Taking The Easy Route: Why Your ISP Router Reset May Be A Waste Of Time

By   muhammad malik
Chief Editor , Information Security Buzz | Dec 12, 2016 05:58 am PST

Have you changed the WiFi key on your home router? Do you even know how to? You’d be surprised how complicated this can be. Routers have their own IP address and a default password or key but how you access and change this can vary from one device to another. In the event of a compromise that means most routers are sitting ducks. Which is why when TalkTalk recently stated it was going to do a ‘password reset’ on routers affected by the Annie worm which exploits a security hole associated with the TR-064 vulnerability we rolled our eyes in despair. A reset to the default which is already compromised? Pleaase.

This particular vulnerability is a misconfiguration in the router whereby a function set called ‘TR-064’ is exposed to the Internet. It has been around for some time but no-one realised it could be used to for more than simply recruiting a router into a botnet. Using this, a hacker can steal your Wi-Fi keys from your router; take control of your router by changing what’s known as the ‘ACS’ (the server your router connects to download settings and updates); stop your router working (known as ‘bricking’); intercept all of your internet traffic, through changing the DNS; and more. ACS takeover is particular problem. Once that’s been achieved, effectively allowing the attacker to seize complete control, no update will fix it unless it’s done on site physically at the router and that means sending out an engineer.

This is a widespread problem so it’s more than likely that many of the major carriers will be involved. Most routers are made in the Far East and the affected routers have components in them made by a group of companies called Ralkink/Econet/Mediatek. No one is certain, but some think that the manufacturers of the routers had software written for them that didn’t secure the ‘TR-064’ protocol correctly. Currently it’s believed that over 3 million routers are part of the bot-net created using the TR-064 attack.

We run a ‘honeypot’ router that looks like one of these routers and helps us monitor odd activity on the internet. When we saw weird requests, we realised that peoples Wi-Fi keys and worse could be stolen. That’s when we realised just how serious this issue is. The honeypot received around 170 attempts to exploit the TR-064 vulnerability in the last 12 hours, mostly from GB/UK sources. This suggests a lot of activity around UK ISPs. Only two of these have been attempts to get Wi-Fi keys, both originating from Africa, and the headers suggest that these are not Annie bots.

TalkTalk did step up and try to tackle the problem. It published a ‘fix’ to the TR-064 / Annie issue which disables the TR-064 interface and resets the router. This resets the passwords all right – back to the ones written on the router. As nearly all customers never change their Wi-Fi key, and the Annie worm and hackers have already stolen the Wi-Fi keys, the TalkTalk fix simply resets the router to the exact same keys that have already been stolen.

There is one mitigating factor in all of this: the hacker has to be physically close to the router to compromise the Wi-Fi. But if you know the SSID (also stolen using the Annie worm) you can use databases such as https://wigle.net to find the victim’s house and target the attack.

ISPs need to urgently look at how many of their routers are vulnerable to the Annie attack and to issue a firmware update. If, as an ISP, you haven’t yet got this far, quickly prep your call centre staff who are going to be very busy over the next few days fielding calls from customers who want to know how to do just that. And be prepared to replace some of that stock. In some cases, a reset may fail or just be too complex and your disgruntled customers will be demanding a replacement. Unless ISPs can prove through detailed logging that the customer Wi-Fi keys have not been stolen then they should be replacing all customers routers urgently.

Personally, I think that ALL affected routers should be replaced. Why? Because it’s possible that the hackers could keep control of your router even after you’ve reset it and applied the fix. This is because the router can been taken over through ACS modification, as described above, and you can bet your bottom dollar that sending out an engineer to every affected device will be way more expensive than simply issuing a replacement. The costs of a mass replacement may seem prohibitive but that’s going to pale into insignificance compared to the mass harvesting and potential exposure of large proportions of the ISP’s customer base costing you customers. Then there’s the regulatory repercussions: try explaining to the ICO why you failed to replace hardware in customer homes when you knew about this vulnerability and the industry was urging a recall and replace strategy.
In the short term, users can solve this by resetting their router (follow the TalkTalk advice) and then change their Wi-Fi password. In many cases, it’s a matter of pushing the little reset button on the back of the router with a paper clip or similar. This should force the router to download new software (called ‘firmware’) from your ISP and fix itself. Next, change your Wi-Fi key. If you’re not sure how to do this, again go to your ISP web site and check. If the router doesn’t work after you’ve reset it (this could take a few minutes or more) then it’s time to call your ISP and ask for a replacement router. Do be aware though that this could lead to phone scams whereby the scammers call you claiming to be your ISP offering to update your firmware and change your wireless keys. That’s why it’s best for you as the consumer to make contact with your ISP rather than waiting for a reset or replacement.

[su_box title=”About Ken Munro” style=”noise” box_color=”#336588″][short_info id=’99453′ desc=”true” all=”false”][/su_box]

Recent Posts