Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack; and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently an accident and not done intentionally.
This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different to the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”
Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”
In a subsequent post on Saturday, Tierney seems to have named the second worm ‘Annie’.
“The TR-064 security hole that was reported this week is really nasty,” he reported. “The worm that exploits this is being referred to as ‘Annie’. Attackers appear to have cottoned on to the fact that the TR-064 vulnerability can be used for more than just recruiting the router into a botnet.” The additional purpose, he suggested, is to steal the router’s WiFi network key. Worryingly, he also claims that the fix pushed out by TalkTalk will most likely not solve the problem.
Following the incident, TalkTalk published its solution: customers should switch off affected routers and leave them for 20 minutes while they update with new software. “After 20 minutes try and access the internet again, if you’ve changed your wireless details then you’ll need to use the wireless network name and password on the back of the router.”
But Tierney sees a problem with this: it won’t work as a fix. “Nearly all customers never change their Wi-Fi key from that written on the router. Why would they? I’ll bet many don’t even realize they can.” So what happens is that Annie steals the key, and “the TalkTalk fix simply resets the router, to the exact same keys that have already been stolen!!”
Having acquired the WiFi key, a hacker can listen in to communications and infect the network with additional malware. He would need to be in close physical proximity to the router (outside, perhaps in a closely parked vehicle); but, added Tierney, “if you know the SSID (also stolen using the Annie worm) you can use databases such as https://wigle.net to find your victim’s house.” His solution is that TalkTalk “should be REPLACING all customers routers urgently;” possibly as many as 55,000.
TalkTalk itself is not currently keen to do so. A spokeswoman told the BBC that the number of infected routers had been “nothing in that order of magnitude”. She added, “Our security team does not believe there is any greater risk that a customer’s wi-fi can be used or accessed without their permission as a result of this.”
Dr. Steven Murdoch from University College London suggested something in between the two positions. “It’s possible [the perpetrators of Annie] are just security researchers, but also reasonably possible that they are actually criminals that intend to exploit this information.” He doesn’t believe that TalkTalk needs necessarily recall all the routers: “The hardware is fine, what needs to be replaced is the wi-fi password.”
He does, however, admit that this is difficult. “If TalkTalk does this online or over the phone, that leaves the customers open to phishing attacks, where a scammer says: ‘As you heard on the news you need to change your password, please do these things…'”
TalkTalk remains adamant that even the password change is unnecessary. Given its recent hefty fine by the UK’s Information Commissioner following last year’s breach, it must be very confident.