On Sunday November 27, a new variant of the Mirai botnet knocked more than 900 000 customers of German ISP Deutsche Telekom (DT) offline. The malware targeted potentially vulnerable home internet routers to exploit a vulnerability in the implementation of the standard protocol, TR-069, that is designed to allow the Internet Service Provider (ISP) to remotely manage the router. The aim of the attack presumably was to recruit additional devices for Mirai-infected botnets that have been used to conduct massive denial-of-service attacks in the past weeks.
As Comsecuris demonstrates in a blog post, the Speedport-routers of DT (mainly produced by the Taiwanese company Arcadyan) themselves were in fact not vulnerable to the TR-069/064 exploit. They collapsed due to the sheer volume of attack traffic generated by the malware – in that sense their outage was “˜collateral damage’. While the routers were not vulnerable to that exploit, the fact that they collapsed means that they suffer from other bugs and deficiencies that caused network routing to function improperly. Hence, DT does bear responsibility for the crashes. The TR-069 Port should only have been available from the DT Internet protocol (IP) address range, which can be achieved through the use of a firewall.
While Speedport routers of DT have not been infected by the malware, many other routers are probably vulnerable to this attack. Security researcher Kenzo2017 already published details about the vulnerability in early November. We can thus expect this and similar attacks to successfully infect many other mass routers and thereby be absorbed into botnets. All ISPs worldwide should now check their router models, and contact their customers and deploy a firmware update if they are potentially vulnerable.
The DT router outage illustrates the changing tactics of Mirai attackers. The Mirai malware has already infected hundreds of thousands of vulnerable devices, targeting mostly embedded systems and so-called Internet of Things (IoT) devices such as digital video recorders, cameras, babyphones and routers. The “˜original’ malware exploited hard coded default usernames and passwords of the devices it infected. Since infected devices broadcast attack traffic once they are infected to compromise other similarly vulnerable devices, the botnets acquired massive strength and mounted the largest DDoS attacks known to date, against the French ISP OVH (1.1 Tbps), DNS service provider Dyn, and the website of investigative journalist Brian Krebs (620 Gbps).
This and other past incidents demonstrate that producers of hard- and software have to assume responsibility for the products they sell. Leading German politicians have called for stricter liability requirements for software producers and the topic will most certainly be on the policy agenda of the new government to be elected in fall of 2017. The German Federal Office for Information Security BSI has additionally called for the swift adoption of an IT Security quality seal. And many call for mandatory IT security certification. These measures are the “˜usual’ solutions to market failures in IT security. The introduction of stricter liability requirements have been discussed for decades without a concrete outcome. In the context of massive IoT attacks, they might finally be put into practice, but in any case, this is no immediate solution to the problem. As Bruce Schneier points out, “the market can’t fix this because neither the buyer nor the seller cares”.
Meanwhile, Mirai botnets can be rented on the internet. Renting out botnets of IoT devices has become a lucrative business model of cyber criminals, and we should not expect them to go away any time soon.