The "open interface" myth: what really happened
Dec 1, 2016
Since yesterday there has been rampant speculation about alleged vulnerabilities in connection with a broad-based external attack on the Speedport routers of Deutsche Telekom customers. We have compiled detailed background information below that we hope will bring some objectivity to the discussion.
For the secure remote maintenance of the Speedport routers, a feature called "Easy Support", Deutsche Telekom uses the TR-069 protocol, a standard defined by the Broadband Forum. This feature enables the installation of firmware updates and the configuration of specific devices, for example, as well as fault diagnosis when requested by the customer. All remote maintenance functions require the user device to initiate a secure connection, protected by the latest encryption standards, with Deutsche Telekom's auto-configuration server (ACS). The ACS is the network-side component for the remote maintenance functions. Therefore, it is not possible to access the data model on a user device through a connection initiated from the Internet. The following events cause a user device to log on to the ACS:
- The user device is restarted or the Internet connection was interrupted and is re-established.
- The user device is online and a predefined time interval has passed.
- The ACS requested the user device to connect. This "connection request" is defined in the TR-069 standard.
For the connection request to work, the ACS must be able to reach the user device over the Internet. The standard defines port 7547/tcp for this function, and all Speedport routers use this port. The connection request is sent using the HTTP protocol. On Speedport routers, a variety of security features protect this mechanism against misuse. For example, the ACS has to authenticate itself to the user device using a device-specific password. To repeat: when a connection request is sent, it only triggers the user device to create a secure connection to a preconfigured ACS at Deutsche Telekom. In general, the connection request does not permit access to the data model on the user device.
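To illustrate the mechanism described above, here is an added example (not Deutsche Telekom's code and not Speedport firmware) that models the connection-request endpoint on the device side: it accepts only an HTTP-digest-authenticated request (the scheme the TR-069 specification uses for connection requests) with a single-use nonce and the device-specific password, and the only effect of a valid request is that the device opens its own session to the preconfigured ACS URL. The ACS URL, realm and credentials are constructed placeholders.

```python
# Added example: a model of a TR-069 connection-request endpoint on the CPE side.
# Not Speedport firmware; ACS_URL, REALM and the credentials are constructed placeholders.
import hashlib
import secrets

ACS_URL = "https://acs.example.invalid/cwmp"   # preconfigured by the operator, never taken from a request
REALM = "cpe"
CR_USER = "acs-user"                           # ConnectionRequestUsername (constructed)
CR_PASS = "per-device-secret-7Qx"              # ConnectionRequestPassword, unique per device (constructed)

_issued_nonces = set()                         # nonces handed out in 401 challenges, each usable once


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce):
    """RFC 2617 digest response with qop=auth, as used for TR-069 connection requests."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def issue_challenge():
    """Called when the CPE answers 401: mint a fresh nonce for the WWW-Authenticate header."""
    nonce = secrets.token_hex(16)
    _issued_nonces.add(nonce)
    return nonce


def handle_connection_request(method, path, auth):
    """Return (http_status, action). The only possible action is ("session", ACS_URL):
    nothing in the request chooses a target, a parameter or any code to run.
    `auth` is the parsed Authorization header as a dict, or None if absent."""
    if method != "GET":                        # the connection request carries no body to act on
        return 405, None
    if auth is None:
        return 401, None                       # caller issues a challenge via issue_challenge()
    nonce = auth.get("nonce", "")
    if nonce not in _issued_nonces:
        return 401, None                       # unknown, expired or replayed nonce
    _issued_nonces.discard(nonce)              # single use, whether or not the attempt succeeds
    expected = digest_response(CR_USER, CR_PASS, REALM, method, path,
                               nonce, auth.get("nc", ""), auth.get("cnonce", ""))
    if auth.get("username") != CR_USER or not secrets.compare_digest(expected, auth.get("response", "")):
        return 401, None
    # Authenticated: the CPE now opens its own outbound session to the preconfigured ACS.
    return 200, ("session", ACS_URL)
```

A request without valid credentials, with a reused nonce, or with any method other than GET is refused before the device does anything; a valid one yields nothing but the instruction to contact the preconfigured ACS.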
Vulnerabilities in remote maintenance functions for Internet routers that use the TR-069 protocol were already published several years ago. Deutsche Telekom monitored and assessed these publications. In addition, we also examined our own infrastructure for potential vulnerabilities. All the publications that Deutsche Telekom has become aware of in recent years essentially involved the security of the network-side component for TR-069, the ACS.
The current attacks did not involve the ACS, however, but rather the endpoint for the connection request on the user device, which can be reached via port 7547/tcp. The attack method used is new and was previously unknown. According to our current information, it is based on a publication on the Internet from early November 2016. This publication describes a severe vulnerability in the implementation of the connection request on a router model produced by a third-party manufacturer, one that Deutsche Telekom does not use or distribute. The vulnerability not only allows access to the device's data model, but also the injection of code that then runs on the affected router.
We suspect that the current extensive attacks on Internet routers, which also affect Deutsche Telekom customers, were launched over port 7547/tcp based on this publication. According to our analysis, the objective of the attack is to install malware on the routers to add them to a botnet – meaning they could be used as the remote-controlled infrastructure for future attacks.
The current attack was not designed to target Deutsche Telekom's Speedport routers, and it does not exploit any vulnerability in them. According to our current information, no Speedport routers are affected by the problem described in the Internet publication. This means it is not possible to install or run malware on a Speedport router with this method.
It is correct, however, that the extensive attacks resulted in malfunctions on individual Speedport models, which deactivated key router functions such as the DNS proxy. For our customers, this means their Internet access and IP telephony, for example, are disrupted. Thanks to network-side filter mechanisms we have implemented in the interim, restarting the device will usually solve such problems. In addition, firmware updates are already available for the most widely used router models – Speedport W 921V (incl. Fiber), Speedport W 723V model A, Speedport W 504V and Speedport entry I – that further improve the robustness of these models. These updates will be distributed to the devices through the Easy Support remote maintenance function and are also available to download under www.telekom.de/stoerung.