Regarding the issue of TalkTalk provided (and branded) D-Link DSL-3780 routers, and the hacking of said routers' default WiFi keys, TalkTalk's advice to customers rather suggests that the company's attitude to security hasn't fundamentally changed since last year's breach of its customer database.
BBC News: TalkTalk's wi-fi hack advice is 'astonishing'
The Inquirer: TalkTalk denies claims that customer passwords were stolen in Mirai router attack
This excerpt from the BBC News article perhaps says it all:
A spokeswoman for TalkTalk said that customers could change their settings "if they wish" but added that she believed there was "no risk to their personal information".
She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.
What a shower!
Heard a lot of these attacks recently but they all fail to mention how the worm attacks the router. Is it like your typical worm where a dodgy email or link is clicked by the user, or is this something different?
https://badcyber.com/new-mirai-attack-vector-bot-exp...
Tl;dr: the attack is via the ISP's update port(s) and protocol(s); vulnerable routers in the main lack ACLs and have unpatched vulnerabilities in their implementation of the TR-064 / TR-069 protocols.
It's one of a few attack vectors that require no interaction on the target's behalf, other than using low grade ISP supplied routers and / or modems.
Edited by deleted (Wed 07-Dec-16 20:04:58)
Providing ISPs patch this via a firmware update pushed automatically to devices (I assume a patch is out there?) then I can see why TalkTalk don't feel the need to replace affected routers.
Also, does this only affect ISP provided routers/modems rather than the 3rd party ones a lot of people use?
Edited by bobble_bob (Wed 07-Dec-16 20:34:39)
Talktalk (and many other smaller ISPs) do not implement ACLs; without restricting the source of device management, the protocol will allow access to anyone with the correct credentials, hence the 'astonishment' at Talktalk forcing a credential reset to default, thereby making any of their routers where the end user has changed the default credentials 'to improve security' immediately vulnerable.
Some aftermarket routers and modems have vulnerabilities, use Shodan to check yours.
The specific vulnerability is the implementation of NTP as a command rather than a protocol, simply fixing this will not make the device secure, just less vulnerable.
Additionally, some routers / modems expose TR-064 to the WAN interface. Only TR-069 traffic should be accepted (with auth.) on the WAN, but it is possible on some devices for TR-064 to listen on the WAN for traffic. This should not happen. It is also possible for TR-064 to accept commands without authentication; the specification says it should always be authenticated - clearly not all manufacturers follow the specification.
Edited by deleted (Wed 07-Dec-16 22:59:24)
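The point about ACLs above is the part a defender can actually act on: management traffic arriving on the WAN should be accepted only from the ISP's own auto-configuration server range, and everything else logged. The following is an added example (not code from the thread or from any ISP) that applies that rule to constructed netfilter-style firewall log lines; the allowed ACS range and the WAN interface name are placeholders, and TCP 7547 is assumed as the CWMP (TR-069) port.

```python
import ipaddress
import re

# Placeholder for the ISP's ACS (auto-configuration server) range that is
# permitted to reach the router's TR-069 management port. Not a real range.
ALLOWED_ACS_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
CWMP_PORT = 7547  # usual CWMP/TR-069 TCP port; TR-064 should never listen here on the WAN

# Constructed sample log lines (netfilter style), not taken from any real router.
SAMPLE_LOG = """\
kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=44122 DPT=7547 SYN
kernel: IN=ppp0 OUT= SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=7547 SYN
kernel: IN=ppp0 OUT= SRC=192.0.2.56 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=443 SYN
kernel: IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=50001 DPT=7547 SYN
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def classify(line, wan_ifaces=("ppp0",)):
    """Return 'allowed', 'blocked', or None when the line is not WAN-side management traffic."""
    m = LINE_RE.search(line)
    if not m or m.group("proto") != "TCP" or int(m.group("dport")) != CWMP_PORT:
        return None
    if m.group("iface") not in wan_ifaces:
        return None  # LAN-side management traffic is outside this check
    src = ipaddress.ip_address(m.group("src"))
    if any(src in net for net in ALLOWED_ACS_SOURCES):
        return "allowed"
    return "blocked"


def audit(log_text):
    """Count WAN-side management attempts by ACL verdict and list the sources that should be dropped."""
    counts = {"allowed": 0, "blocked": 0}
    offenders = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict == "blocked":
            offenders.append(LINE_RE.search(line).group("src"))
    return counts, offenders


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The same source check, expressed as a firewall rule rather than a log audit, is what the post means by "restricting the source of device management".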
Ah, understand now, cheers for the explanation.
Is it just hacking of WiFi? So as I don't use it, am I safe?
Is it just hacking of WiFi? So as I don't use it, am I safe?
No, nothing to do with WiFi.
It is access through the router's remote management ports.
Do you have remote management (TR-064/TR-069) set to allow on your router?
The list of vulnerable routers is shown in most of the reports.
No, it's gaining access to your LAN (wired and / or wireless) remotely using the router or modem WAN interface, due to a poor implementation of the TR-064 / TR-069 protocol.
Typically, this has manifested itself in allowing 'botnets' to be created using the modem or router hardware. It is possible that, because it bypasses any built-in firewall or access rules, an attacker could infiltrate devices on the LAN, possibly to deploy ransomware or harvest personal details. As I stated previously, closing off this particular attack vector does not make you secure, just less insecure.
Is it just hacking of WiFi? So as I don't use it, am I safe?
No, nothing to do with WiFi.
It is access through the router's remote management ports.
Do you have remote management (TR-064/TR-069) set to allow on your router?
The list of vulnerable routers is shown in most of the reports.
Thanks for the info.
I do - but I did disable remote management... After reading this I disabled the router and put on a Billion so I can prevent being hacked. I've got CCTV and a card machine on my line after all!
I owe you one.
No, it's gaining access to your LAN (wired and / or wireless) remotely using the router or modem WAN interface, due to a poor implementation of the TR-064 / TR-069 protocol.
Typically, this has manifested itself in allowing 'botnets' to be created using the modem or router hardware. It is possible that, because it bypasses any built-in firewall or access rules, an attacker could infiltrate devices on the LAN, possibly to deploy ransomware or harvest personal details. As I stated previously, closing off this particular attack vector does not make you secure, just less insecure.
Again thanks to you for the info. I hope I have done all I can to protect myself.
Edit..
Not sure I can get away from this.. I put the Billion on and did a factory reset - and it picked up my account right away. Not even put my username in!
Which is this TR69?
Edited by deleted (Thu 08-Dec-16 19:54:18)
I just changed the Auth method from Auto to CHAP and put my username and password in - which I hope will turn the TR69 thing off.
Talktalk VDSL uses DHCP, no authentication needed. TR-069 is the protocol used by ISPs and, if installed, is not generally presented as an on/off option - but can generally be controlled via telnet commands.
If you have CCTV, that is a vulnerability all by itself if it presents itself to the internet. Not sure what you mean by 'card machine'.
I've said it before on this site - and been derided for it - any internet connected network needs to be treated as compromised and all the devices connected to it need to be secured, not just 'from the outside' but also from each other.
See the following articles:-
http://www.theregister.co.uk/2016/12/08/talktalk_rou...
http://www.theregister.co.uk/2016/10/27/good_luck_se...
http://www.theregister.co.uk/2016/12/07/ip_cameras_u...
http://www.theregister.co.uk/2016/12/08/can_isps_ste...
http://www.theregister.co.uk/2016/10/19/home_router_...
Apologies to those who find 'The Register' irksome, they do make some pretty dry stuff readable to non - greybeards.
Edit:- It appears that some Billion routers do make TR-069 available. This in itself isn't an issue, as it's a specific problem with certain chipsets and their firmware implementation of TR-064 and its availability on the TR-069 port, not an issue with all TR-069 / TR-064 implementations. There appears to be a knee-jerk reaction in people rushing to try and disable the TR-069 protocol. This is not useful: in the event of an ISP or modem / router manufacturer having to push updates to prevent further vulnerabilities or correct connection issues (or even enable features such as G.Fast), those with equipment that isn't updatable will at best lose out on new features or at worst have their equipment compromised.
Edited by deleted (Thu 08-Dec-16 22:57:23)
Not sure what you mean by 'card machine'
One of those contactless terminals like you get in your local Tesco.
Ah, well as long as it complies with PCI DSS then you should be OK. It won't make things any more secure, but procedurally you're covered against losses.
I believe so - it was put in by a reputable company. But I WILL check and thanks for the info!
TalkTalk lines don't need an authentication account usually.
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
That's true - I was on right away with their autoconfig, but isn't this the same thing as the TR-069 that people are using to hack with?
I've set my gear to use CHAP instead of Auto, so I hope this will help? I have no real idea what I am on about, but I want to protect the card machine and CCTV as it's one of my many properties, so to me it's sensitive. It's also remotely monitored.
Not the same, DHCP is very different to the TR-069 protocol - you can disable TR-069 and DHCP will still function, as long as the modem / router is configured to use it. Note that DHCP is (as far as I'm aware) only used on Talktalk LLU circuits; other implementations, including ADSL, may require authentication. If you really want control of the LAN side of your network, pfSense is a good option, but it will require another device in the chain with two network ports. I set one up for my son to test using an old Compaq netbook with a USB Ethernet dongle as the second port; its low power consumption with the screen switched off helps too.
Thanks for the advice. I am sure I am on the LLU network or its equivalent for FTTC. I know that without DHCP the connection won't work. I have been considering recommissioning my TP-Link rack-mounted load balancer, which has 4 ports and would be able to round-robin and balance my connections and bond them together. It cost me £150 about 2 years ago and I have not really used it much!
Edit: I must be on their LLU network or something - as a static IP change forced me to re-auth - something they wouldn't be able to do on BT.
Edited by deleted (Fri 09-Dec-16 19:15:10)
I think the CCTV will be okay. I checked today with the installer and apparently, in order to see the internet stream, the software on the device has to scan a QR code on the screen first.
I know he scanned my iPad and phone for when I am away - so therefore I hope I am the only one with access (and the remote monitoring company).
The best card machines are the ones which do encryption in the pinpad, because in this instance all cardholder data is encrypted in the device when the card is inserted and PIN entered. Here no cleartext cardholder data propagates through the network and it does not even enter the POS memory (where memory scrapers have been known to exfiltrate that data).
Look at solutions, namely P2PE... That said, it is very common to see organisations where cleartext cardholder data is transmitted from the pinpad into the POS (Windows XP or Windows 7 typically), out into the network, to a backend store server, over an MPLS link to a server of some kind (sometimes Windows Server 2003, despite this being a critical vulnerability), and then on to the payment acquirer. Where Windows Server 2003 or XP is used, as part of PCI-DSS that is flagged as a major vulnerability and the company has to take a decision whether they accept the risk or not. We will always flag it and the risk is made very clear.
Reasons for accepting the risk could be that the vendor who installed the POS worldwide in 2002 is no longer in business, so new POS systems, new pinpads, new backend store servers etc. all need to be sourced, which could be multi-million pounds. Here we commonly see companies trying to upgrade to Windows 7 on POS, and they will try to run the old vendor software, but when it fails and the vendor no longer exists, there is little option but to go back to XP until they can get budget to effectively scrap the whole solution.
Luckily we are seeing so many large firms moving to end to end encryption.
A lot of this stuff seems elementary, but doing the basics such as changing default passwords for webcams, switches, routers etc. and any server software running (i.e. Apache Tomcat etc.) helps enormously, as does keeping the latest OS patches installed.
Edited by ukhardy07 (Mon 12-Dec-16 00:09:00)
Thanks, I will do that. I know the machine does the encryption, but that's about it. I would need to ask the manufacturer; however, it's the same machines you get in your local ASDA/Tesco - I forget the name of it right now but it starts with "O".
I do need to ring TTB anyway because for some reason one of my worksafe options is working. So I will ask them about all of this when I do.