Standard User binary
(member) Wed 07-Dec-16 16:14:48

TalkTalk's great approach to security... not!


Regarding the issue of TalkTalk-provided (and branded) D-Link DSL-3780 routers, and the hacking of said routers' default WiFi keys, TalkTalk's advice to customers rather suggests that the company's attitude to security hasn't fundamentally changed since last year's breach of its customer database.

BBC News: TalkTalk's wi-fi hack advice is 'astonishing'

The Inquirer: TalkTalk denies claims that customer passwords were stolen in Mirai router attack


This excerpt from the BBC News article perhaps says it all:
A spokeswoman for TalkTalk said that customers could change their settings "if they wish" but added that she believed there was "no risk to their personal information".

She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.


What a shower!
Standard User bobble_bob
(knowledge is power) Wed 07-Dec-16 16:38:11

Re: TalkTalk's great approach to security... not!


[re: binary]
 
Heard a lot of these attacks recently but they all fail to mention how the worm attacks the router. Is it like your typical worm where a dodgy email or link is clicked by the user, or is this something different?
Standard User 10forcash
(regular) Wed 07-Dec-16 20:01:39

Re: TalkTalk's great approach to security... not!


[re: bobble_bob]
 
https://badcyber.com/new-mirai-attack-vector-bot-exp...
TL;DR: the attack is via the ISP's update port(s) and protocol(s); vulnerable routers in the main lack ACLs and have unpatched vulnerabilities in their implementation of the TR-064 / TR-069 protocols.
It's one of a few attack vectors that require no interaction on the target's behalf, other than using low grade ISP supplied routers and / or modems.

Edited by 10forcash (Wed 07-Dec-16 20:04:58)



Standard User bobble_bob
(knowledge is power) Wed 07-Dec-16 20:27:04

Re: TalkTalk's great approach to security... not!


[re: 10forcash]
 
Providing ISPs patch this via a firmware update pushed automatically to devices (I assume a patch is out there?) then I can see why TalkTalk don't feel the need to replace affected routers.

Also, does this only affect ISP-provided routers/modems rather than the 3rd party ones a lot of people use?

Edited by bobble_bob (Wed 07-Dec-16 20:34:39)

Standard User 10forcash
(regular) Wed 07-Dec-16 21:23:37

Re: TalkTalk's great approach to security... not!


[re: bobble_bob]
 
TalkTalk (and many other smaller ISPs) do not implement ACLs; without restricting the source of device management, the protocol will allow access to anyone with the correct credentials, hence the 'astonishment' at TalkTalk forcing a credential reset to default, thereby making any of their routers where the end user has changed the default credentials 'to improve security' immediately vulnerable.
Some aftermarket routers and modems have vulnerabilities; use Shodan to check yours.
The specific vulnerability is the implementation of NTP as a command rather than a protocol; simply fixing this will not make the device secure, just less vulnerable.

Additionally, some routers / modems expose TR-064 to the WAN interface; only TR-069 traffic should be accepted (with auth.) on the WAN, but it is possible on some devices for TR-064 to listen on the WAN for traffic. This should not happen. It is also possible for TR-064 to accept commands without authentication; the specification says it should always be authenticated - clearly not all manufacturers follow the specification.

Edited by 10forcash (Wed 07-Dec-16 22:59:24)
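
Added example (not part of 10forcash's post, and not any vendor's or ISP's code): the three rules described in the post above, written as an audit over a router's management listeners. The `Listener` record, the function names and both inventories are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Listener:
    protocol: str            # "TR-064" (LAN-side config) or "TR-069" (ISP management)
    interface: str           # "wan" or "lan"
    auth_required: bool
    allowed_sources: list = field(default_factory=list)  # CIDR ACL; empty means none

def acl_is_restrictive(cidrs):
    """An ACL only counts if it exists and no entry matches every address."""
    if not cidrs:
        return False
    return all(ipaddress.ip_network(c, strict=False).prefixlen > 0 for c in cidrs)

def audit(listeners):
    """Return (protocol, interface, finding) tuples for each rule that is broken."""
    findings = []
    for svc in listeners:
        on_wan = svc.interface == "wan"
        if svc.protocol == "TR-064" and on_wan:
            findings.append((svc.protocol, svc.interface, "TR-064 must not listen on the WAN"))
        if not svc.auth_required:
            findings.append((svc.protocol, svc.interface, "accepts commands without authentication"))
        if svc.protocol == "TR-069" and on_wan and not acl_is_restrictive(svc.allowed_sources):
            findings.append((svc.protocol, svc.interface, "no ACL restricting the management source"))
    return findings

# Constructed inventories. 203.0.113.0/24 is a documentation range standing in
# for the ISP's management servers; it is not a real TalkTalk address.
WEAK = [
    Listener("TR-064", "wan", auth_required=False),
    Listener("TR-069", "wan", auth_required=True, allowed_sources=["0.0.0.0/0"]),
]
HARDENED = [
    Listener("TR-064", "lan", auth_required=True),
    Listener("TR-069", "wan", auth_required=True, allowed_sources=["203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(inventory) or "no findings")
```

An ACL of 0.0.0.0/0 is treated the same as no ACL, since credentials are then the only barrier.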

Standard User bobble_bob
(knowledge is power) Wed 07-Dec-16 22:02:37

Re: TalkTalk's great approach to security... not!


[re: 10forcash]
 
Ah, understand now, cheers for the explanation.
Standard User 23Prince
(committed) Thu 08-Dec-16 18:19:16

Re: TalkTalk's great approach to security... not!


[re: binary]
 
Is it just hacking of WiFi? So as I don't use it, am I safe?
Standard User AdrianPH
(member) Thu 08-Dec-16 18:54:47

Re: TalkTalk's great approach to security... not!


[re: 23Prince]
 
In reply to a post by 23Prince:
Is it just hacking of WiFi? So as I don't use it, am I safe?


No, nothing to do with WiFi.

It is access through the router's remote management ports.

Do you have remote management TR064/TR069 set to allow on your router?

The list of vulnerable routers is shown in most of the reports.
Standard User 10forcash
(regular) Thu 08-Dec-16 18:57:06

Re: TalkTalk's great approach to security... not!


[re: 23Prince]
 
No, it's gaining access to your LAN (wired and / or wireless) remotely using the router or modem WAN interface due to a poor implementation of the TR-064 / TR-069 protocol.
Typically, this has manifested itself in allowing 'botnets' to be created using the modem or router hardware; it is possible that, because it bypasses any built-in firewall or access rules, an attacker could infiltrate devices on the LAN, possibly to deploy ransomware or harvest personal details. As I stated previously, closing off this particular attack vector does not make you secure, just less insecure.
Standard User 23Prince
(committed) Thu 08-Dec-16 19:45:15

Re: TalkTalk's great approach to security... not!


[re: AdrianPH]
 
In reply to a post by AdrianPH:
In reply to a post by 23Prince:
Is it just hacking of WiFi? So as I don't use it, am I safe?


No, nothing to do with WiFi.

It is access through the router's remote management ports.

Do you have remote management TR064/TR069 set to allow on your router?

The list of vulnerable routers is shown in most of the reports.


Thanks for the info.

I do - but I did disable remote management... After reading this I disabled the router and put on a Billion so I can prevent being hacked. I've got CCTV and a card machine on my line after all!

I owe you one.