More than 900,000 Deutsche Telekom customers came under attack over the weekend by someone who was deploying a 'Mirai-like' toolkit against certain models of routers.
Due to some unknown error, possibly a flaw in the attacker's code, rather than pwning the routers, all the attacker managed to do was crash them.
If they had been successful it could have been catastrophic. A 1.1 terabyte per second attack – from a Mirai botnet which leveraged the firepower of tens of thousands of connected devices – was enough to bring down Dyn which in turn crippled some of the biggest names on the internet including Netflix, Twitter and Spotify.
But even this would be dwarfed by an attack that leveraged the power of 900,000 devices.
If the attacker had been successful in taking over nearly one million consumer routers, we wouldn't be thinking of Deutsche Telekom as the victim but the enabler of a botnet that would have been able to take down core components of the internet.
Deutsche Telekom's Speedport routers are rebadged OEM devices, mostly sourced from Asia. About five percent of the customer base, or 900,000 out of 20 million customers, were using one of three models from Arcadyan Technology in Taiwan.
Now DT is pushing out updates and reviewing its relationship with Arcadyan. But it would be wrong to assume that punishing one company will be enough to clean up the internet because we know that routers from dozens of manufacturers are riddled with security vulnerabilities, many of which have remained unpatched for years.
Other telecom providers should sit up and take notice. Two obvious lessons to learn from this attack:
Don't give your customers routers with weak security. One of the questions that Deutsche Telekom has to answer is how rigorously it tested these devices before giving them to its technologically unsavvy customers.
Monitor your broadband infrastructure for the indicators of an attack. An attack against every router on your network is bound to throw up some common pattern, such as a sudden wave of session drops concentrated in one router model, that would raise red flags in SecOps.
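As an added illustration of the second lesson (this is example code, not anything from the article or from Deutsche Telekom's monitoring), the following script reads access-network session logs, buckets session-drop events by router model and one-minute window, and raises an alert when one model's drop rate spikes far above its baseline. The log format, the field names, the model labels and the thresholds are all assumptions; the sample lines are constructed for the example, not real telemetry.

```python
"""Detect a fleet-wide CPE outage pattern from session-drop logs.

Added example, not code from the article or from any ISP. The log format
(ISO timestamp followed by key=value fields), the model labels and the
thresholds are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (not real data): one line per session event.
# MODEL-A drops eight lines inside a single minute; MODEL-B drops one.
SAMPLE_LOG = """\
2016-11-27T15:00:02Z event=session_down model=MODEL-A line=l1001
2016-11-27T15:00:05Z event=session_down model=MODEL-A line=l1002
2016-11-27T15:00:09Z event=session_down model=MODEL-A line=l1003
2016-11-27T15:00:14Z event=session_down model=MODEL-A line=l1004
2016-11-27T15:00:21Z event=session_up   model=MODEL-B line=l2001
2016-11-27T15:00:30Z event=session_down model=MODEL-B line=l2002
2016-11-27T15:00:33Z event=session_down model=MODEL-A line=l1005
2016-11-27T15:00:41Z event=session_down model=MODEL-A line=l1006
2016-11-27T15:00:50Z event=session_down model=MODEL-A line=l1007
2016-11-27T15:00:58Z event=session_down model=MODEL-A line=l1008
2016-11-27T15:01:10Z event=session_down model=MODEL-A line=l1009
"""

# Assumed per-model baseline: expected session_down events per one-minute window.
BASELINE = {"MODEL-A": 0.5, "MODEL-B": 0.5}


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a UTC datetime under 'ts'."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["ts"] = ts
    return fields


def bucket_drops(lines, window_seconds=60):
    """Count session_down events per (model, window_start_epoch)."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") != "session_down":
            continue
        bucket = int(f["ts"].timestamp()) // window_seconds * window_seconds
        counts[(f["model"], bucket)] += 1
    return counts


def find_anomalies(counts, baseline, multiplier=10, floor=5):
    """Flag windows where one model's drops exceed both an absolute floor and
    multiplier x its baseline. Concentration in a single model is the pattern
    a firmware-targeted attack leaves behind, as opposed to a regional outage."""
    alerts = []
    for (model, bucket), n in sorted(counts.items()):
        expected = baseline.get(model, 0.0)
        if n >= max(floor, multiplier * expected):
            alerts.append({
                "model": model,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "drops": n,
                "expected_per_window": expected,
            })
    return alerts


def analyse(log_text, baseline=BASELINE):
    """Convenience wrapper: log text in, list of alert dicts out."""
    return find_anomalies(bucket_drops(log_text.splitlines()), baseline)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"ALERT {alert['window_start']} model={alert['model']} "
              f"drops={alert['drops']} expected={alert['expected_per_window']}")
```

In production the baseline would come from historical per-model drop rates rather than a hard-coded table, and the alert would also carry the share of the fleet affected, but the core signal is the same: many lines of one model dropping in the same minute is not ordinary churn.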
Although it turns out that Deutsche Telekom was playing Russian roulette with the internet, we know it's not the only one. This incident had the potential to cripple the internet not only in Germany but anywhere else the attacker chose to target with a DDoS attack.
This time we dodged a bullet, but if internet service providers don't take steps to secure their broadband customers, next time we might not be so lucky.