Ethical hackers claim Mirai is “tip of the iceberg”, as Deutsche Telekom boosts security after attack


Deutsche Telekom will redouble its network and data security in the light of this week’s failed hack on its routers, which saw around 900,000 customers disconnected from telephone, broadband and television services.

Speaking yesterday at the European Communications/Mobile Europe IoT Conference 2016, Falk von Bornstaedt, Head of Group Peering and IP Trading at Deutsche Telekom, said: “It is a wake-up call. It will mean a lot of investment in even more security.

“It will help us be even more secure in the future, and the management will invest a lot of energy into being more secure.”

Von Bornstaedt restated that Deutsche Telekom was not the sole target of the attack, which sought to infiltrate customers’ routers via the TR-069 protocol with ‘Mirai’ malware, seize control of them, and launch a wider attack on the internet.

“It wasn’t just Deutsche Telekom. It was a worldwide attack. And I wonder why Deutsche Telekom was in the press, and many other people are not. But somehow the focus has been on us,” he said.

At the event, Pen Test Partners, a group that tests security vulnerabilities in the latest devices, said the Mirai botnet was limited but warned it was the “tip of the iceberg” for the telecoms and wider IoT community.

Tony Gee, Consultant at Pen Test Partners, explained: “Mirai is actually a rubbish attack tool. It uses SSH and Telnet. Hardly any of these devices connect to the internet using SSH and Telnet.

“Most connect to the internet and provide a web interface with 480 or 443. So if that was tailored to target those ports, you’d reach a whole lot of other devices. This is the tip of the iceberg.”

Gee also made the point that the “attack surface” for hackers will be multiplied with the rise of the IoT, predicted to cover 6.4 billion connected devices by the end of 2016, according to Gartner.

“If that many devices are all going to be internet connected, then they have the ability to be attacked,” he said.

Gee suggested internet routers were more advanced, generally, than IoT devices.

He said: “Because there have been a lot of attacks against routers, developers have started to put better security in place, whereas the IoT hasn’t gone through that problem yet.”

Deutsche Telekom said today that vulnerabilities in remote maintenance functions for internet routers that use the TR-069 protocol were published several years ago, and involved the security of the ACS network side component, which it has looked to address.

It said the attack on its routers at the weekend, instead, involved the endpoint for the connection request to the router, reached via the 7547/tcp port.

“The current attacks did not involve the ACS. The attack method that was used is new and was unknown to date,” it said in a statement. 

It said it had traced the 7547/tcp vulnerability to a report from last month.

“The vulnerability not only allows access to the device's data model, but also the injection of coding that then runs on the affected router.

“We suspect that the current extensive attacks on internet routers, which also affect Deutsche Telekom customers, were launched over port 7547/tcp based on this publication,” it said.

“According to our analysis, the objective of the attack is to install malware on the routers to add them to a botnet – meaning they could be used as the remote-controlled infrastructure for future attacks.

“The current attack was not designed to target Deutsche Telekom's Speedport routers, which means it does not exploit any vulnerability in Deutsche Telekom's Speedport routers.

“However, the extensive attacks resulted in malfunctions on individual Speedport models, which deactivated key router functions such as the DNS proxy.

“For our customers, this means their internet access and IP telephony, for example, are disrupted.”

Deutsche Telekom maintains its IP network remains unaffected.

It has advised customers to disconnect and reboot their routers if they suspect an attack.

An automatic software update is already in place, it said, and is being delivered to affected devices.

Separately, the company said it had appointed Johannes Pruchnow as Representative of the Deutsche Telekom Board of Management for Broadband Cooperation in Germany.

The operator said the appointment highlighted the importance of “rapid, comprehensive fibre-optic broadband build-out” in Germany.

Pruchnow will look to strengthen Deutsche Telekom’s cooperation with competitors.
