TalkTalk and other ISPs have been urged to replace wireless routers after an update to fix the problem fails to stop hackers from stealing router credentials.
According to a blog post from Pen Test Partners, the TR-064 security hole that affects routers provided by TalkTalk and other ISPs has not been properly fixed as all it does is reset a router that has been overtaken by hackers and disable the TR-064 interface.
This reset changes passwords back to the ones written on the back of the router. Pen Test Partners said that the fix doesn't work as “nearly all customers never change their Wi-Fi key from that written on the router.”
The firm said that many customers don't even realise password could be changed. A worm, dubbed “Annie” by Pen Test Partners, exploits the flaw to steal Wi-Fi passwords. The worm takes advantage of a misconfiguration in the router whereby a function set called ‘TR-064' is exposed to the internet. Most of the routers affected have components in them made by a group of companies called Ralkink, Econet, or Mediatek.
“So, the Annie worm and hackers have already stolen their Wi-Fi keys, and the TalkTalk fix simply resets the router, to the exact same keys that have already been stolen!!”
The security consultancy said that there was one mitigating factor: “The hacker has to be physically close to the router to compromise the Wi-Fi. However, if you know the SSID (also stolen using the Annie worm) you can use databases such as https://wigle.net to find your victim's house.”
Speaking to SCMagazineUK.com, Ken Munro of Pen Test Partners said that where the router has been taken over through ACS modification, then replacement is probably the only practical solution.
“This will be a very expensive exercise – sourcing the volume of routers required in a short space of time will be difficult,” he said.
“Where only Wi-Fi keys have been stolen, the ISP needs to help consumers update their firmware and change their wireless keys. This lends itself to telephone social engineering – you can see the scammers eyes light up: ‘Hi, I'm calling from TalkTalk and need to help you change your passwords after the recent hack…'.
“Replacement of the router is probably the only secure option to achieve this, without exposing customers to scammers,” he warned.
Adam Brown, manager of security solutions at Synopsys, told SC that ISPs can implement a supply chain process to analyse firmware before it is pushed to routers.
“Firmware in many cases does not come directly from the ISP themselves but from the router manufacturer, possibly with some amendments made by the ISP. To know exactly what components are in that software and the vulnerabilities associated with those components is vital. By running a check against the router firmware, ISPs can then understand the risks posed by the software running on their network and act accordingly,” he said.
Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC that many ISPs have inadvertently implemented insecure routers, running insecure protocols, that were easy to deploy and operate. “Unfortunately, just because it's easy, does not mean it's secure,” he said.
“Most people don't realise that ISPs are all experiencing eroding margins and increased competition. As operating costs continue to increase, and bandwidth becomes a commodity, their margins are being squeezed even further. If an ISP is faced with replacing all of their customer routers, this might just break their bank,” said Gates.
A spokesperson for TalkTalk said in a statement to SC that the issue is one impacting many ISPs around the world, and a “small number of TalkTalk customers have been affected”.
“We can reassure these customers there is no risk to their personal information as a result of this router issue and there is no need for them to reset their Wi-Fi password. However, any customer with concerns can find out how to change their Wi-Fi password on our website or in their initial router setup guide,” said the spokesperson.
“We have made good progress in repairing affected routers, but any customer who is still having any problems should visit our help site where they can find a guide that will show them how to reset their router. Alternatively, they can call us and we can talk them through the repair process or send them a new router.”