Thousands of Telekom customers in Germany have been knocked offline due to a cyber attack targeting routers.
Over the weekend, hundreds of thousands of Deutsche Telekom customers in Germany were unable to connect to their home internet. Why? Because cybercriminals took advantage of a vulnerability in a home router Deutsche Telekom provided its customers. This shouldn't come as a surprise, though, to Germans – or anyone else. In 2014, when we introduced our Home Network Security feature (included in Avast Free Antivirus), Avast found that three out of four German routers and four out of five US routers were vulnerable.
Clearly the router security situation hasn't improved in the last two years: we're seeing more and more instances where routers are targeted and used, for example, as zombies to carry out DDoS attacks.
So what exactly happened this weekend? My Avast colleague and malware analyst Pavel Šrámek explains:
"The problem in this case lies in a vulnerable implementation of the CPE WAN Management Protocol (CWMP, also called TR-069). This protocol is used by some Internet Service Providers (ISPs), like Deutsche Telekom, to remotely manage customers' routers, for example to adjust Domain Name Service (DNS) or Network Time Protocol (NTP) settings. CWMP uses the TCP port 7547, which is widely used around the world. In fact, with more than 40 million open instances, the TCP port 7547 is the second most opened port on the entire public internet, number one being the TCP port 80, used for HTTP. However, since many ISPs leave this port open to the outside world, it is freely accessible and can be abused by attackers to hack routers whose CWMP service is vulnerable. What's especially nasty about this is that attackers can close the port after having infected the router with malware, so the ISP can no longer access the port to remove the malware.
"Unfortunately, a flaw in processing the NTP time server addresses has recently been disclosed. Normally, the CWMP protocol allows the ISP to send the name of an NTP server where the device can get the current time from, in order to configure its clock. Through this vulnerability, it is possible for attackers to replace the NTP server name with a series of commands, which are then executed by the router, for example downloading and executing malware. Not all routers managed by CWMP are affected, though; only the ones that do not require authentication for this request are affected. Therefore, Deutsche Telekom routers are affected, while Verizon routers, which require authentication, are not.
"The vulnerability allows remote code execution on many routers and is present, among others, in Speedport routers issued by Deutsche Telekom. Many ISPs neglected to patch their devices in time, leaving a veritable paradise for cybercriminals, as through the vulnerability they can attack hundreds of thousands of devices at the same time. For example, the authors of the infamous Mirai botnet, which previously infected IP cameras with default passwords, have started to abuse this vulnerability, and it is possible that they were also the ones behind the attack on Deutsche Telekom customers."
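The two defects Pavel describes are an NTP server value that reaches a command interpreter unchanged, and a SetParameterValues request that is honoured without authentication. The following is an added example, written for this post and not code from Avast, Deutsche Telekom or any router firmware, of how a CWMP endpoint should treat that value: refuse the request unless the session is authenticated, accept only an IP literal or a plain hostname, and hand the accepted value to the time client as a separate argv element rather than pasting it into a shell command line. The TR-098 parameter names `InternetGatewayDevice.Time.NTPServer1..5` and the client binary name `ntpclient` are assumptions of the example, as is the constructed sample request.

```python
import ipaddress
import re

# One DNS label per RFC 1123: alphanumerics and hyphens, no leading or
# trailing hyphen, at most 63 characters. Shell metacharacters, whitespace,
# quotes and backticks can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")

# TR-098 parameter names carrying NTP server addresses (assumption of this
# example; the post does not name the parameters).
NTP_PARAMS = {f"InternetGatewayDevice.Time.NTPServer{i}" for i in range(1, 6)}


def is_valid_ntp_server(value: str) -> bool:
    """Accept only an IP literal or a well-formed hostname; reject everything else."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_ntp_argv(server: str) -> list:
    """Return the argument vector for the (hypothetical) time client.

    The value is validated first and becomes its own argv element, so no part
    of it is ever parsed by a shell.
    """
    if not is_valid_ntp_server(server):
        raise ValueError("rejected NTP server value: %r" % server)
    return ["ntpclient", "-h", server]


def apply_set_parameter_values(params: dict, authenticated: bool) -> tuple:
    """Process the NTP parameters of a CWMP SetParameterValues request.

    Returns (accepted, rejected): accepted maps parameter name -> argv,
    rejected lists parameter names whose value failed validation. An
    unauthenticated request is refused outright, which is the difference the
    post draws between affected and unaffected routers.
    """
    if not authenticated:
        raise PermissionError("SetParameterValues requires an authenticated session")
    accepted, rejected = {}, []
    for name, value in params.items():
        if name not in NTP_PARAMS:
            continue  # other parameters are outside this example's scope
        try:
            accepted[name] = build_ntp_argv(value)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request: one well-formed server name and one value
    # carrying a shell separator, the shape of input the post describes.
    sample = {
        "InternetGatewayDevice.Time.NTPServer1": "ntp.example.org",
        "InternetGatewayDevice.Time.NTPServer2": "ntp.example.org;ls",
    }
    ok, bad = apply_set_parameter_values(sample, authenticated=True)
    print("accepted:", ok)
    print("rejected:", bad)
```

The allow-list is deliberately narrower than what DNS technically permits; a router has no reason to accept anything other than an address or hostname here, and a strict pattern is easier to audit than a list of characters to strip.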
Many Deutsche Telekom customers have now experienced what a problem an insecure router can be. However, it is safe to say that this might be just the beginning of what could happen in the future. The next step for attackers could be to hack into other home devices once they gain access to the router, like webcams, smart TVs, or thermostats.
We as a digital security company are collaborating with router manufacturers to find solutions that will make routers more secure. In the end, security software should be implemented directly in the router, which is the central point of the home network, connecting all smart home devices to the internet.
You can check your router's security by running Avast's Home Network Security scan, which is included in Avast Free Antivirus. Home Network Security detects if your router's TCP port 7547 is open and accessible from the outside, which could make it vulnerable to future attacks similar to this one.
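The check the post describes reduces to one question: does TCP port 7547 on the router complete a connection from the outside? Below is an added example, not Avast's Home Network Security code, that performs that test with a plain TCP connect and includes an offline self-check against a local listener (a constructed setup) so the logic can be exercised without touching a real router. The placeholder address `192.0.2.1` is from the TEST-NET range and is an assumption of the example.

```python
import socket
import sys

CWMP_PORT = 7547  # TCP port CWMP/TR-069 listens on, as the post describes


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out) or unroutable
        return False


def cwmp_exposure_report(host: str, timeout: float = 2.0) -> dict:
    """Summarise whether the CWMP port on `host` accepts connections."""
    is_open = tcp_port_reachable(host, CWMP_PORT, timeout)
    if is_open:
        finding = ("TCP 7547 accepts connections from this vantage point; "
                   "check with the ISP that CWMP is restricted to its "
                   "management network and that the firmware is patched")
    else:
        finding = "TCP 7547 is closed or filtered from this vantage point"
    return {"host": host, "port": CWMP_PORT, "open": is_open, "finding": finding}


def self_check() -> tuple:
    """Exercise the checker offline against a local listener (constructed setup).

    Returns (result_with_listener, result_after_close); a correct checker
    yields (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(cwmp_exposure_report(sys.argv[1]))
    else:
        # No target given: prove the checker works against the local listener.
        print("self-check (expect (True, False)):", self_check())
```

Run it against the router's public address from a network other than your own home LAN; a test from inside the LAN only tells you about the LAN-facing side, which is not the interface the attack in the post reached. A timeout rather than a refusal usually means a filter is dropping the packets, which is the outcome you want.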