British man arrested after 900,000 broadband routers knocked offline in Germany

5 March 2017

About 900,000 Deutsche Telekom customers suffered internet outages on Sunday 27th and Monday 28th November 2016. Two weeks ago a 29-year-old man has been arrested at Luton airport by the UK’s National Crime Agency (NCA) in connection with this attack. Both, the attack and the arrest of the cyber attacker made it into the headlines.

Report ‘New Mirai attack vector – bot exploits a recently discovered router vulnerability‘, posted on 28 November 2016 at BadCyber, describes the technical details of attack. The attacker used the TR-064 protocol over Port 7547 to inject code into the routers configuration details.

Protocol TR-064 is used by ISP’s to keep their infrastructure up-to-date. Under normal conditions the updates are initiated by the router. In this case the attacker sent some specially crafted packets to the router to inject the malicious code.

For access to the router a username and password is required. The attacker used well-known default passwords in the attack, with great success:

Username Password
 root     xc3511
 root     vizxv
 root     admin

How can such attacks been avoided?

We all need to take greater care over our router security. Default passwords must be changed at commissioning, forced by the router software. In addition, the router should prevent the usage of passwords from the ‘Worst Password‘ lists.

But in my opinion that’s not enough. Vendors deliver internet routers with really poor software quality. Although injection attacks are at least for ten years on the OWASP Top 10 Vulnerabilities list, no vendor seems to care about this issue.

The NIST NVD database lists 995 injection related software flaws (e.g. remote command injection or sql-injection) in the last three years, even though solutions to address this issues, e.g. by input sanitizing, are known for years now.

in my opinion, to protect critical infrastructures from cyber attacks some governmental attention is required. For critical components like internet routers a certification before selling is required to make sure, that state-of-the-art protection against common attack vectors is implemented.

Sounds easy, doesn’t it?

Have a good weekend. And check the complexity of your internet router password.

Advertisements

One thought on “British man arrested after 900,000 broadband routers knocked offline in Germany

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s