Cyber attack affects more than 900k routers in Germany

Eruainur · November 30, 2016

For roughly two days internet access for hundred of thousands of people here in Germany was severely limited due to a cyber attack.

The target were aparently the routers of customers of Deutsche Telekom, Germanys largest ISP.

Here's a heatmap of what it looked like on Sunday, roughly at 6pm local time. It was a desaster. Social Media was blowing up around that time.

Source: http://allestörungen.de

The hackers targeted a vulnerability in a few models of the popular "Speedport" routers where port 7547 was exposed.

That port is usually used to remotely and automatically update the devices. If that port was closed on your router, e.g. if you built a pfsense box or just use 3rd party routers you were fine.

Quote

According to Shodan, about 41 Million devices have port 7547 open. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.

New firmware was rolled out on monday and the problem seems to be fixed now. However, aparently this was part of a global attack, so please check port 7547 on your devices.

I hope ISPs have learned to listen to their community more because this vulnerability was pointed out by some cunstomers in 2014 and they predicted this to happen eventually. Lovely.

Source: http://securityaffairs.co/wordpress/53871/iot/deutsche-telekom-hack.html

SCHISCHKA · November 30, 2016

A very good reason to make your own custom router. Its a shame we are forced by our ISPs to use their outdated firmware & hardware

tlink · December 1, 2016

38 minutes ago, SCHISCHKA said:

A very good reason to make your own custom router. Its a shame we are forced by our ISPs to use their outdated firmware & hardware

i do get some of it, the main problem is that their hardware is shit a lot of the time, and when its not its configured so badly they might as well have used shit hardware. but the bennefit of it is that they can spend a whole lot less time on customer support because they can errorcheck their side of the ISP contract very easily

SCHISCHKA · December 1, 2016

20 minutes ago, tlink said:

i do get some of it, the main problem is that their hardware is shit a lot of the time, and when its not its configured so badly they might as well have used shit hardware. but the bennefit of it is that they can spend a whole lot less time on customer support because they can errorcheck their side of the ISP contract very easily

There are many households still using Telecom NZ modems over ten years old running linux kernel 2.4. They can upgrade but they wont unless they get the modem for free and the ISP will tell them their modems are ok because they have no incentive to do otherwise. I have no control over my modem because its locked to the only 4G provider that offers a 100GB plan. No firmware updates have been released since I purchased it but I get monthly security updates for my desktop OS

Eruainur · December 1, 2016

Disclaimer: I actually work for Deutsche Telekom so i'll try not to be biased.

While it is true that you can spend far less time on customer support if there are only a few routers in use I think when it comes to cyber security you should be advised by your geeks and not your treasury department.

To be fair, the routers are usually just rebranded 3rd party routers and these companies are responsible for the firmware. However, I have no clue how much influence the actual ISPs have.