Monday, 05 December 2016 14:29

IoT eminently hackable – 900,000 routers down and millions vulnerable

Hacked Internet of Things (IoT) devices are powering massive botnets and cybercriminals are offering DDoS attacks as a service. A total of 900,000 ZyXEL routers took down Deutsche Telekom users last week.

The IoT is essentially anything that connects to the Internet apart from a computer. That includes Wi-Fi routers, security cameras, thermostats and home appliances, through to sensors used in industrial and manufacturing applications.

IoT is inherently insecure – a lack of standards, insecure operating systems, embedded passwords, and manufacturers’ backdoors make it so. For example, a team of security experts hacked 12 of the 16 most common Bluetooth smart locks used in the US. Smart thermostats, security cameras and kids’ toys have also been hacked.

All IoT devices have some capability to send email alerts or access the Internet to upload data and receive instructions, and that is why hackers seek access to them. According to Motherboard, two hackers have created a powerful new zombie army of hacked IoT devices for rent to launch DDoS attacks.

The hackers claim to have improved on the Mirai “virus” enabling it to troll the Internet, find insecure devices, and bring them into the botnet. They now have over a million devices under control.

“The original Mirai was easy to take, like candy from kids,” the hacker, who calls himself BestBuy, told Motherboard in an online chat, referring to other competing hackers, who’ve been fighting in an online turf war to control vulnerable devices in the last few weeks.

Flashpoint puts the figure at around five million devices as the new Mirai virus finds more targets. It says while the original Mirai propagated over TCP/23 (Telnet) and TCP/2323 and leveraged default usernames and passwords, this new variant of Mirai utilizes the TR-064 and TR-069 protocols over port 7547 and exploits a known vulnerability to gain control of devices.

Flashpoint says it was used to take down 900,000 routers on the Deutsche Telekom network last week. It says infected devices have been found in the following countries: United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina, Italy, and Germany.

Though the number of infected devices is unknown, some estimates put the total number of devices with port 7547 open at around 41 million, and devices that allow non-ISPs access to provisioning networks number up to five million. If even a fraction of these vulnerable devices are compromised, they would add considerable power to an existing botnet.

While almost all ADSL routers have port 7547 open, most of the ones used on Deutsche Telekom were supplied by ZyXEL. It has responded that “it is aware of the issue and assures customers that it is handling it with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers.”

If that is really the issue then the world needs to worry – ZyXEL uses Broadcom chips, which are used in most brands and models of routers and provide TR-069 remote ISP management as standard.

Part of the problem is that the consumer routers have been incorrectly configured, says Johannes Ullrich, dean of research at the SANS Institute of Technology. The attacks exploited a software vulnerability via a remote administration setting usually restricted to ISPs.

“These remote admin protocols are supposed to use authentication and access restrictions but it appears they are not implemented correctly,” he says. Ullrich says he hopes the attacks will serve as a wake-up call for ISPs, but “there are likely many so far unknown vulnerabilities left in the various implementations of these remote admin protocols”.
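The two technical points above (the new variant reaching routers over TCP/7547, the TR-064/TR-069 port, and Ullrich's observation that the remote-admin protocol should have been reachable only by the ISP) translate directly into a detection and a mitigation. The following is an added illustration, not code from the article or from any vendor: it parses constructed netfilter-style firewall log lines, flags inbound connections to port 7547 that do not come from an assumed ISP auto-configuration server (ACS) range, reports sources that probe many destinations in the way a propagating bot would, and emits the corresponding allow/drop rules. The log lines, the `192.0.2.0/24` ACS range and the `ppp0` interface name are all assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample log lines in netfilter/iptables LOG format (not real traffic).
SAMPLE_LOGS = """\
Nov 28 10:01:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41234 DPT=7547 SYN
Nov 28 10:01:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=41235 DPT=7547 SYN
Nov 28 10:01:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=41236 DPT=7547 SYN
Nov 28 10:01:04 gw kernel: IN=ppp0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=55000 DPT=7547 SYN
Nov 28 10:01:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.44 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=443 SYN
Nov 28 10:01:06 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP SPT=41237 DPT=7547 SYN
"""

# Hypothetical allowlist: the ISP's own ACS range. Only this range should ever
# talk to the customer-premises equipment on the TR-069 (CWMP) port.
ISP_ACS_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
CWMP_PORT = 7547
WAN_IFACE = "ppp0"  # assumed WAN interface name

LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract interface, source, destination, protocol and destination port."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def is_isp_acs(src):
    """True if the source address lies inside the allowlisted ACS range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ISP_ACS_NETWORKS)


def find_unauthorised_cwmp(log_text):
    """Return every inbound TCP/7547 event whose source is not the ISP's ACS."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or rec["dpt"] != CWMP_PORT:
            continue
        if not is_isp_acs(rec["src"]):
            events.append(rec)
    return events


def scanning_sources(events, min_targets=3):
    """Sources that hit >= min_targets distinct destinations on 7547.

    A legitimate ACS talks to its own customers; a host sweeping many
    addresses on this port looks like the propagation the article describes.
    """
    targets = {}
    for e in events:
        targets.setdefault(e["src"], set()).add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def mitigation_rules():
    """iptables rules implementing the access restriction Ullrich refers to:
    accept 7547 only from the ACS range on the WAN side, drop everything else."""
    rules = [
        f"iptables -A INPUT -i {WAN_IFACE} -p tcp --dport {CWMP_PORT} -s {net} -j ACCEPT"
        for net in ISP_ACS_NETWORKS
    ]
    rules.append(f"iptables -A INPUT -i {WAN_IFACE} -p tcp --dport {CWMP_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    bad = find_unauthorised_cwmp(SAMPLE_LOGS)
    print(f"{len(bad)} unauthorised CWMP connection attempts")
    for src, n in scanning_sources(bad).items():
        print(f"scan-like source {src}: {n} distinct targets on {CWMP_PORT}")
    print("\n".join(mitigation_rules()))
```

On the constructed sample the ACS connection from `192.0.2.7` and the unrelated port-443 connection are ignored, the four probes from `203.0.113.10` are flagged, and that source is reported as scan-like because it touched four different customers. The same allowlist that drives the detection also produces the firewall rules, which is the point: the protocol itself is not the problem if the port is simply unreachable from anywhere but the provisioning network.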

Tod Beardsley, senior security research manager at Rapid7, said “While we have been warning about crummy routers and switches at home for years and years, I wasn't expecting to see the Mirai botnet become this IoT attack platform. It turns out it's a pretty decent platform for subbing in new attacks for old ones. A lot of these modems are rebranded by ISPs."

In the US, a DDoS attack was identified on Thanksgiving Eve and over the Black Friday weekend sales, involving 400Gbps attacks for hours on end. Within 24 hours the attacks became 24/7.

Ray Shaw

Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!
