back to article Hull surfers cut off by router attack

Thousands of broadband customers in the Hull area have been left without reliable internet access following a cyber attack. Local telco KCOM blamed difficulties for its customers which began over the weekend and remains ongoing on an attack it said was targeted at models of routers it supplies to some of its customers. Since …

  1. Lotaresco

    Too much cheapness

    This is just reinforcing my refusal to use kit supplied by an ISP. "Free" kit seems to be worth exactly what you pay for it.

    1. Tom Chiverton 1

      Re: Too much cheapness

      And ISPs that leave the management ports open to the internet...

  2. Frank Bitterlich
    Mushroom

    The root cause...

    "We have now identified that the root cause of the problem was a cyber attack..."

    No. The root cause lies somewhere between the stupid vulns that are present in so many routers, and the fact that the telco didn't see that coming.

    I don't know whether this is the same exploit that brought down large numbers of Deutsche Telekom customers four days earlier, but it doesn't really matter. Checking the routers you sell or lease to your customers against recently reported security problems is something I'd expect from _any_ telco these days.

    But you can, of course, adopt that old "Hey, everything's going fine so far - why worry" mentality, whether you're a telco or a person just passing the third level while falling down from a 20-story building. The outlook is about the same.

    We're all doomed.

    1. Tom Paine

      Re: The root cause...

      I don't know whether this is the same exploit that brought down large numbers of Deutsche Telekom customers four days earlier, but it doesn't really matter.

      Up to a point, Lord Copper.

      This wasn't a DoS attack on random domestic broadband customers. The DoS was a side effect of the latest round of scans looking for vulnerable InternetOfShit devices to recruit for the Mirai botnet. It would be naive to imagine that all the attackers managed to do was crash or brick a few million routers; they've obviously been adding to their list of trivially pwned devices (either via exploits, common default admin passwords or unauthenticated management interfaces left open to 0/0.) My educated guess is that we'll find out how big the botnet is now at some point in the next few weeks / couple of months. Do we have any big events coming up? Let's see... there's the massive Christmas Day spike in gaming traffic as all the newly unwrapped consoles are fired up, I suppose. And something's happening in Washington in late January, IIRC. Any other obvious candidates for a spectacular DDoS?

      1. DryBones
        Pint

        Re: The root cause...

        Well, there is prior form for LulzSec and LizardSquad and the like to DDoS the XBL and Sony servers out of existence. Maybe they'll go for Steam and some of the other nice things that people would want to be enjoying over the Christmas break too... And then get back to holding infrastructures hostage.

        Beer in anticipation of the inevitable "Mistakes were made".

  3. Alister

    I'm sure I read a recent story on here about certain models of ZyXel being wide open to attacks due to an internet facing open management port which was meant to be locked down to certain IPs, but was left open to everyone and his dog.

    I thought it was Talk-Talk, but apparently not, I can't find the story now.

    Could well be the same problem though.

    1. Paul Crawford Silver badge

      You might be thinking of the Irish ISP:

      http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

    2. Frank Bitterlich

      It was...

      ... Deutsche Telekom, in the library, with a lead pipe Germany, with a Mirai botnet.

      http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/

    3. Peter X

      I'm sure I read a recent story on here about certain models of ZyXel being wide open to attacks due to an internet facing open management port which was meant to be locked down to certain IPs, but was left open to everyone and his dog.

      TalkTalk and the Post Office apparently. Hard to believe a company as diligent as TT got hit though... they'll have to deploy Dido to allay fears!

      Actually, the linked BBC article mentions that the Post Office have/are deploying router updates and requesting customers to reboot their routers to install the update. So that's something.

  4. petef

    Backdoor

    “ZyXel has developed a software update for the affected routers that will address the vulnerability. In most cases this will be applied remotely and customers will not need [to] do anything”

    So ZyXel have a backdoor into the routers they have sold? What happens when (not if) the bad guys get a hold of that?

    1. Tom Chiverton 1

      Re: Backdoor

      "So ZyXel have a backdoor into the routers they have sold? What happens when (not if) the bad guys get a hold of that?"

      They just did...

    2. Jon 37

      Re: Backdoor

      No, not ZyXel, but your ISP has a way to "remotely manage" the router they gave you.

      There are valid reasons for this, e.g. installing the firmware update that fixes this bug, or trying to troubleshoot a connection issue, either by getting logs from the router or by changing router settings for you.

      Details of the remote management protocol are here: https://en.wikipedia.org/wiki/TR-069

      However, this is a security trade-off, of course, and the remote management feature can be a source of security vulnerabilities.

      In my opinion, ideally ISPs should document exactly what TR-069 features they've enabled on the router, and how it's secured, so customers could make informed decisions on whether to use the "free" router or not. (99.999% of customers wouldn't be able to understand the technical details, but security experts could read the ISP's documentation and provide advice). However, most companies try to avoid providing documentation like that, instead saying basically "trust us".

    3. Tom Paine

      Re: Backdoor

      So ZyXel have a backdoor into the routers they have sold?

      What makes you think that? It's service providers who'll be managing their CPE gear. For some, this will be a remarkable new experience... full managed routers, whatever next?!

  5. Anonymous Coward
    FAIL

    The missing statement

    "We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network......"

    "....If we'd bothered to update the firmware for this known and fully document problem prior to this, you wouldn't have suffered this issue....but we couldn't be arsed."

  6. Anonymous Coward
    Anonymous Coward

    And ISPs that leave the management ports open to the internet

    Why would one need the management interface enabled at all in a TR69 environment beggars belief. The management system(s) used in a SP DO NOT use normal config ports for management. At all. The connection is originated from the router to the control system and should (if the SP had any clue) be secured with X509 one way or even both ways (router and ACS). While the TR69 spec is considered by all people who have had to develop for it an Abomination Onto Nuggan, it is, if deployed as per its standard design, reasonably secure.

    This is criminal stupidity and incompetence. Actually what can I expect from a SP which used to advertise for a senior engineer position with laptop specified as a "benefit" in the job spec. I still keep that advert as a reminder "do not ever apply here" (from around 2007-ish). I guess they did not change. At all.

    1. Tom Paine

      Oooh, X.509, yeah, great security. The best security, really the best.

  7. Tubz

    Hull's defences wide open, are we talking about their football team?

    1. Anonymous Coward
      Anonymous Coward

      Hah!

      They voted Brexit. Let them suffer.

  8. Anonymous IV
    1. Wensleydale Cheese

      Re: Better article on the BBC website...

      "TalkTalk and Post Office routers hit by cyber-attack"

      The mention of the Post Office in connection with telecoms had me thinking it was 1979 again.

      1. Geoff Heaton

        Re: Better article on the BBC website...

        Ah yes, and all the racks of Strowger switches were painted in Post Office Light Straw Paint.

        Happy days.

  9. frank ly

    That picture

    I'm sure that's not a picture of the Hull coast. Then again, it might have been developed a bit since I last saw it.

    1. Wensleydale Cheese

      Re: That picture

      "I'm sure that's not a picture of the Hull coast. Then again, it might have been developed a bit since I last saw it.:

      A bit of A lot of climate change too. The last time I was there, a full on wet suit would have been more appropriate.

  10. Anonymous Coward
    Anonymous Coward

    Pasties and chip spice

  11. Anonymous South African Coward Silver badge

    Bwahaha.

  12. Anonymous Coward
    Anonymous Coward

    KCOM farce

    The same Telecoms provider had an air-con unit above the main email server.

    So when the air-con leaked, it took down most of the client base email, consequently the P45 printer went into operation.

    Kit was replaced / repaired, but put back in the same location.

    Cue second leak.....taking it all down again.

  13. Mikitik

    Were only ZyXel routers not protected against such an attack, or have there been cases with other manufacturers as well?

  14. Mikitik

    The article says that only routers from ZyXel were affected.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022