties.

Watch the video - how to change the password on Wifi (zte F660v3).

The ZTE ZXA10 F660 router is modern network equipment necessary for connecting to the worldwide information network via a fiber optic line (GPON technology). In terms of its functionality, it is both an ONT terminal and a Wi-Fi router, capable of distributing the Internet both via an Ethernet cable and using a wireless connection with the end device.

In addition to the standard capabilities of the zxa10 f660 router, it also provides IP telephony functionality and the ability to create a local Web server based on the router.

And this article provides step-by-step instructions for setting up the zte zxa10 f660 router from MGTS, and also discusses some of the subtleties of connecting this device.

ZTE zxa10 f660 router: technical specifications and design features

The gpon ont zxhn f660 router is an economical mobile Wi-Fi transmitter with a main operating frequency of 2.4 GHz.

The router's functionality provides data transfer speeds via Wi-Fi up to 300 Mbit/s, while the device supports up to 4 SSIDs with simultaneous connections of 128 users to each network.

The zte f660 router also supports WPS mode, so the device can be used to expand the WiFi zone of another router.

On the back of the router are located:

• - standard LAN connectors for connecting devices to the zxa10 f660 via an Ethernet cable;
• - two POTS connectors for implementing the IP telephony function (for connecting an RJ-11 telephone cable);
• - two USB connectors for connecting external media (including for updating the device firmware and organizing a local Web server);
• - POWER connector for connecting a power adapter;
• - buttons to turn on/off the WLAN and WPS functions;
• - RESET button to reset the router settings to factory settings;
• - router on/off button.

The GPON connector for connecting the fiber optic cable provided by the provider can be located either on the back or on the side panel of the zte f660 router.

Connecting a zte f660 modem

1. Connect the power supply (supplied with the device) into a 220V electrical outlet, and its plug into the socket provided for it on the rear panel.

2. Connect the optical cable with the green plug to the intended port, and its other end to the socket.

3. Insert the plug of the patch cord (Ethernet cable) into one of the four LAN sockets, and its other end into the network card connector of the computer from which you will enter the settings of the MGTS gpon zte zxa10 f660 router.

When you connect the router to the PC, the indicator corresponding to the active LAN connector should light up on the front panel of the device. If this does not happen, it is recommended on this computer.

How to configure zxa10 f660 router?

Connection, testing and configuration of optical communications are usually carried out by specialists from the communications service provider.

If you install the zte f660 optical modem yourself, then call the provider’s service department, ask to set up the equipment and follow the specialist’s instructions.

Router zte zxa10 f660: WiFi setup

1. Launch any Internet browser installed on your computer and enter http://192.168.1.1 in the address bar.

In the field that appears, enter the login: admin, password: admin and enter the configuration interface of your device.

2. A menu with tabs will appear in the window that opens: “Status”, “Network”, “Security”, “Application”, “Administration”.

3. Go to the “network” tab, the “WLAN” submenu and its “Basic” submenu.

In the “Wireless RF Mode” column, select the “Enabled” option.

• - Next, “Mode” must be set to “Mixed802.11b+g+n” mode.
• - “Country/Region” - “Russia”.
• - “Chanel” - “Auto”.
• - “Transmitting power” - “100%”.

4. Click the “Submit” button, then go to the “Multi-SSID Settings” subsection.

In the “Choose SSID” column, select “SSID1”.

• - Check the “Enable SSID” checkbox (Check that this checkbox is unchecked in other SSIDs).
• - Come up with a name for your network and enter it in the “SSID Name” field.

5. Click the “Submit” button again and go to the “Security” subsection.

- Here in “Choose SSID” select the first option.

• - Set “Authentication type” to WPA2-PSK.
• - Create a Wi-Fi network password and enter it in the “WPA Passphrase” field.

The password must be unique and contain at least 8 Latin characters. It is not recommended to set standard and easy-to-guess passwords (for example, your home address) to avoid unauthorized connections to your WiFi network.

How to change the password for the MGTS zte f660 router?

To set a unique administrator password used to enter the settings of the MGTS gpon zte zxa10 f660 router, go to the “Administration” menu and the “User Management” submenu.

- Switch “User Right” to “Administrator”.

Enter the old password in the “Old Password” field, and the new password in the “New Password” and “Confirm Password” fields.

It is also recommended to disable the WPS function before using the zte f660 router. To do this, press the corresponding button on the back of the device.

MGTS GPon subscribers are under threat of hacking, new networks - new problems

• Information Security ,
• Development of communication systems

1. Introduction

In the capital of our vast Motherland, an unprecedented in scale project is underway to introduce Gpon technology from the MGTS company under the auspices of the fight against copper wires and for affordable Internetization of the population. The number of MGTS subscribers in the city of Moscow exceeds 3.5 million people, it is assumed that everyone will be covered.
The idea is wonderful - optics to every apartment, high-speed Internet, free connection and a Wi-Fi router as a gift (though officially without the right to reconfigure it, but more on that later). The implementation of such a large-scale project (a similar device is installed in every apartment where there is at least a landline telephone from MGTS), as usual, was not without holes in the planning, which could be costly for the end user. Our company became interested in the information security issues of clients of such a large-scale project and conducted an express study, the results of which we offer to the public to inform the public about existing threats and measures to combat them at home.

2. Life in the palm of your hand

The threats turned out to be not at all illusory and insignificant, but systemic and the risk potential is difficult to overestimate. I want to warn happy MGTS subscribers against the threat to their privacy hidden not only in the ZTE ZXA10 F660 router, kindly forcibly donated by the provider (however, the less vulnerable Huawei HG8245, also installed for subscribers, is still in no way protected from “default settings”), but and in the organization of connecting subscribers to new communication lines.
This is what the operator-installed equipment options look like:

Less dangerous Huawei HG8245

Much more “holey” ZTE ZXA10 F660

There are several problems here of varying degrees of danger, some you can solve on your own, others you can only pay attention to. Let's list the main points that will help an attacker hack your home network (provided that you are an MGTS Internet subscriber):

• The WiFi password is your phone number (during the study, we encountered lazy installers who left the router’s MAC address without the first 4 characters as the password).
  This means that hacking Wi-Fi using the brute force handshake technique using the mask 495?d?d?d?d?d?d?d will not take much time, we are talking about a matter of minutes and for this it is not at all necessary to be near the target of hacking all the time . It is enough to intercept the moment of connection between the subscriber’s wireless device (smartphone, tablet, laptop) and the router, and the rest can be easily done on your home computer. This operator's miscalculation at the connection level is a gaping hole that opens the home networks of millions of subscribers to attack by intruders. This problem can only be solved locally - by independently changing the access point password to a more secure one, but the next vulnerability is much more serious, since the subscriber simply cannot effectively influence it on his own.
• We are talking about a vulnerability in the WPS wireless configuration technology, which is enabled by default on ZTE ZXA 10 F660 routers. And if in the case of an organizational miscalculation that compromised user networks at the password level, an attacker cannot hack subscribers en masse, dealing with each one separately, then by exploiting the WPS vulnerability of a router of this model, network hacking can be put on stream. The technology works as follows: for a WPS connection, a PIN code consisting of 8 digits is used. When the correct PIN code is received, the router gives the real Wi-Fi password. Not only can this PIN code be hacked using the well-known Reaver tool much more efficiently and faster than a complex WPA2 password, but the main problem is that it is the same for all ZTE ZXA10 F660 routers! Moreover, it can be easily found in 10 minutes on the Internet. I repeat - knowing this PIN code (which cannot be changed or turned off), within 3 seconds a real Wi-Fi password of any complexity and type of encryption is obtained, or a direct connection to the subscriber’s network is made. Thus, the “lucky” owners of this particular model of equipment (and the operator has only 2 of them, so the chance is 50/50), even if they set an impossible-to-crack password for the wireless network, will still be hacked in less than 5 seconds due to the imperfection of the technology.

3. What are the consequences for the owner of WiFi hacking?

Let’s leave aside platitudes like “free Internet”, this is not the 90s and people with gadgets usually have enough access to the Internet. So what are the threats? Let's list the most obvious ones:

• Interception of subscriber traffic, theft of passwords from email services, social networks, messaging programs and other confidential data
• An attack on the computers of the owner of the point of sale in order to gain access to the user’s files, view web cameras, install viruses and spyware (as a rule, home PCs are much more vulnerable to attacks from within than corporate machines, here are traditionally weak passwords and irregular updates and open resources )
• Wiretapping of telephone conversations. (Yes, with the switch to unsecured sip this is easier than ever). Now not only intelligence agencies, but also a curious neighbor (or maybe not a neighbor) can record your conversations on a city number due to the fact that the new telephony technology works using the unprotected SIP protocol. For the rapid interception and recording of conversations, all the necessary tools have long been publicly available.
• Theft of a telephone number - by slightly changing the router software, an attacker can find out the password for a SIP account and use it to make calls on behalf of the hacked subscriber. This is not only the potential for direct loss to the owner of the number, but also the possibility of causing much more serious damage by using the number of an unsuspecting citizen for blackmail, terrorist contacts, or in order to frame the owner - for example, using this number to report a bomb to the police
• Creation of a large botnet (the number of MGTS subscribers in Moscow is 3,504,874) with the potential of each connection being 100 Mbit/s. Yes, this will require an army of lemmings, but as everyone knows, hordes of biological bots constantly live on various kinds of “vats”, which are regularly attracted by interested parties to various Internet actions, usually of a sabotage nature.
• Using a random (or non-random) network to anonymously upload prohibited materials to the Internet (Can you guess whose door they'll knock on?).

4. Protective measures

What can you do to protect your privacy in such a situation? There is little you can do yourself, but these are mandatory steps for anyone who does not want to become a victim of a poorly thought out operator campaign.
We will need router passwords that are easy to Google on the Internet, write down:

• Access to the web interface of the ZTE ZXA10 F660 router – login: mgts,Password: mtsoao
• Access to the console via Telnet protocol – login: root, password: root
• for Huawei HG8245:
  default address - 192.168.100.1
  login: telecomadmin, password: admintelecom
• Through the web interface, be sure to change the password for the access point and its name (the MAC address will still indicate that it belongs to MGTS clients, but renaming the point will reduce the likelihood of matching a specific Wi-Fi signal to a specific apartment)
• Owners of ZTE ZXA F660 should disable Wi-Fi functionality using the button on the device. At the moment, this is the only way to protect against WPS hacking.

Unfortunately, at best, only a few percent of the 3.5 million users will use these measures, the majority will never know about this article and will remain vulnerable to a real threat for a long time, until something or someone forces the operator to spend a lot money and take centralized measures to correct the technical and organizational shortcomings of the project.

5. Conclusion

What conclusions can be drawn from all of the above? The most disappointing ones are that the largest GPON implementation project (I repeat – we are talking about 3.5 million subscribers!) was carried out without consultation with information security specialists, or these consultations were completely ignored during the implementation itself. Phone passwords, non-disabled WPS with a single key, unprotected SIP telephony, passwords extracted from the WEB interface - are the result of a weak organizational component and complete disregard for basic information security standards. I am sure that MGTS is far from unique in such miscalculations; many smaller network service operators find themselves in the same situations in the field of protecting the data of their subscribers, but the scale of the problem this time exceeds all imaginable boundaries

6. Official reaction of OJSC MGTS

We, as ethical security researchers, are interested in quickly solving the problems raised above. Unfortunately, our concern did not find a response in the hearts of the press service of OJSC MGTS, whom we tried to reach using all available channels. We received only one review - through Facebook, a press service employee assured us that we can publish the existing material with a clear conscience, and then, when answering questions from the press, they will assure everyone that subscribers are safe and their data is confidential.