Router back-doors appear to be cause of Deutsche Telekom security breach
It appears that poor router security has led to a hacker attack which left over 900,000 Deutsche Telekom users without internet access this weekend.
Since the beginning of this weekend hundreds of thousands of Deutsche Telekom customers in Germany have been suffering as a result of network outages which appear to have happened as a result of a massive distributed denial of service (DDoS) attack.
Deutsche Telekom has said in a statement that as many as 900,000 customers, roughly 4.5% of its 20 million fixed-line customers, have suffered internet outages since Sunday. The outages are still ongoing, although the number of affected users has begun to decline sharply.
Thomas Tschersich, Deutsche Telekom's IT security chief, told the newspaper Der Tagesspiegel that the outages appeared to be linked to a botched attempt to turn a sizeable number of customers' routers into part of the Mirai botnet.
The attack left victims without internet access over the weekend. According to Deutsche Telekom, this is the second massive attack on their internet-connected devices since earlier in October this year.
"In the framework of the attack, it was attempted to turn the routers into a part of a botnet," Tschersich told a Berlin newspaper, referring to the network devices customers use to connect to the internet for phone, data and TV services.
Mirai is malicious software designed to turn network devices into remotely controlled bots that together form a "botnet", which can be used to mount large-scale network attacks. Last month, hackers used it to unleash an attack built from everyday devices such as webcams and digital video recorders that cut off access to some of the internet's largest websites.
Deutsche Telekom has said it will be reviewing its business relationship with Arcadyan, the supplier of its Speedport routers, following the outage. On Monday it offered firmware updates for three models, all of which are made by Arcadyan Technology.
Stephen Gates, chief research intelligence analyst at NSFOCUS, said: "Most people don't know that all broadband service providers have ensured they have backdoors into 'their' customer-edge devices, which can be cable modems, DSL modems, routers, etc. The reason for this is simple. It ensures people don't get services for free, while at the same time allowing the provider access into the remote devices for troubleshooting, updating, billing, etc. This helps reduce associated costs. In this case, it appears that hackers have figured out a way to capitalise on the backdoor, and cause a noteworthy denial of service outage."
If the outage does turn out to stem from Deutsche Telekom's lack of security awareness in deliberately leaving a 'back door' open, it will enrage its users. This theory was bolstered by comments from Alex Mathews, EMEA technical manager at security specialist Positive Technologies, who told us: "Whether this attack could have been prevented depends on what type of vulnerability was used to infect the routers. For example, the Mirai botnet code was not too serious: the malware was looking for gadgets with well-known default passwords (admin:admin, root:password, and so on). If people had just changed these default passwords, their routers would not have been infected. On the other hand, the malware authors can use a more serious, unknown vulnerability in routers' firmware or in communication protocols. In this case, users can hardly do anything to protect themselves. Only serious security tests can detect such a vulnerability. It should be done by service providers and by the manufacturers of the routers. However, unfortunately, they do not do enough safety testing."
We asked Deutsche Telekom for comment; however, at the time of publishing we had not heard back from its spokesperson.