Following the news that Hackers suspected as 900,000 hit by internet outage. Update: German Telekom is now looking into evidence of a hacker attack after 900,000 internet, phone and television clients were hit by a massive outage starting on Sunday and going into Monday. IT security experts from Synopsys Software Integrity Group, Rubicon Labs and Positive Technologies commented below.
Mike Ahmadi, CISSP, Global Director, Critical Systems Security at Synopsys Software Integrity Group:
“While it is still unclear what caused this mass outage, it is important to note that massively scalable cybersecurity attacks, as evidenced by the recent Mirai Botnet attacks, is sure to be the new rage with the malicious hacker community. This is particularly alarming because our testing tools have been able to uncover literally thousands of scalable attacks on very commonly deployed networking equipment and IoT devices over the last several years. On more than one occasion we have discovered malformed inputs directed at the broadcast address of networks which caused the firmware of particular devices to erase, all at once. It seems that simply finding a vulnerability is no longer all that interests the malicious hacker world, but finding and exploiting high impact vulnerabilities is very interesting. Unless developers and users implement more rigor into discovering and mitigating software vulnerabilities, scalable attacks will continue to grow.”
Rod Schultz, VP of Product at Rubicon Labs:
“With this attack and with Mirai you are beginning to see the dangers with ‘break once, break everywhere’ technology. You have an ecosystem of routers that are hosted by Deutsche Telekom that have little digital diversity (same hardware and software), and an exploit on one router appears to be working on all routers, or there is a cascading effect that is bringing down the network. Management of devices is simpler when they are all the same, but that simplification is also leveraged by attackers to compromise the system. To be clear, this is not a simple problem to fix, and that security challenge is going to be exploited by attackers for many years to come.”
Alex Mathews, EMEA Technical Manager at Positive Technologies:
“The attack of this kind isn’t something new: this year we had multiple reports about thousands of infected routers used for DDoS botnets. We would even suspect that this German story is about “a broken botnet”. After all, hackers are not very interested in broken routers, they prefer to take control over working routers, and use them for other attacks. Perhaps, someone tried to build a Mirai-like botnet out of these infected routers in Germany but something went wrong and routers just went off.
“Whether this attack could have been prevented depends on what type of vulnerability was used to infect the routers. For example, Mirai botnet code wasn’t too serious: the malware was looking for gadgets with well-known default passwords (admin: admin, root: password, and so on). If people had just changed these default passwords, their routers wouldn’t have been infected. On the other hand, the malware authors can use more serious, unknown vulnerability in routers’ firmware or in communication protocols. In this case, users hardly can do anything to protect themselves. Only serious security tests can detect such vulnerability. It should be done by service providers and by routers’ manufacturers… but unfortunately, they don’t do enough safety testing.”