Why hacking routers is worthwhile

11/29/2016
G DATA Blog

Last weekend about 900,000 customers of Deutsche Telekom found themselves without a working internet connection. The root cause was an attack on the ISP's customer routers. We have compiled the most important facts and information for you in this article.

Motivation

Attacks on routers and similar hardware are a lucrative business. If attackers can successfully exploit a weakness in, say, a remote maintenance protocol, they can take full control of the device and manipulate it. Changing the DNS settings is one possible manipulation: it lets the attackers redirect name resolution, and with it the victims' traffic, to a server under their control. This in turn would allow an attacker to steal personal data on a massive scale, such as access credentials for company networks as well as logins for social media platforms, online shops or email accounts.

Attacks against specific router models are not new. Organizations have fallen victim to attacks against their routers and VoIP hardware, and the same is possible in a home user setting. Back in 2014, malware installed on home routers dialed premium-rate numbers without the knowledge or consent of the line's owner, leaving the victims with very high bills.

What happened and who is affected?

Attackers tried to take over specific router models by exploiting a weakness in a maintenance protocol. This protocol is normally used by ISPs to configure their customers' routers remotely. A device on which the exploit succeeds then downloads an installation file from a specific web address; the file is built for the device's CPU architecture.

The attack affects customers of Deutsche Telekom who are using a Speedport router. The affected devices are made by the Taiwan-based manufacturer Arcadyan and are sold or rented to customers. According to Deutsche Telekom, no customer data was at risk at any point during the attack.

Why were routers attacked?

During the attack, an attempt was made to install software on the attacked devices which would have turned them into bots of the Mirai botnet. This botnet was recently responsible for a major DDoS attack carried out with compromised webcams.

In theory, a botnet can be used for a variety of purposes, from performing DDoS attacks to sending spam emails.

How can I protect myself?

Deutsche Telekom has already released a firmware update for affected devices. This update is installed automatically as soon as the router connects to the ISP. After the update, the remote configuration port 7547 is no longer reachable. The update can be forced by removing power from the router for 30 seconds and then reconnecting it.

To make sure that routers are protected from unauthorized access, any default passwords should always be changed. Note that a default password is not what was attacked here: changing it protects the administration interface, but only the firmware update closes the weakness in the maintenance protocol. If firmware updates are not installed automatically, the user needs to take action: check the manufacturer's website for recently updated firmware installation files.

Update

According to further analyses by several international researchers (such as Comsecuris), a Denial of Service (DoS) vulnerability in the affected devices is to blame for the outage. The weakness was triggered by repeated requests on port 7547 from the Mirai botnet, which was probing for vulnerable devices at the time. As discussed, the port is used by ISPs to remotely configure routers. Devices that are already part of the Mirai botnet attempt to exploit a weakness in that protocol which allows remote code injection and execution. This weakness has been known for quite a while. If a device is vulnerable, an installer is downloaded which adds it to the botnet. The Speedport devices very likely run an operating system which does not allow the installation of additional software, so the infection itself failed; that does not rule out other vulnerabilities in these devices.
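The pattern described above, many connection attempts to the remote-configuration port on the same device in a short time, is visible in a router's or ISP's firewall logs. The following is an added example, not code from the G DATA article or from Deutsche Telekom: it parses netfilter-style log lines (the SRC, DST, PROTO and DPT field names are netfilter's; the sample lines themselves are constructed for this demonstration) and raises an alert when one device receives more than a threshold of attempts on port 7547 within a sliding window, or is probed by many distinct sources. The thresholds and the documentation-range IP addresses are assumptions chosen for the demo; the article does not name the protocol, so the code only refers to the port number it gives.

```python
"""Detect mass probing of the remote-configuration port (7547) in firewall logs.

Added example, not part of the original article. Log lines follow the
netfilter LOG target format as emitted by many Linux-based routers; the
sample data built below is constructed for this demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MGMT_PORT = 7547                     # port named in the article
WINDOW = timedelta(seconds=60)       # sliding window (assumption)
PER_DEVICE_THRESHOLD = 20            # attempts on one device per window (assumption)
DISTINCT_SRC_THRESHOLD = 5           # distinct probing sources per window (assumption)

# syslog timestamp, host, "kernel:", then the netfilter key=value fields
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2016):
    """Parse one log line into a dict, or return None for non-matching lines.
    syslog lines carry no year, so the caller supplies it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def analyse(lines, port=MGMT_PORT, window=WINDOW):
    """Return {dst: alert} for devices whose inbound TCP attempts on `port`
    exceed the thresholds inside the sliding window. Lines must be in
    chronological order, as they are in a log file."""
    recent = defaultdict(deque)      # dst -> deque of (timestamp, src) in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dpt"] != port or ev["proto"] != "TCP":
            continue
        q = recent[ev["dst"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than window
            q.popleft()
        attempts = len(q)
        sources = {s for _, s in q}
        if attempts >= PER_DEVICE_THRESHOLD or len(sources) >= DISTINCT_SRC_THRESHOLD:
            prev = alerts.get(ev["dst"])
            if prev is None or attempts > prev["attempts"]:   # keep the peak
                alerts[ev["dst"]] = {"attempts": attempts,
                                     "sources": len(sources),
                                     "last_seen": ev["ts"]}
    return alerts


def _fmt(ts, src, dst, proto, dpt):
    """Build one netfilter-style log line (constructed sample data)."""
    return (f"{ts:%b %d %H:%M:%S} speedport kernel: IN=ppp0 OUT= "
            f"SRC={src} DST={dst} LEN=60 TTL=51 PROTO={proto} "
            f"SPT=54321 DPT={dpt} SYN")


def build_sample_log():
    """Constructed sample: 24 attempts on port 7547 against one router from
    six sources within 46 seconds, three attempts against a second router,
    and ordinary HTTPS traffic that must not alert."""
    base = datetime(2016, 11, 27, 14, 3, 0)
    victim, quiet = "203.0.113.10", "203.0.113.11"
    scanners = [f"192.0.2.{i}" for i in (11, 12, 13, 14, 15, 16)]
    lines = []
    for i in range(24):
        lines.append(_fmt(base + timedelta(seconds=2 * i),
                          scanners[i % len(scanners)], victim, "TCP", MGMT_PORT))
    for i in range(3):
        lines.append(_fmt(base + timedelta(seconds=50 + i), scanners[0],
                          quiet, "TCP", MGMT_PORT))
    for i in range(10):
        lines.append(_fmt(base + timedelta(seconds=55 + i), "198.51.100.7",
                          quiet, "TCP", 443))
    return lines


if __name__ == "__main__":
    for dst, alert in analyse(build_sample_log()).items():
        print(f"{dst}: {alert['attempts']} attempts on port {MGMT_PORT} "
              f"from {alert['sources']} sources, last {alert['last_seen']}")
```

Run stand-alone it reports the constructed victim with 24 attempts from 6 sources and nothing for the second router. On a single CPE only the local address appears as DST; at the ISP edge the same logic, keyed by customer address, shows how many devices are being hammered at once, which is the signal that distinguishes a botnet scan from a single misbehaving client.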

Further details are sparse at this point, but so far there is evidence that this DoS attack was performed unintentionally. Whoever is behind it made a fundamental mistake which resulted in the Speedport devices being queried repeatedly until the routers stalled and the users were unable to connect to the internet.

The real objective was reconnaissance and infection of vulnerable devices, but the actual outcome was not the successful exploitation of a protocol security flaw but an unintended overload of the targeted devices.

However, this does not change the recommended mitigation strategies. Our recommendation to change default passwords still stands. The ISP has reacted quickly by making sure that the port in question is no longer reachable, so attackers can no longer reach the vulnerable service from the internet.

One can say that looking at the potential consequences of a more successful attack, we all got away this time with no more than a black eye.