back to article 'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was …

  1. Soulhand

    "This appears to be a consequence of TR-069 – aka the Customer-Premises Equipment WAN Management Protocol – which makes TCP/IP port 7547 available. ISPs use this protocol to manage the modems on their network. But the server running on that port is a TR-064 server and thus accepts TR-064 commands."

    This is confused. Port 7547 isn't mandated by TR069, although the only port that needs to listen on a router for TR069 iis often 7547, that is for connection requests and should do nothing else than "phone home" to its TR069 server when an authenticated request is made.

    Despite the similar numbers, TR069 and TR064 have no connection, and any CPE vendor running a TR064 server on the TR069 connection request port is a) nuts and b) likely to get issues like this. But it's not a *consequence* of running TR069 so in particular, this:

    "A Shodan search [login required] indicates that approximately five million devices offer TR-064 service over the internet. While not all of these devices are necessarily vulnerable, many of them are"

    isn't true. Having 7547 open does NOT imply a TR064 service is offered. Probably just the TR069 connection request and that's harmless unless you can guess the credentials and near harmless even if you do have them.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Soulhand

      Nah, the article's all good - you're just assuming ISPs and router firmware makers aren't nuts. The exploit works by connecting to a TR-064 server behind port 7547, which is opened by TR-069.

      "What is not very well known is that the server on port 7457 is also a TR-064 server. This is another protocol related to TR-069. It is also known as 'LAN-Side CPE Configuration'"



      1. Mephistro
        Thumb Up

        Re: Soulhand (@ diodesign)

        Totally agreed. A proof of the ISPs nuttiness in the following paragraph from the link:

        "Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable."

        ISPs know -mostly- how to do things right, but they just don't bother, as any breach in the service will have little consequence in their baseline. This won't change till ISPs and router makers become legally liable for lack of due diligence regarding security of the products they sell/hire/install. Yeah, I know, pigs breaking the sound barrier over the snowy landscapes of hell in a month with six Sundays etcetera etcetera.

        By the way, I tried to create a free Shodan account without success. My guess is that either your article "slashdotted" them or they are being DDOSed. :-D

        Such a marvellous time to be alive!

    2. Anonymous Coward
      Anonymous Coward

      Does Shodan make a minimum of discovery on ports it finds open? Usually it takes little to discover what is listening on a given port.

  2. J. R. Hartley

    ...And that's why I use Dreytek.

    1. Anonymous Coward

      Mr Hartley: That's Draytek. So do I - a 130 as a simple modem and pfSense behind it to do the real work.

      If you have a 2820 or whatever, have you ensured the TR069 stuff is switched off and that you don't allow remote management? Have you verified that the built in DNS proxy thing is not susceptible to being poisoned or otherwise messed around with? Have you port scanned your external address? Anyway if you are in the UK and use FTTC make sure you get the latest firmware on it. Do that last anyway - good practice. BTOR are/have been making changes ...

      1. J. R. Hartley

        I have a 2860 with all the fancy stuff turned off. Apart from UPnP, I just leave that on.


  3. Doctor Syntax Silver badge

    "The Register asked TalkTalk for comment today and was told that a response will not be immediately forthcoming because the working day in the UK was just ending."

    And that, TT customers, is just how important your security is to us.

    1. Anonymous Coward
      Anonymous Coward

      Maybe ElReg could follow up at 9AM and get the more reassuring answer of "we haven't been affected by this issue yet so do not need to comment" or just rely on the Twitter update in two weeks time of "we are looking into the unexpected security issue that is affecting a large number of our (soon to be ex) customers".

      1. Dan 55 Silver badge

        I think testing for port 7547 yourself using e.g. GRC's Shields Up would be faster? (Somebody confirm this please)

    2. VinceH

      To be fair, this isn't about the customers' security per se*, but only about potentially not providing them with a service, based on what the article says happened with Deutsche Telekom - and why would TalkTalk need to worry about that? They'll undoubtedly have the customer money for each billing period in advance. It will therefore only matter if and when it happens to them, and they have to ensure they'll get the customer money for the next billing period.

      * Although technically, it is: If this equipment can be hijacked and crashed, then it can be hijacked to create a way into other devices on the LAN - but just based on the issue reported in the article, it's effectively about being denied a service.

  4. Frozit

    Why is this port not filtered by the ISP?

    Of course, that would imply they knew they had a problem before this.

    Filter the port traffic to only be allowed from a small subset of the ISP's management set. Done. Sigh.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this port not filtered by the ISP?

      You're assuming here that ISPs like most part of the companies these days hire competent people in IT which, sadly, is no longer true. They're all looking for cheapest possible labor.

      1. Dan 55 Silver badge

        Re: Why is this port not filtered by the ISP?

        And that's after they knock services like hoating and Usenet on the head and farm email out to the likes of Google or Yahoo. They had one job, broadband, and they can't even do that.

    2. Christian Berger

      It's complicated

      Many companies resell their DSL and add their own router which they'd like to manage from outside the Telekom network. So you may have an IP telephony company renting you a CPE which turnes the DSL they buy from Deutsche Telekom to 4 ISDN T0 lines. That equipment needs to be remotely managed from outside the Telekom network.

      Obviously the smart thing would be for vendors and deployers to restrict the IP-Ranges the connection requests are accepted from. Essentially a little ACL in the router would do... unfortunately despite that being a really powerful and easy to implement feature, hardware vendors tend to not use it.

      BTW, Deutsche Telekom could have just used a rather decently secure alternative from a German vendor which wouldn't have been much more expensive. They chose the cheaper route and they chose to not test it properly.

  5. ecofeco Silver badge

    From monthly to weekly to daily

    Seems like ages ago these types of attacks and take-downs were only happening every few months and then about one a per month.

    Then weekly. Now it's daily.

    And still the big companies haven't learned anything.

    1. Anonymous Coward
      Anonymous Coward

      Re: From monthly to weekly to daily

      They can't with the quality of people they hire.

    2. lglethal Silver badge

      Re: From monthly to weekly to daily

      And they wont learn, becuase it doesnt cost them a cent. Not until the fines for this sort of mismanagement starting hitting bottom lines will IT security actually be taken serious...

  6. Christian Berger

    The big problem is...

    that Deutsche Telekom now poses as a victim, even though it's their fault.

    Like many security problems their problem comes from risky behaviour, in this case a cheap, badly implemented router they didn't even bother to test properly.

    A simple ACL on the box, which would prevent it from talking to anybody else than Deutsche Telekom, would have completely eliminated this problem at virtually no cost. After all they already get their custom firmware and custom cases from the vendors.

    1. Charlie Clark Silver badge

      Re: The big problem is...

      Well, legally they are a victim of a malicious attack. As to whether they were negligent, well, that's another matter.

      Fritz boxes are not immune either: a a couple of months ago there was an exploit that finally galvanised Unitymedia and AVM into a firmware update for their 6360s.

  7. Anonymous Coward
    Anonymous Coward

    ISPs just don't get it

    I have a router from French ISP Orange (France Telecom). It comes with standard credentials for LAN-side management of admin/admin (d'oh!). As part of my initial setup I changed the password, and locked it down as best I could. A few months ago I was irritated, to say the least, when I connected to the management interface to find a mesage syaing that for "improved" security they had reset the password ro be a variant of the serial number. I set it back to my own password, of course.

    I wasn't so much annoyed that they had changed it to a less secure password than the one I had already set, but by the fact that they could change my customer-side password without my knowledge. Now I wonder who else can do that...

    1. MR J

      Re: ISPs just don't get it

      Well, Be glad you don't have some routers of Netgear.

      Theirs allow a "Password Recovery" via WAN side if you know the Serial number.

      You would think that's secure (why would anyone have their serial number when not at home?) but There is actually a crafted URL you can pass to most Netgears that will tell you - The serial number!

      Major hole (fixed now) but anyone who patched when the hole was made still has it open!..

      Netgear told me about 3 years ago that they had no intention on fixing this as they have had no reports of it being exploited in the wild!

  8. ThatGuy2088

    It is very important to note that this vulnerability has nothing to do with the TR-069 protocol itself. It's a consequence of a vendor's implementation doing something really, really broken.

    1. diodesign (Written by Reg staff) Silver badge

      Re: ThatGuy2088

      Guys, for God's sake, read the god damn article before smugly shooting off about TR-069/64. It's explained in the piece. It's not solely about TR-069 but it's part of the problem because it exposes a vulnerable TR-064 service.


  9. John Brown (no body) Silver badge

    two routers provided by UK ISP TalkTalk are vulnerable

    Don't worry folks. DodoDido is bringing her stupendous talent to bear on the problem. When it all goes TITSUP she'll be ready with her PR to sooth the heaving masses.

  10. Anonymous Coward
    Anonymous Coward

    You can disable remote administration on Telekom routers, at least on the Speedport W 723V Type B under Verwaltung > Hilfsmittel > EasySupport. First thing to look for when installing a router IMO. Yes you have to install firmware manually, and so isn't for everyone but it does seem to have been a wise move.

  11. EnviableOne

    yet another reason to replace consumer kit with enterprise grade

  12. Destroy All Monsters Silver badge

    Declared as another hit by at least a friend of a friend of P.U.T.I.N.

    Mama Merkel isn't 100% sure, but apparently Russia is involved somehow and tries to undermine democracy by wrecking Freedom Country People's routers!

    German leaders angry at cyberattack, hint at Russian involvement: German politicians say action must follow a hack that paralyzed some 900,000 internet connections. Berlin stopped short of blaming Russia, but fears are growing Moscow could try to influence the 2017 German election.

    No word about ISPs going full retard with the material they foist on customers and that this could have been done by Trump's 400-pounder in the basement.

    Instead we get this pap:

    Landefeld says that one of the major problems is that the public at large uses IT technology without sufficient awareness of the risks involved. That's one reason, he says, that there are limits to what politicians can do to minimize the threat of cyberattacks in the short term.

  13. cannfoddr

    This is a question of implementation

    If implemented as per the standard the only "listening port" on the router for TR-069 should be there to handle a CONNECTION REQUEST. Its a capability that allows the TR-069 management server to "wake up" a router and tell it to "go and talk to YOUR designated management server" - note its not "talk to me because I want to manage you" - that would totally break security.

    A well implemented solution will randomise the URL used for connection requests and will set a connection request authentication using a username and password.

    TR-064 is a totally separate protocol designed to allow automated LAN side configuration of broadband routers - it was never intended to be used over a WAN connection, if someone were to choose to do so this would present all sorts of nasty security implications - qed.

    It looks like in this instance the router manufacturer went down the route of combining TR-069 and TR-064 into a single service with no real separation of interface and function.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like