At the end of November, the pre-Christmas season usually starts in Germany. The famous Christmas markets, such as the Christkindlesmarkt in Nuremberg, open in every city, and people celebrate the first Advent by lighting the first of the four candles on the Advent wreath. The first Advent is usually the day on which the contemplative time of year begins. On 27 November 2016, the first Advent, many people in Germany experienced a calm of a very particular kind: around one million DSL routers, mainly devices from Germany's biggest telecommunications carrier, fell victim to a hacker attack.
No Internet, no IP telephony and no TV over IP for about one million customers. It was the biggest cyber attack in Germany so far. And not only people in Germany were offline: about 100,000 DSL routers in the UK were knocked out as well.
Apparently, a strain of the Mirai botnet family was responsible for the outage. Mirai (Japanese for "the future") is malware that infects Linux-based devices, typically IoT devices such as routers and IP cameras, and turns them into remotely controlled "bots" (robots) that are grouped into botnets for large-scale network attacks. The word botnet combines the words robot and network. The Mirai source code was posted publicly in a hacker forum in autumn 2016 and can therefore be reused, and adapted, in many other malware projects.
A worldwide wave of attacks on the remote management interface of DSL routers was registered. The attackers connected to TCP port 7547, the port reserved for the TR-069 protocol (CWMP) that carriers use to manage customer devices remotely, and sent TR-064 commands, a related management protocol normally only used on the LAN side, in an attempt to install malware on the routers and integrate them into an IoT botnet. Infected devices within the botnet were then supposed to attack further devices. At least, that was the attackers' plan.
As it turns out, the attack did not really succeed, and it could have been much worse, because only the first step of the attack worked: the connection to port 7547, the TR-069 port, was accepted and opened. The second step, compromising the devices, failed because the malware assumed a Linux operating system and the affected routers were not based on Linux. The attack therefore ended in a denial of service but did not compromise the devices: flooded with TR-069 requests, the routers opened a vast number of connections and did not terminate them as intended, which resulted in the outage. Firmware updates for the DSL routers solved the problem promptly, within one to two days.
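To make that failure mode concrete, here is an added detection example, not code from the original post and not Teldat's software: a small Python script that runs over a constructed, syslog-style connection log and flags two signals of the pattern described above, a flood of inbound connections to TCP port 7547 from many sources, and connections that are opened but never closed. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# TCP/7547 is the port assigned to CWMP (TR-069); the November 2016 flood targeted it.
CWMP_PORT = 7547

# Hypothetical connection-tracking log format, assumed for this example:
#   <ISO-8601 timestamp> <OPEN|CLOSE> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>OPEN|CLOSE) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def build_sample_log():
    """Constructed sample log (not captured traffic).

    One legitimate session from the carrier's management server (198.51.100.5) that is
    closed cleanly, unrelated HTTPS traffic, a corrupt line, then a burst of 25
    connections to port 7547 from 25 different sources, of which only two are closed.
    """
    lines = [
        "2016-11-27T15:59:10 OPEN proto=tcp src=198.51.100.5 dst=192.0.2.1 dport=7547",
        "2016-11-27T15:59:12 CLOSE proto=tcp src=198.51.100.5 dst=192.0.2.1 dport=7547",
        "2016-11-27T16:00:00 OPEN proto=tcp src=198.51.100.7 dst=192.0.2.1 dport=443",
        "2016-11-27T16:00:03 CLOSE proto=tcp src=198.51.100.7 dst=192.0.2.1 dport=443",
        "this line is corrupt and must be skipped by the parser",
    ]
    for i in range(1, 26):
        lines.append(f"2016-11-27T16:00:{i:02d} OPEN proto=tcp src=203.0.113.{i} "
                     f"dst=192.0.2.1 dport=7547")
    lines.append("2016-11-27T16:00:30 CLOSE proto=tcp src=203.0.113.1 dst=192.0.2.1 dport=7547")
    lines.append("2016-11-27T16:00:31 CLOSE proto=tcp src=203.0.113.2 dst=192.0.2.1 dport=7547")
    return "\n".join(lines)


def analyze(log_text, port=CWMP_PORT, open_threshold=20, source_threshold=10):
    """Flag one-minute windows with a flood of OPENs on `port`; track half-open sessions.

    Rate: OPENs per minute and distinct sources (a scanning botnet shows many sources,
    a legitimate management server only one). Leakage: OPENs never matched by a CLOSE,
    i.e. sessions the device keeps holding, which is what exhausted the routers.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    windows = defaultdict(lambda: {"opens": 0, "sources": set()})
    half_open = set()          # source addresses with an OPEN and no CLOSE yet
    peak_half_open = 0

    for e in events:
        if e["proto"] != "tcp" or e["dport"] != port:
            continue
        if e["event"] == "OPEN":
            w = windows[e["ts"].replace(second=0, microsecond=0)]
            w["opens"] += 1
            w["sources"].add(e["src"])
            half_open.add(e["src"])
            peak_half_open = max(peak_half_open, len(half_open))
        else:
            half_open.discard(e["src"])

    alerts = []
    for start in sorted(windows):
        w = windows[start]
        reasons = []
        if w["opens"] >= open_threshold:
            reasons.append(f"{w['opens']} connection attempts to tcp/{port} in one minute")
        if len(w["sources"]) >= source_threshold:
            reasons.append(f"{len(w['sources'])} distinct sources hitting tcp/{port}")
        if reasons:
            alerts.append({"window_start": start.isoformat(), "opens": w["opens"],
                           "distinct_sources": len(w["sources"]), "reasons": reasons})

    return {"alerts": alerts, "peak_half_open": peak_half_open,
            "leaked_half_open": len(half_open)}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for a in result["alerts"]:
        print(f"ALERT {a['window_start']}: " + "; ".join(a["reasons"]))
    print(f"peak simultaneous sessions on tcp/{CWMP_PORT}: {result['peak_half_open']}")
    print(f"sessions never closed: {result['leaked_half_open']}")
```

Run it as a script to print the alerts for the constructed log, or import `analyze()` and feed it your own export. In practice the `OPEN`/`CLOSE` records would come from a firewall or connection-tracking log, and the thresholds must sit above the rate at which the carrier's own management server legitimately contacts the device; the "sessions never closed" counter is the more telling signal here, because it is exactly the condition that took the routers down even though no device was compromised.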
Compared to what could have happened, the carrier's customers got off lightly. Nevertheless, the damage for online shops was considerable, especially in the pre-Christmas season. As we have mentioned in previous blog posts, Teldat, with its very long tradition in the telecommunications and IT market, is also a partner and supplier for top German carriers. The cyber attack did not really succeed. Nevertheless, the outage happened because of a security vulnerability in the routers' remote management: a management port that should only be reachable by the carrier's own management system was accepting connections from the whole Internet.
The system architecture of Teldat's devices does not have this vulnerability, and they are therefore not affected.