TalkTalk's great approach to security... not!

Regarding the issue of TalkTalk provided (and branded) Dlink DSL-3780 routers, and the hacking of said routers default WiFi keys, TalkTalk's advice to customers rather suggests that the company's attitude to security hasn't fundamentally changed since last year's breach of its customer database.

BBC News: TalkTalk's wi-fi hack advice is 'astonishing'

The Inquirer: TalkTalk denies claims that customer passwords were stolen in Mirai router attack


This excerpt from the BBC News article perhaps says it all:

A spokeswoman for TalkTalk said that customers could change their settings "if they wish" but added that she believed there was "no risk to their personal information".

She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.

What a shower!

Heard alot of these attacks recently but they all fail to mention how the worm attacks the router. Is it like your typical worm where a dodgy email or link it clicked by the user, or is this something different?

https://badcyber.com/new-mirai-attack-vector-bot-exp...
Tl;dr the attack is via the ISP's update port(s) and protocol(s), vulnerable routers in the main lack acl's and have unpatched vulnerabilities in their implementation of the TR-064 / TR-069 protocols
It's one of a few attack vectors that require no interaction on the target's behalf, other than using low grade ISP supplied routers and / or modems.

Edited by deleted (Wed 07-Dec-16 20:04:58)

Proving ISPs patch this via a firmware update pushed automatically to devices (i assume a patch is out there?) then i can see why Talk Talk dont feel the need to replace effected routers.

Also does this only effect ISP provided routers/modems rather than 3rd party ones alot of people use?

Edited by bobble_bob (Wed 07-Dec-16 20:34:39)

Talktalk (and many other smaller ISP's) do not implement ACLs, without restricting the source of device management, the protocol will allow access to anyone with the correct credentials, hence the 'astonishment' at Talktalk forcing a credential reset to default, thereby making any of their routers where the end user has changed the default credentials 'to improve security' immediately vulnerable.
Some aftermarket routers and modems have vulnerabilities, use Shodan to check yours.
The specific vulnerability is the implementation of NTP as a command rather than a protocol, simply fixing this will not make the device secure, just less vulnerable.

Additionally, some routers / modems expose TR-064 to the WAN interface, only TR-069 traffic should be accepted (with auth.) on the WAN, it is possible on some devices for TR-064 to listen on the WAN for traffic. This should not happen. It is also possible for TR-064 to accept commands without authentication, the specification says it should always be authenticated - clearly not all manufacturers follow the specification.

Edited by deleted (Wed 07-Dec-16 22:59:24)

Ah understand now, cheers for the explanation

Is it just hacking of wifi? so as I dont use it am I safe?

In reply to a post by 23Prince:

Is it just hacking of wifi? so as I dont use it am I safe?

No, nothing to do with WiFi.

It is access through the routers remote management ports.

Do you have remote management TR064/TR069 set to allow on your router?

The list of vulnerable routers is shown in most of the reports.

No, it's gaining access to your LAN (wired and / or wireless) remotely using the router or modem WAN interface due to a poor implementation of the TR-064 /TR-069 Protocol.
Typically, this has manifested itself in allowing 'botnets' to be created using the modem or router hardware, it is possible that because it bypasses any built-in firewall or access rules, that an attacker could infiltrate devices on the LAN, possibly to deploy ransomware or harvest personal details. As I stated previously, closing off this particular attack vector does not make you secure, just less insecure.

In reply to a post by AdrianPH:

In reply to a post by 23Prince:

Is it just hacking of wifi? so as I dont use it am I safe?

No, nothing to do with WiFi.

It is access through the routers remote management ports.

Do you have remote management TR064/TR069 set to allow on your router?

The list of vulnerable routers is shown in most of the reports.

Thanks for the info.

I do - but I did disable remote management... After reading this I disabled the router and put on a Billion so I can prevent being hacked. I've got CCTV and a card machine on my line afterall!

I owe you one.