The latest router security problem, that initially cropped up a week ago in Germany, has since been confirmed in other countries as well.
That its a new variant of Mirai, makes for sexy for headlines, but is not important. That five million devices may be vulnerable is also not important. And, It's pretty much irrelevant that the buggy routers were produced by Acadyan and Zyxel.
The most important issue in this latest router attack is that most of the blame falls on the Internet Service Providers (ISPs).
The routers were attacked on TCP port 7547, which is used by the TR-069 protocol (also known as CWMP or CPE WAN Management Protocol). Leaving port 7547 open would have been a non-issue if the ISPs had made better decisions.
For example, it is common knowledge that open TCP/IP ports are dangerous. When an ISPwants to access their customer devices on an open port, they should take steps to insure that only they can do so. Instead, we saw ISPs mis-configuring both the routers and their internal networks such that any bad guy, anywhere in the world, can get into the routers on port 7547.
Its the network equivalent of not wearing seat belts. No surprise then, that customers were eventually thrown through the front window.
Security expert Graham Cluley was also ticked off by this, writing
The attacks ... are exploiting functionality which allows ISPs to remotely manage their customers' broadband routers. I can fully understand why ISPs want that kind of ability to reduce the support burden, but surely it would be better if connections were only allowed from the ISP's own managed network rather than any Tom, Dick or Harry based anywhere in the world?
The router bug that is being exploited was first discovered in early November by someone who goes by "kenzo2017." He found the flaw on a D1000 modem from Irish ISP Eir and chastised them writing:
Back in the days when Eir were Eircom and they used Netopia modems, port 7547 was blocked to every IP address except those assigned to Eir’s management servers. This meant even though the Netopia modems had bugs, they could not be exploited. Inexplicably, Eir do not do this for their newer modems. If they did, these bugs would not have been exploitable.
Seat belts.
Not to pick on Eir, the same is true of Deutsche Telekom. Let's parse a couple sentences in their public statement .
... routers of Deutsche Telekom costumers were affected by an attack from outside.
In other words, their default network configuration allowed anyone in the world to hack into the routers of their customers, via an open port, and that is on them .
Their fix?
We implemented a series of filter measures to our network.
Network filters that should have been there all along .
Ironically, Deutsche Telekom brags that their Cyber Defense Center emphasizes "good preventive strategies."
Another effected UK ISP, KCOM, also "... put in place measures to block future attacks from impacting our customers."
None of the ISPs took the obvious defensive step until they were shamed into it.
And, sadly, there is nothing special about these three ISPs. Reports say that Shodan found 41 million devices on the Internet with port 7547 open. If ISPs were limiting access to this port to just their servers that need it, then Shodan would not be able to detect that the port was open.
Limiting access to an open TCP/IP port can be done a couple ways. The router itself can check the source (i.e. "from") IP address of incoming packets and reject those that are not from the ISP. Or, firewalls in the ISP's internal network can do the same thing, reject incoming packets directed to port 7547 that did not come from the ISP itself.
BUGGY ROUTERSAnother common ISP security mistake is giving their customers sub-optimal routers.
The routers that were hacked this week were buggy, which is not all that unusual .
The issue here seems to have been with the very old TR-064 protocol. According to a 2004 document from the DSLHome-Technical Working Group , the protocol is also known as "LAN-Side DSL CPE Configuration" (CPE is Customer Premises Equipment). The important point being that the protocol was designed to work on a LAN, that is, on the inside of your home. It was not designed or intended to be used over the Internet.
Yet, that's what the vulnerable routers were doing, they were responding to TR-064 commands sent to port 7547.
It's somewhat akin to a doctor operating on the wrong leg of a patient. How much competence does it take to keep protocols designed for LAN side use away from the Internet? Too much, obviously.
According to Dan Goodin , the Shodan search engine reports that "about five million [devices] expose TR-064 services to the outside world."The same thing happened in 2013 with UPnP , another protocol designed for LAN use only. Back then, Rapid7 found 80 million devices that responded to UPnP over the Internet.
BAD ROUTERSThe bad guys in this case, had no intention of knocking people off the Internet. The malware was supposed to compromise the routers so they could be later used for income producing purposes.
What went wrong? It turns out, some routers stop working when asked to do too much actual routing.
As the malware tries to infect other routers, it creates network traffic. So much traffic, that it caused some routers to lock-up.
Johannes Ullrich, of The SANS Technology Institute, told Brian Krebs that the excessive network traffic crashed some routers that were not even vulnerable to the malware. These other routers simply could not handle all the incoming connection attempts on port 7547 from infected routers.
Security company Comsecuris did their own hacking of an Arcadyan router and confirmed that an excessive amount of incoming conne
