
TalkTalk router hack. Consumers, what should you do?

Ken Munro 07 Dec 2016

No doubt you’ve seen the press coverage about the compromise of TalkTalk and many other ISP routers. What should you do about it, and what should you advise your friends and family to do?

The hack is believed to be gathering people’s home internet routers to create a huge ‘bot-net’. This can be used to send vast amounts of internet traffic to popular web sites and critical internet components, knocking them offline in what’s called a Distributed Denial of Service or DDoS attack.

A smaller bot-net called ‘Mirai’ that involved CCTV cameras & digital video recorders knocked various social networks offline for a few hours in October. This one is much bigger and more dangerous.

What can the hack do?

It takes advantage of a misconfiguration in the router when set up by your ISP. A function set called ‘TR-064’ is exposed to the internet. Using this, a hacker can do the following:

  • Steal your Wi-Fi keys from your router
  • Take control of your router by changing what’s known as the ‘ACS’ – this is a server your router connects to in order to download settings and updates. Normally this is operated by your ISP, but the hacker can change it to one they control.
  • Stop your router working – known as ‘bricking’
  • Intercept all of your internet traffic, through changing what’s known as your DNS – that translates web page addresses into IP addresses that the internet understands
  • And more…

What should you do?

Contact your ISP to find out if your router is vulnerable, and if so, how to update the firmware.

In many cases, it’s a matter of pushing the little reset button on the back of the router with a paper clip or similar.

This should force the router to download new software (called ‘firmware’) from your ISP and fix itself.

Next, change your Wi-Fi key. If you’re not sure how to do this, again go to your ISP web site and check.

Changing the Wi-Fi key is really important, as this could have been stolen by the hacker.

If the router doesn’t work after you’ve reset it (this could take a few minutes or more) then it’s time to call your ISP and ask for a replacement router.

Personally, I think that the ISP should be replacing ALL of the affected routers, as it’s possible that the hackers could keep control of your router even after you’ve reset it and applied the fix.

How did this happen?

It’s a long story, but we think that the ISPs didn’t properly check the security of the routers they were providing to customers.

Most routers are made in the Far East, and most of the affected routers have components in them made by a group of companies called Ralink / Econet / Mediatek. No-one is certain, but some think that the manufacturers of the routers had software written for them that didn’t secure the ‘TR-064’ protocol correctly.

The ISPs should have done a better job of checking their routers before sending them to customers. The manufacturers should have had the software written securely in the first place.

The TR-064 issue has been known about for a while, though until recently few realised just how serious it was. Until someone started building the bot-net and people’s routers stopped working, few were taking this seriously.

We run what’s called a ‘honeypot’ router – this is a piece of software that looks like one of these routers and helps us monitor odd activity on the internet. When we saw weird requests, we realised that people’s Wi-Fi keys and worse could be stolen. That’s when we realised just how serious this issue is.
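For readers who run a honeypot of their own, here is an added example (not the author's honeypot code) of sorting TR-064 requests in its log into the impacts listed earlier in this post. The log format, the LAN range and the sample lines are constructed for illustration, and the action names come from the TR-064 specification rather than from the post.

```python
import ipaddress
import re
from collections import defaultdict
# Assumption: the honeypot's LAN; anything outside it came from the internet.
LAN = ipaddress.ip_network("192.168.1.0/24")
# TR-064 action names (from the spec, not the post) mapped to the post's impacts.
IMPACT = {
    "GetSecurityKeys": "wifi-key-theft",
    "SetManagementServerURL": "acs-change",
    "SetDNSServer": "dns-change",
}
# SOAPAction value: urn:dslforum-org:service:<Service>:<version>#<Action>
LINE = re.compile(r'src=(?P<src>\S+)\s+soapaction="urn:dslforum-org:service:'
                  r'\w+:\d+#(?P<action>\w+)"')

def classify(line):
    """Return (source_ip, impact) for an internet-side TR-064 request, else None."""
    m = LINE.search(line)
    if not m:
        return None  # not a TR-064 SOAP request
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # malformed source field
    if src in LAN:
        return None  # local management traffic is expected
    # Any TR-064 action not in the table is still reported, as "other".
    return str(src), IMPACT.get(m.group("action"), "other")

def summarise(lines):
    seen = defaultdict(set)  # source address -> impacts seen from it
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {ip: sorted(impacts) for ip, impacts in seen.items()}

# Constructed sample log lines; addresses are from documentation ranges.
URN = 'soapaction="urn:dslforum-org:service:'
SAMPLE = [
    f'src=203.0.113.5 {URN}WLANConfiguration:1#GetSecurityKeys"',
    f'src=203.0.113.5 {URN}ManagementServer:1#SetManagementServerURL"',
    f'src=198.51.100.9 {URN}LANHostConfigManagement:1#SetDNSServer"',
    f'src=198.51.100.9 {URN}DeviceInfo:1#GetInfo"',
    f'src=192.168.1.20 {URN}WLANConfiguration:1#GetSecurityKeys"',
    'src=203.0.113.7 request="GET / HTTP/1.1"',
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```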

Go and check your router now, update it and change your Wi-Fi keys urgently. Hopefully ISPs will realise the error of their ways and replace the routers too.

Whilst you’re at it, make sure you use a password manager and always use two step verification when logging in to web sites and apps.