EuroTel ETL3100 - Transmitter Default Credentials
#Exploit Title: EuroTel ETL3100 Transmitter Default Credentials
# Exploit Author: LiquidWorm
Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L
Product web page: https://www.eurotel.it | https://www.siel.fm
Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)
v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)
Summary: RF Technology For Television Broadcasting Applications.
The Series ETL3100 Radio Transmitter provides all the necessary
features defined by the FM and DAB standards. Two bands are provided
to easily complain with analog and digital DAB standard. The Series
ETL3100 Television Transmitter provides all the necessary features
defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as
well as the analog TV standards. Three band are provided to easily
complain with all standard channels, and switch softly from analog-TV
'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.
Desc: The TV and FM transmitter uses a weak set of default administrative
credentials that can be guessed in remote password attacks and gain full
control of the system.
Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)
lighttpd/1.4.26
PHP/5.4.3
Xilinx Virtex Machine
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5782
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php
29.04.2023
--
Using Username "user" and Password "etl3100rt1234" the operator will enter in the WEB interface in a read-only mode.
Using Username "operator" and Password "2euro21234" the operator will be able also to modify some parameters in the WEB pages.EuroTel ETL3100 Transmitter Default Credentials: A Critical Security Flaw in Broadcast Infrastructure
Recent findings by cybersecurity researcher Gjoko "LiquidWorm" Krstic have exposed a significant vulnerability in the EuroTel ETL3100 series of radio transmitters—critical devices used in television and FM broadcasting. The flaw lies in the use of weak, hardcoded default credentials that can be exploited remotely, allowing unauthorized access to system control interfaces. This poses a serious threat to broadcast integrity, signal security, and operational continuity.
Overview of the Affected Product
The EuroTel ETL3100 is a high-performance transmitter designed for both analog and digital broadcasting standards. It supports a wide range of transmission protocols including:
- DVB-T, DVB-H, DVB-T2 (Digital Video Broadcasting)
- ATSC (Advanced Television Systems Committee)
- ISDB-T (Integrated Services Digital Broadcasting – Japan)
- FM and DAB (Digital Audio Broadcasting)
Available in two primary variants:
| Model | Microprocessor | Version |
|---|---|---|
| ETL3100 Exciter | socs0t10/ats01s01 | v01c01 |
| ETL3100RT Exciter | socs0t08/socs0s08 | v01x37 |
These devices are deployed in broadcast stations worldwide, often serving as the backbone of signal transmission. Their remote accessibility via web interfaces, while convenient for maintenance, introduces a critical attack surface when default credentials remain unchanged.
The Vulnerability: Default Credentials Exploitation
According to the advisory ZSL-2023-5782, two sets of default credentials are hardcoded into the firmware:
- Username:
user
Password:etl3100rt1234→ Grants read-only access to the web interface. - Username:
operator
Password:2euro21234→ Allows full parameter modification and operational control.
These credentials are not only predictable but also easily guessable in automated attacks. Attackers can leverage brute-force or credential guessing tools to gain access without prior knowledge of the system configuration.
Exploitation Scenario: Remote Access via Web Interface
Consider a broadcast station using an ETL3100RT transmitter. If the default credentials are never changed, an attacker can:
- Access the web management interface via HTTP (typically port 80 or 443).
- Authenticate using the known credentials.
- Modify transmission parameters such as frequency, power output, modulation settings, or even disable the transmitter remotely.
This could result in:
- Signal interference or blackout.
- Unauthorized broadcasting of content (e.g., propaganda or malicious data).
- Disruption of emergency communications.
Such attacks could be executed from anywhere in the world, making the device highly vulnerable to remote exploitation.
Technical Details: Authentication Mechanism
The web interface of the ETL3100 relies on a basic HTTP authentication scheme, typically implemented via Basic Authentication or custom login forms. The following is a simplified example of how such an attack might be performed using curl:
curl -u "operator:2euro21234" http://192.168.1.100/admin/login
Explanation: This command uses curl to send an HTTP request to the transmitter’s management endpoint with the default credentials. If the system accepts the credentials, it returns a successful response (e.g., a session token or redirect to the admin dashboard). This demonstrates how easily an attacker can gain access without needing to exploit a software vulnerability—just by knowing the default password.
For improved security, the use of HTTP Basic Auth should be replaced with token-based authentication or multi-factor authentication (MFA). However, in this case, the device's firmware lacks such mechanisms.
Impact and Risk Assessment
Given the critical nature of broadcast systems, the risk posed by this vulnerability is high. The following factors contribute to the severity:
- Remote accessibility: The web interface is accessible over the network, even from the internet if exposed.
- High privilege access: The
operatoraccount can alter transmission parameters—potentially disrupting entire broadcast regions. - Low detection: Unauthorized changes may go unnoticed until signal anomalies are reported.
- Long-term exposure: Many devices may remain unpatched for years, especially in legacy broadcast infrastructure.
Recommendations for Mitigation
Operators and system administrators must take immediate action to secure these devices:
- Change default credentials immediately: Replace the default username and password with strong, unique credentials.
- Disable remote access: Restrict web interface access to local network or use a VPN for remote management.
- Implement network segmentation: Place transmitters in isolated zones with firewalls and access control lists.
- Regular firmware updates: Monitor vendor announcements for patches or updates to address known vulnerabilities.
- Log monitoring: Enable audit logs for login attempts and configuration changes to detect unauthorized access.
Additionally, organizations should conduct regular security assessments of broadcast infrastructure to identify and remediate similar flaws.
Vendor Response and Public Advisory
The vulnerability was reported to EuroTel S.p.A. and SIEL, Sistemi Elettronici S.R.L and has been documented in the public advisory ZSL-2023-5782. As of April 29, 2023, no official patch has been released. This underscores the importance of proactive security measures by end-users.
Security researchers emphasize that default credentials are a persistent threat across industrial control systems (ICS), IoT devices, and broadcast equipment. The ETL3100 case exemplifies how a simple oversight in design can lead to catastrophic operational risks.
Conclusion
The EuroTel ETL3100 transmitter’s default credentials vulnerability is a stark reminder of the need for robust security practices in critical infrastructure. While the device offers advanced broadcasting capabilities, its security foundation remains weak. Organizations must treat this as a high-priority issue—changing credentials, securing access, and monitoring system integrity to prevent unauthorized interference.
Security is not just about encryption or firewalls; it’s about designing systems with defense-in-depth from the ground up. The ETL3100 case shows that even the most sophisticated hardware can be compromised by a predictable password.