CVE-2016-6551
📋 TL;DR
This vulnerability allows remote attackers to gain elevated access to Intellian Satellite TV antennas using default credentials. Affected devices include t-Series and v-Series antennas running firmware version 1.07, which use non-random default credentials of ftp/ftp or intellian:12345678.
💻 Affected Systems
- Intellian Satellite TV antennas t-Series
- Intellian Satellite TV antennas v-Series
📦 What is this software?
T100q Firmware by Intelliantech
T100w Firmware by Intelliantech
T110q Firmware by Intelliantech
T110w Firmware by Intelliantech
T130q Firmware by Intelliantech
T130w Firmware by Intelliantech
T240ck Firmware by Intelliantech
T80q Firmware by Intelliantech
T80w Firmware by Intelliantech
V60 Firmware by Intelliantech
V60ka Firmware by Intelliantech
V65 Firmware by Intelliantech
V80g Firmware by Intelliantech
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the satellite antenna system, allowing attackers to modify configurations, intercept communications, or use the device as a pivot point into connected networks.
Likely Case
Unauthorized access to the device's management interface, enabling configuration changes, firmware modification, or service disruption.
If Mitigated
Limited impact if strong network segmentation and access controls prevent external access to the device's management interface.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials and network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version newer than 1.07
Vendor Advisory: https://www.kb.cert.org/vuls/id/200907
Restart Required: Yes
Instructions:
1. Download latest firmware from Intellian support portal.
2. Access device management interface.
3. Upload and apply firmware update.
4. Reboot device.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks using firewalls or VLANs.
Credential Change
Change default credentials if device allows credential modification.
🧯 If You Can't Patch
- Implement strict network access controls to prevent external access to device management interfaces.
- Monitor network traffic for authentication attempts using default credentials.
🔍 How to Verify
Check if Vulnerable:
Attempt an FTP or web login to the device management interface using the credentials ftp/ftp or intellian:12345678.
Check Version:
Check device web interface or use SNMP query to determine firmware version.
Verify Fix Applied:
Verify firmware version is newer than 1.07 and default credentials no longer work.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful login with default credentials
- Multiple FTP connection attempts from external IPs
Network Indicators:
- FTP traffic to satellite antenna devices on non-standard ports
- HTTP/HTTPS requests to device management interface from external networks
SIEM Query:
source_ip=external AND (username="ftp" OR username="intellian") AND action="authentication_success"
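
The log indicators and SIEM query above, as an added example (not part of the original advisory or any vendor tooling): a Python filter that flags successful logins as `ftp` or `intellian` from non-internal sources and records how many failed attempts the same source made beforehand. The log line format, the internal address ranges and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# Default account names listed in this advisory.
DEFAULT_USERS = {"ftp", "intellian"}
# Assumption: these ranges are "internal"; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed normalized log line (constructed format, not an Intellian log format).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>authentication_(?:success|failure))$")

def is_external(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return not any(addr in net for net in INTERNAL_NETS)

def find_default_logins(lines):
    """Return alerts for successful default-account logins from external sources."""
    failures = {}  # source IP -> failed attempts seen so far
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, user, action = m["src"], m["user"], m["action"]
        try:
            external = is_external(src)
        except ValueError:
            continue  # unparseable source address
        if action == "authentication_failure":
            failures[src] = failures.get(src, 0) + 1
        elif user in DEFAULT_USERS and external:
            alerts.append({"ts": m["ts"], "src": src, "user": user,
                           "prior_failures": failures.get(src, 0)})
    return alerts

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=203.0.113.7 user=admin action=authentication_failure
2024-01-01T10:00:05Z src=203.0.113.7 user=root action=authentication_failure
2024-01-01T10:00:09Z src=203.0.113.7 user=intellian action=authentication_success
2024-01-01T10:05:00Z src=192.168.1.20 user=ftp action=authentication_success
2024-01-01T10:06:00Z src=198.51.100.4 user=operator action=authentication_success
2024-01-01T10:07:00Z src=198.51.100.9 user=ftp action=authentication_success
not a log line
""".splitlines()

if __name__ == "__main__":
    for alert in find_default_logins(SAMPLE_LOG):
        print(alert)
```

A non-zero `prior_failures` corresponds to the "failed attempts followed by successful login" indicator; a zero value still matches the SIEM query condition on its own.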