Subscribers to Pacific Century CyberWorks' (PCCW's) Netvigator broadband Internet service could be vulnerable to hacker attacks due to security loopholes discovered by network security experts in certain models of modems made by France's Alcatel. Last week, researchers at the San Diego Supercomputer Centre, a unit of the University of California at San Diego, and the Computer Emergency Response Team (Cert), based at Carnegie Mellon University, published back-to-back reports and warnings on their findings about the apparent flaws. According to these organisations, the Alcatel Speed Touch Home ADSL modem and the Alcatel 1000 Network Termination Device - among the most widely-used broadband modems - could allow a hacker to remotely install new firmware, the software embedded in the modems. This could allow hackers to take complete control of the device, including changing its configuration, and disrupting the communications between the telephone central office providing ADSL service and the device, the UCSD centre said. Cert said exploiting the modems' vulnerabilities could bring 'unauthorised access, unauthorised monitoring, denial of service, information leaks', and disable the devices. Netvigator - the Internet retail service arm of PCCW - has an installed base of about 200,000 broadband users and supplies customers with a range of DSL modems including models from NEC, 3Com and Arescom. Not one of these have reported vulnerabilities similar to those of the Alcatel models. However, the company has also distributed the Speed Touch Home ADSL modem to about 2,000 subscribers. The company said it had not received any complaints from users, although it was looking into the problem. Of Hong Kong's Internet companies, Netvigator is the only one to use the Speed Touch Home modems. 'Our network provider, PCCW, is well aware of the concerns about the modem, and is working with Alcatel to address this,' said Netvigator's assistant corporate communications manager, Evelyn Leung. PCCW said many of its ISP customers, including Netvigator, had their own security measures in place. 'We will inform our IS customers about this, and will keep them updated about the developments,' said PCCW official Shirley Tam. She also said the company was waiting for Alcatel to come back with some answers. Meanwhile, Alcatel said it was fully aware of the 'reported security vulnerabilities' involving the Speed Touch Home ADSL modem and Alcatel 1000 ADSL network termination device and was working with Cert to ensure the concerns raised in its advisory were 'satisfactorily addressed'. The company said the security issues raised were actually 'well-known general vulnerability problems' when connected to the Internet, regardless of the type of software up-gradeable access equipment being used (cable or DSL modems), and that it was not aware of any instance where a Speed Touch modem user had been compromised due to the reported vulnerabilities. The company said its modems could have been shipped with their built-in firewalls deactivated. It said the firewalls could be deactivated to enable the service providers to remotely upgrade the software profile in their customers' modems. The security concern is worsened by the fact that Alcatel is the leading provider of ADSL equipment to telecoms and Internet service providers. In November, the company said that more than 1.3 million of its DSL modems were in use worldwide. Alcatel is the leader in DSL modems, with a 34.9 per cent market share, according to market research firm Dell'Oro Group. About 1.6 million people used Alcatel DSL modems worldwide, Dell'Oro said. In Asia, Alcatel is also one of the major players, supplying network and equipment to some of the region's largest service providers. Last week it extended its relationship with Shanghai Mobile - one of China's fastest-growing mobile operators - providing it with infrastructure, software and services in a contract worth more than US$80 million.
