5 March 2017
About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both, the attack and the arrest of the cyber attacker made it into the headlines.
Report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability‘, posted on 28 November 2016 at BadCyber, describes the technical details of attack. The attacker used the TR-064 protocol over Port 7547 to inject code into the routers configuration details.
Protocol TR-064 is used by ISP’s to keep their infrastructure up-to-date. Under normal conditions the updates are initiated by the router. In this case the attacker sent some specially crafted packets to the router to inject the malicious code.
For access to the router a username and password is required. The attacker used well-known default passwords in the attack, with great success:
Username Password root xc3511 root vizxv root admin
How can such attacks been avoided?
We all need to take greater care over our router security. Default passwords must be changed at commissioning, forced by the router software. In addition, the router should prevent the usage of passwords from the ‘Worst Password‘ lists.
But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks are at least for ten years on the OWASP Top 10 Vulnerabilities list, no vendor seems to care about this issue.
The NIST NVD database lists 995 injection related software flaws (e.g. remote command injection or sql-injection) in the last three years, even though solutions to address this issues, e.g. by input sanitizing, are known for years now.
in my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers a certification before selling is required to make sure, that state-of-the-art protection against common attack vectors is implemented.
Sounds easy, doesn’t it?
Have a good weekend. And check the complexity of your internet router password.
I remember this, and I’m glad they caught the guy. It’s like any crime–just because there is an opportunity to do wrong doesn’t give someone a right to exploit it.