'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was …

  1. Soulhand

    "This appears to be a consequence of TR-069 – aka the Customer-Premises Equipment WAN Management Protocol – which makes TCP/IP port 7547 available. ISPs use this protocol to manage the modems on their network. But the server running on that port is a TR-064 server and thus accepts TR-064 commands."

    This is confused. Port 7547 isn't mandated by TR069, although the only port that needs to listen on a router for TR069 is often 7547; that is for connection requests and should do nothing else than "phone home" to its TR069 server when an authenticated request is made.

    Despite the similar numbers, TR069 and TR064 have no connection, and any CPE vendor running a TR064 server on the TR069 connection request port is a) nuts and b) likely to get issues like this. But it's not a *consequence* of running TR069 so in particular, this:

    "A Shodan search [login required] indicates that approximately five million devices offer TR-064 service over the internet. While not all of these devices are necessarily vulnerable, many of them are"

    isn't true. Having 7547 open does NOT imply a TR064 service is offered. Probably just the TR069 connection request and that's harmless unless you can guess the credentials and near harmless even if you do have them.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Soulhand

      Nah, the article's all good - you're just assuming ISPs and router firmware makers aren't nuts. The exploit works by connecting to a TR-064 server behind port 7547, which is opened by TR-069.

      "What is not very well known is that the server on port 7457 is also a TR-064 server. This is another protocol related to TR-069. It is also known as 'LAN-Side CPE Configuration'"

      [Source]

      C.

      1. Mephistro

        Re: Soulhand (@ diodesign)

        Totally agreed. A proof of the ISPs nuttiness in the following paragraph from the link:

        "Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable."

        ISPs know -mostly- how to do things right, but they just don't bother, as any breach in the service will have little consequence in their baseline. This won't change till ISPs and router makers become legally liable for lack of due diligence regarding the security of the products they sell/hire/install. Yeah, I know, pigs breaking the sound barrier over the snowy landscapes of hell in a month with six Sundays, etcetera etcetera.

        By the way, I tried to create a free Shodan account without success. My guess is that either your article "slashdotted" them or they are being DDOSed. :-D

        Such a marvellous time to be alive!

    2. Anonymous Coward

      Does Shodan make a minimum of discovery on ports it finds open? Usually it takes little to discover what is listening on a given port.

  2. J. R. Hartley

    ...And that's why I use Dreytek.

    1. Anonymous Coward

      Mr Hartley: That's Draytek. So do I - a 130 as a simple modem and pfSense behind it to do the real work.

      If you have a 2820 or whatever, have you ensured the TR069 stuff is switched off and that you don't allow remote management? Have you verified that the built-in DNS proxy thing is not susceptible to being poisoned or otherwise messed around with? Have you port scanned your external address? Anyway, if you are in the UK and use FTTC make sure you get the latest firmware on it. Do that last anyway - good practice. BTOR are/have been making changes ...

      1. J. R. Hartley

        I have a 2860 with all the fancy stuff turned off. Apart from UPnP, I just leave that on.

        /Joke

  3. Doctor Syntax Silver badge

    "The Register asked TalkTalk for comment today and was told that a response will not be immediately forthcoming because the working day in the UK was just ending."

    And that, TT customers, is just how important your security is to us.

    1. Anonymous Coward

      Maybe ElReg could follow up at 9AM and get the more reassuring answer of "we haven't been affected by this issue yet so do not need to comment" or just rely on the Twitter update in two weeks time of "we are looking into the unexpected security issue that is affecting a large number of our (soon to be ex) customers".

      1. Dan 55 Silver badge

        I think testing for port 7547 yourself using e.g. GRC's Shields Up would be faster? (Somebody confirm this please)

    2. VinceH

      To be fair, this isn't about the customers' security per se*, but only about potentially not providing them with a service, based on what the article says happened with Deutsche Telekom - and why would TalkTalk need to worry about that? They'll undoubtedly have the customer money for each billing period in advance. It will therefore only matter if and when it happens to them, and they have to ensure they'll get the customer money for the next billing period.

      * Although technically, it is: If this equipment can be hijacked and crashed, then it can be hijacked to create a way into other devices on the LAN - but just based on the issue reported in the article, it's effectively about being denied a service.

  4. Frozit

    Why is this port not filtered by the ISP?

    Of course, that would imply they knew they had a problem before this.

    Filter the port traffic to only be allowed from a small subset of the ISP's management set. Done. Sigh.

    1. Anonymous Coward

      Re: Why is this port not filtered by the ISP?

      You're assuming here that ISPs, like most companies these days, hire competent people in IT which, sadly, is no longer true. They're all looking for the cheapest possible labor.

      1. Dan 55 Silver badge

        Re: Why is this port not filtered by the ISP?

        And that's after they knock services like hosting and Usenet on the head and farm email out to the likes of Google or Yahoo. They had one job, broadband, and they can't even do that.

    2. Christian Berger

      It's complicated

      Many companies resell their DSL and add their own router which they'd like to manage from outside the Telekom network. So you may have an IP telephony company renting you a CPE which turns the DSL they buy from Deutsche Telekom into 4 ISDN T0 lines. That equipment needs to be remotely managed from outside the Telekom network.

      Obviously the smart thing would be for vendors and deployers to restrict the IP-Ranges the connection requests are accepted from. Essentially a little ACL in the router would do... unfortunately despite that being a really powerful and easy to implement feature, hardware vendors tend to not use it.

      BTW, Deutsche Telekom could have just used a rather decently secure alternative from a German vendor which wouldn't have been much more expensive. They chose the cheaper route and they chose to not test it properly.

  5. ecofeco Silver badge

    From monthly to weekly to daily

    Seems like ages ago these types of attacks and take-downs were only happening every few months and then about one per month.

    Then weekly. Now it's daily.

    And still the big companies haven't learned anything.

    1. Anonymous Coward

      Re: From monthly to weekly to daily

      They can't with the quality of people they hire.

    2. lglethal Silver badge

      Re: From monthly to weekly to daily

      And they won't learn, because it doesn't cost them a cent. Not until the fines for this sort of mismanagement start hitting bottom lines will IT security actually be taken seriously...

  6. Christian Berger

    The big problem is...

    that Deutsche Telekom now poses as a victim, even though it's their fault.

    Like many security problems their problem comes from risky behaviour, in this case a cheap, badly implemented router they didn't even bother to test properly.

    A simple ACL on the box, which would prevent it from talking to anybody else than Deutsche Telekom, would have completely eliminated this problem at virtually no cost. After all they already get their custom firmware and custom cases from the vendors.

    1. Charlie Clark Silver badge

      Re: The big problem is...

      Well, legally they are a victim of a malicious attack. As to whether they were negligent, well, that's another matter.

      Fritz boxes are not immune either: a couple of months ago there was an exploit that finally galvanised Unitymedia and AVM into a firmware update for their 6360s.

  7. Anonymous Coward

    ISPs just don't get it

    I have a router from French ISP Orange (France Telecom). It comes with standard credentials for LAN-side management of admin/admin (d'oh!). As part of my initial setup I changed the password, and locked it down as best I could. A few months ago I was irritated, to say the least, when I connected to the management interface to find a message saying that for "improved" security they had reset the password to be a variant of the serial number. I set it back to my own password, of course.

    I wasn't so much annoyed that they had changed it to a less secure password than the one I had already set, but by the fact that they could change my customer-side password without my knowledge. Now I wonder who else can do that...

    1. MR J

      Re: ISPs just don't get it

      Well, be glad you don't have some routers of Netgear.

      Theirs allow a "Password Recovery" via WAN side if you know the Serial number.

      You would think that's secure (why would anyone have their serial number when not at home?) but there is actually a crafted URL you can pass to most Netgears that will tell you - the serial number!

      Major hole (fixed now) but anyone who patched when the hole was made still has it open!..

      Netgear told me about 3 years ago that they had no intention of fixing this as they have had no reports of it being exploited in the wild!

  8. ThatGuy2088

    It is very important to note that this vulnerability has nothing to do with the TR-069 protocol itself. It's a consequence of a vendor's implementation doing something really, really broken.

    1. diodesign (Written by Reg staff) Silver badge

      Re: ThatGuy2088

      Guys, for God's sake, read the god damn article before smugly shooting off about TR-069/64. It's explained in the piece. It's not solely about TR-069 but it's part of the problem because it exposes a vulnerable TR-064 service.

      C.

  9. John Brown (no body) Silver badge

    two routers provided by UK ISP TalkTalk are vulnerable

    Don't worry folks. DodoDido is bringing her stupendous talent to bear on the problem. When it all goes TITSUP she'll be ready with her PR to soothe the heaving masses.

  10. Anonymous Coward

    You can disable remote administration on Telekom routers, at least on the Speedport W 723V Type B under Verwaltung > Hilfsmittel > EasySupport. First thing to look for when installing a router IMO. Yes, you have to install firmware manually, and so it isn't for everyone, but it does seem to have been a wise move.

  11. EnviableOne

    yet another reason to replace consumer kit with enterprise grade

  12. Destroy All Monsters Silver badge

    Declared as another hit by at least a friend of a friend of P.U.T.I.N.

    Mama Merkel isn't 100% sure, but apparently Russia is involved somehow and tries to undermine democracy by wrecking Freedom Country People's routers!

    German leaders angry at cyberattack, hint at Russian involvement: German politicians say action must follow a hack that paralyzed some 900,000 internet connections. Berlin stopped short of blaming Russia, but fears are growing Moscow could try to influence the 2017 German election.

    No word about ISPs going full retard with the material they foist on customers and that this could have been done by Trump's 400-pounder in the basement.

    Instead we get this pap:

    Landefeld says that one of the major problems is that the public at large uses IT technology without sufficient awareness of the risks involved. That's one reason, he says, that there are limits to what politicians can do to minimize the threat of cyberattacks in the short term.

  13. cannfoddr

    This is a question of implementation

    If implemented as per the standard the only "listening port" on the router for TR-069 should be there to handle a CONNECTION REQUEST. It's a capability that allows the TR-069 management server to "wake up" a router and tell it to "go and talk to YOUR designated management server" - note it's not "talk to me because I want to manage you" - that would totally break security.

    A well implemented solution will randomise the URL used for connection requests and will set a connection request authentication using a username and password.

    TR-064 is a totally separate protocol designed to allow automated LAN side configuration of broadband routers - it was never intended to be used over a WAN connection, if someone were to choose to do so this would present all sorts of nasty security implications - qed.

    It looks like in this instance the router manufacturer went down the route of combining TR-069 and TR-064 into a single service with no real separation of interface and function.
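The source-address ACL that Frozit, Christian Berger and cannfoddr describe above, as an added example that is not part of the article or of any commenter's post: only the ISP's management (ACS) ranges may reach the connection-request port, everything else on that port is dropped. The management ranges (RFC 5737 documentation prefixes), the WAN-side log lines and the `nft` rule wording are constructed for illustration; the port is the 7547 convention the thread discusses.

```python
import ipaddress
import re

CR_PORT = 7547  # the connection-request listener port the thread discusses

# Constructed: the ISP's management (ACS) ranges. RFC 5737 documentation
# prefixes stand in for the real ranges a deployer would configure.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/25")]

# Constructed netfilter-style log lines from a CPE's WAN interface.
SAMPLE_LOG = """\
Nov 27 10:00:01 cpe kernel: IN=wan SRC=192.0.2.10 DST=100.64.0.7 PROTO=TCP SPT=40001 DPT=7547
Nov 27 10:00:02 cpe kernel: IN=wan SRC=203.0.113.5 DST=100.64.0.7 PROTO=TCP SPT=51234 DPT=7547
Nov 27 10:00:03 cpe kernel: IN=wan SRC=203.0.113.9 DST=100.64.0.7 PROTO=TCP SPT=51235 DPT=80
Nov 27 10:00:04 cpe kernel: IN=wan SRC=198.51.100.200 DST=100.64.0.7 PROTO=TCP SPT=4433 DPT=7547
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=\S+ .*?DPT=(\d+)")


def inbound_allowed(src, dport, allowed=ALLOWED_SOURCES):
    """The ACL the commenters ask for: only the ISP's ACS ranges may reach
    the connection-request port. Other ports are outside this rule."""
    if dport != CR_PORT:
        return True
    return any(ipaddress.ip_address(src) in net for net in allowed)


def audit_log(text, allowed=ALLOWED_SOURCES):
    """(src, dport) for each logged WAN hit the ACL would have dropped."""
    rejected = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and not inbound_allowed(m.group(1), int(m.group(2)), allowed):
            rejected.append((m.group(1), int(m.group(2))))
    return rejected


def nft_rules(allowed=ALLOWED_SOURCES, iface="wan"):
    """The same policy rendered as nftables rules (illustrative syntax)."""
    nets = ", ".join(str(n) for n in allowed)
    return [f'add rule inet filter input iifname "{iface}" tcp dport {CR_PORT} '
            f"ip saddr {{ {nets} }} accept",
            f'add rule inet filter input iifname "{iface}" tcp dport {CR_PORT} drop']


if __name__ == "__main__":
    for src, port in audit_log(SAMPLE_LOG):
        print(f"would drop: {src} -> tcp/{port}")
    print("\n".join(nft_rules()))
```

Run against the constructed log, the two connection-request hits from outside the management ranges are the ones flagged; the port-80 line is left to whatever other rules apply.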
