Hundreds of thousands of Deutsche Telekom customers in Germany had their broadband service cut off, or severely slowed, on Sunday following a Mirai-bot hack-attack on its hardware.
As Sunday turned into Monday, the scale of the widespread attack on the maintenance interfaces of certain types of broadband routers owned by Deutsche Telekom customers became clear. The attack disrupted the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany.
While the number of those affected does seem high, Deutsche Telekom made the point that the 900,000 figure represented only about 4.5% of its customer base. A statement on its website said:
“The attack attempted to infect routers with a malware but failed which caused crashes or restrictions for four to five percent of all routers.”
While it is not yet known who was behind the attack on the German Internet Service Provider (ISP), the culprit seems to have been a modified version of the Mirai worm.
The source code for the Mirai-bot-worm was released into the wilds of the internet earlier this year, and was quickly seized upon by hackers to mount what was the single largest denial of service attack in internet history.
Mirai works by spreading itself across the internet and searching for “vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into ‘bots,’ forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.”
In the Deutsche Telekom hack over the weekend, the outages so far only seem to have affected certain models of customer broadband DSL and fibre routers, but crucially not the network itself, the company said.
Fortunately, curing infected devices of Mirai is relatively simple. All customers need to do is reboot the device in question, because Mirai can currently only exist in memory. But if users don’t then change the default IoT device password, they are extremely liable to be hacked again by Mirai in just a few minutes, especially if not all affected users reboot and change their passwords.
“After the reboot, the router should function normally,” says Deutsche Telekom on its website. Quite how affected customers were supposed to read this message without any web access is another thing.
Deutsche Telekom has also issued a patch for two models of its Speedport broadband routers (Speedport W 921V, Speedport W 723V Type B) that are affected, and it should install itself automatically.
While the effects of Mirai can be extensive and cripple networks, users can protect themselves easily by changing the default passwords that come with their routers and other Internet of Things devices.