TalkTalk has moved to reassure users about an issue involving routers and the Mirai worm, and has advised that users change their password.
According to research by Imperva Incapsula, a Mirai variant was used to exploit a newly discovered TR-069 protocol vulnerability to hijack network routers. The vulnerability reportedly poses a threat to customers of numerous ISPs around the world. The command can be modified to let hackers remotely execute bash commands, including enabling them to: open port 80 for remote access; obtain WiFi passwords; modify the IP table rules; and inject malware into the device.
A scan revealed a number of malware-infected home routers, over 99% of which belonged to the TalkTalk Telecom network. “Without full access to the infected routers, it’s difficult to know with certainty whether the malware used to execute this attack was the same Mirai variant used against Deutsche Telekom or the one encountered by the BadCyber researchers,” Imperva said.
“That said, every minor source code modification breeds a new Mirai ‘mutation’, making these nuances almost beside the point. What’s important to note is that these attacks are enabled by the same vulnerability in ISP distributed routers. We hope that the accumulated reports of the attacks will serve as a wake-up call for ISPs using routers susceptible to the vulnerability in the TR-069 protocol.”
A statement from TalkTalk, published by BBC News, moved to reassure customers that “there is no risk to their personal information as a result of this router issue and there is no need for them to reset their wi-fi password”. It also claimed that a “small number of TalkTalk customers have been affected”.
Its statement read: “However, any customer with concerns can find out how to change their wi-fi password on our website or in their initial router set up guide. We have made good progress in repairing affected routers, but any customer who is still having any problems should visit our help site where they can find a guide that will show them how to reset their router.
“Alternatively, they can call us and we can talk them through the repair process or send them a new router.”
Ken Munro, partner at Pen Test Partners, recommended users contact their ISP to find out if their router is vulnerable, and if so, how to update the firmware. “Personally, I think that the ISP should be replacing ALL of the affected routers, as it’s possible that the hackers could keep control of your router even after you’ve reset it and applied the fix,” he said.
“The ISPs should have done a better job of checking their routers before sending them to customers. The manufacturers should have had the software written securely in the first place. The TR-069 issue has been known about for a while, though until recently few realized just how serious it was. Until someone started building the botnet and people’s routers stopped working, few were taking this seriously.”
Update - Story was updated to correct protocol from TR-064 to TR-069