Blog: Internet Of Things

TalkTalk and other ISPs need to replace customer routers urgently

Ken Munro 03 Dec 2016


The TR-064 security hole that was reported this week is really nasty.

The worm that exploits this is being referred to as ‘Annie’.

Attackers appear to have cottoned on to the fact that the TR-064 vulnerability can be used for more than just recruiting the router into a botnet.

Here’s a real example we saw earlier today:

IP, SSID, WLAN MAC, WPA Key, Manufacturer, Model, Product Class, Serial, Software Version, Firmware Version

92.0.***.***,TALKTALK-******,78:54:2E:**:**:**,XN6JKMJG,D-Link,None,DSL-3780,78542E******,V100R001B012,3.10.0.24

I’ve redacted some of the above, but not the customer’s Wi-Fi key, XN6JKMJG.

We run a TR-064 / Annie honeypot and saw requests last night, which alerted us to the issue. Here you can see someone trying to steal our Wi-Fi network key using the ‘GetSecurityKeys’ command:

[Screenshot: honeypot capture of the GetSecurityKeys request]

TalkTalk published a fix to the TR-064 / Annie issue. What this does is disable the TR-064 interface and reset the router. It resets the passwords back to the ones written on the back of the router:

[Image: the default passwords printed on the back of a TalkTalk router]

Here’s why the fix doesn’t work: Nearly all customers never change their Wi-Fi key from that written on the router. Why would they? I’ll bet many don’t even realise they can.

So, the Annie worm and hackers have already stolen their Wi-Fi keys, and the TalkTalk fix simply resets the router to the exact same keys that have already been stolen!

There is one mitigating factor in all of this: the hacker has to be physically close to the router to compromise the Wi-Fi. However, if you know the SSID (also stolen using the Annie worm) you can use databases such as https://wigle.net to find your victim’s house.

So, in conclusion: TalkTalk and other ISP customers that use similar routers are likely to have had their Wi-Fi keys stolen, opening them up to hackers.

Actions

Unless TalkTalk and others can prove through detailed logging that the customer Wi-Fi keys have not been stolen…

…then they should be REPLACING all customers’ routers urgently.

TalkTalk could remotely change the Wi-Fi keys, but then how would they communicate these to the customer quickly and easily? The customer would lose Wi-Fi access to their router until they realised what was going on.

If the change was communicated by telephone, that creates an awesome opportunity for vishing and telephone social engineering. “I’m calling from TalkTalk and I need your password to help you change it”

So, I say this to TalkTalk and other ISPs who left customers exposed by not setting up their routers correctly:

Either replace customer routers immediately, or prove that they haven’t been compromised.

Users can fix this themselves in the short term by resetting their router (follow the TalkTalk advice) and then changing their Wi-Fi password.

Out of interest, our honeypot has received around 170 attempts to exploit the TR-064 vulnerability in the last 12 hours, mostly from GB/UK sources. This suggests a lot of activity around UK ISPs such as TalkTalk:

[Chart: source countries of the TR-064 exploit attempts seen by the honeypot]

Only two of these have been attempts to get Wi-Fi keys, both originating from Africa, and the headers suggest that these are not Annie bots.
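As an added example (not the honeypot code from this post), here is how a defender could triage a TR-064 honeypot or router log the way the two observations above do: separate generic TR-064 probes from requests for the ‘GetSecurityKeys’ action, and count attempts per source. The one-line-per-request log format, the sample lines (RFC 5737 documentation addresses) and the DeviceInfo probe action are constructed for the example; the only thing taken from the post is that key theft uses the WLANConfiguration ‘GetSecurityKeys’ action on the TR-064 endpoint.

```python
"""Triage TR-064 requests seen by a honeypot: probes vs. Wi-Fi key theft.

Added example. The log format below is an assumption made for this
example, not the format of any real honeypot.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TR064_PATH = "/UD/act"               # TR-064 SOAP endpoint on the affected routers
KEY_THEFT_ACTION = "GetSecurityKeys"  # WLANConfiguration action that returns the WPA key

# Constructed sample log: "<timestamp> <source IP> <method> <path> "<SOAPAction>"".
SAMPLE_LOG = """\
2016-12-02T23:41:07Z 198.51.100.23 POST /UD/act?1 "urn:dslforum-org:service:DeviceInfo:1#GetInfo"
2016-12-02T23:41:09Z 198.51.100.23 POST /UD/act?1 "urn:dslforum-org:service:DeviceInfo:1#GetInfo"
2016-12-03T00:02:51Z 203.0.113.77 POST /UD/act?1 "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
2016-12-03T00:15:30Z 192.0.2.8 POST /UD/act?1 "urn:dslforum-org:service:DeviceInfo:1#GetInfo"
2016-12-03T01:07:12Z 203.0.113.91 POST /UD/act?1 "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
2016-12-03T01:30:00Z 192.0.2.8 GET / -
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"?(?P<action>[^"]*)"?\s*$'
)


@dataclass
class Request:
    ts: str
    src: str
    method: str
    path: str
    action: str   # SOAPAction header value, or "-" when absent


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(**m.groupdict())


def classify(req: Request) -> str:
    """Label a request: Wi-Fi key theft, generic TR-064 probe, or unrelated traffic."""
    if req.method == "POST" and req.path.startswith(TR064_PATH):
        if req.action.endswith("#" + KEY_THEFT_ACTION):
            return "wifi_key_theft"
        return "tr064_probe"
    return "other"


def summarize(log_text: str) -> dict:
    """Count requests per label, TR-064 requests per source, and list key-theft sources."""
    counts: Counter = Counter()
    by_source: Counter = Counter()
    key_theft_sources = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue          # skip malformed lines rather than failing the whole run
        label = classify(req)
        counts[label] += 1
        if label != "other":
            by_source[req.src] += 1
        if label == "wifi_key_theft":
            key_theft_sources.append(req.src)
    return {
        "counts": dict(counts),
        "by_source": dict(by_source),
        "key_theft_sources": key_theft_sources,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("requests by label:", report["counts"])
    print("TR-064 requests by source:", report["by_source"])
    print("sources that asked for the Wi-Fi key:", report["key_theft_sources"])
```

The split into “probe” and “key theft” is what matters operationally: a burst of TR-064 probes from a worm means the router may have been recruited, while any ‘GetSecurityKeys’ request that reached a real router means the WPA key should be treated as disclosed, which is exactly why a reset back to the printed key does not help.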