900,000 Germans knocked offline, as critical router flaw exploited

As many as 900,000 Deutsche Telekom customers were knocked offline on Sunday and Monday as an attempt was made to hijack broadband routers into a botnet.

Malicious hackers are commandeering vulnerable Zyxel and Speedport routers, commandeering them into a botnet which they can command to launch huge denial-of-service attacks against websites. The vulnerability exploits the TR-069 and TR-064 protocols, which are used by ISPs to manage hundreds of thousands of internet devices remotely.

In this particular case, an attack was able to fool the vulnerable routers into downloading and executing malicious code, with the intention of crashing or exploiting them. Compromised routers could then be commanded to change their DNS settings, steal Wi-Fi credentials, or bombard websites with unwanted traffic.

As the SANS Internet Storm Center describes, Deutsche Telekom customers would be wise to ensure that their routers are patched with a newly-released firmware update:

Affected user are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.

More details (in German) of the patch are available on Deutsche Telekom's website and in the following YouTube video:

https://www.youtube.com/watch?v=vFR2vdn9Dhw&rel=0

According to a statement issued by Germany's BSI, the attack on the vulnerable routers also attempted to disrupt government systems but failed due to preventative measures.

Meanwhile, customers of Ireland’s biggest telcoms provider, Eir, were experiencing problems accessing the internet via their ZyXEL-built Eir D-1000 broadband routers mere days after a security researcher published proof-of-concept code demonstrating how they could be easily hijacked remotely by a malicious attacker.

Researchers at Fox IT have pinned the blame for the attack against Eir customers on an updated version of the Mirai botnet, which recently launched a massive IoT-powered attack against the website of security blogger Brian Krebs and knocked major websites offline after similarly assaulting DNS service Dyn.

Germany, Ireland... I think it would be no surprise at all to hear that there are broadband routers being used in other parts of the world which are similarly prone to hijacking via similar or the same flaws.

Obviously it's important that the vulnerable devices either get patched or replaced as soon as possible, but there are surely more mitigations that ISPs can put in place to make future attacks harder to accomplish?

For instance, if ISPs want the functionality to remotely manage customers' routers surely it would be sensible to only allow connections from the ISP's own managed network - and not from anyone on the internet, wherever in the world they might be.