{"id":1542,"date":"2020-09-03T12:06:31","date_gmt":"2020-09-03T10:06:31","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=365424"},"modified":"2020-09-03T12:06:31","modified_gmt":"2020-09-03T10:06:31","slug":"how-a-hacker-broke-telkom-adsl-routers-to-make-it-fix-security-flaws","status":"publish","type":"post","link":"https:\/\/interwebdev.co.za\/index.php\/2020\/09\/03\/how-a-hacker-broke-telkom-adsl-routers-to-make-it-fix-security-flaws\/","title":{"rendered":"How a hacker broke Telkom ADSL routers to make it fix security flaws"},"content":{"rendered":"<p>On the dark web and in the deeper corners of the public Internet, hackers tell stories of a vigilante who scoured the Internet for insecure devices, hacked into them, and disabled them so that other hackers couldn\u2019t use them to launch attacks from.<\/p>\n<p>One of those stories is of how this hacker exploited vulnerabilities in the Aztech and D-Link ADSL routers Telkom sold to its customers.<\/p>\n<p>The hacker went by the moniker \u201cDr Cyborkian a.k.a. 
janit0r\u201d and claimed to be the same hacker who created the infamous BrickerBot malware in 2017.<\/p>\n<p>Although the BrickerBot part of the story is <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/BrickerBot\" target=\"_blank\" rel=\"noopener noreferrer\">relatively well known<\/a><\/strong>, less well-known is the fact that Janit0r wrote detailed reports about what they did after the success of BrickerBot.<\/p>\n<p>Part memoir and part technical guide aimed at fellow hackers who would like to try their hand at cleaning up the Internet by euthanising insecure devices, Janit0r posted nine reports on the dark web over several months.<\/p>\n<p>In an interview with <strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/brickerbot-author-claims-he-bricked-two-million-devices\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a><\/strong> in April 2017, Janit0r described their work as \u201cInternet Chemotherapy\u201d.<\/p>\n<blockquote>\n<p>I consider my project a form of \u201cInternet Chemotherapy\u201d. I sometimes jokingly think of myself as The Doctor.<\/p>\n<p>Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet was becoming seriously ill in Q3 and Q4\/2016 and the moderate remedies were ineffective. The side effects of the treatment were harmful but the alternative (DDoS botnet sizes numbering in the millions) would have been worse.<\/p>\n<p>I can only hope that when the IoT relapse comes we\u2019ll have better ways to deal with it. Besides getting the number of IoT DDoS bots to a manageable level, my other key goal has been to raise awareness.<\/p>\n<p>The IoT problem is much worse than most people think, and I have some alarming stories to tell.<\/p>\n<\/blockquote>\n<p>Janit0r\u2019s memoir is also titled \u201cInternet Chemotherapy\u201d. 
The first nine parts of the memoir were published between 10 December 2017 and 7 July 2018.<\/p>\n<p>After a long hiatus, Janit0r returned to the dark web and started posting updates again on 22 June 2020. The latest instalment was published on 31 July 2020.<\/p>\n<p>The hacker stated that the intention behind BrickerBot and their subsequent hacks on ISPs and telecommunications service providers was to make the Internet a safer place.<\/p>\n<p>With so many vulnerable Internet-of-Things devices online that could be turned into \u201cbots\u201d, Janit0r said that there was a serious risk should these devices continue to be left online in their insecure states.<\/p>\n<h3>The dirty case of Telkom South Africa<\/h3>\n<p>On 2 February 2018, Janit0r published the fourth instalment of \u201cInternet Chemotherapy\u201d which was subtitled \u201cThe dirty case of Telkom South Africa\u201d.<\/p>\n<p>In it, Janit0r explained how they used the TR069\/64 SOAP vulnerability (<strong><a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2016-10372\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2016-10372<\/a><\/strong>) to hack into insecure Telkom-branded Aztech routers and render them inoperable.<\/p>\n<p>While going through the device pool on the Telkom network, Janit0r said they noticed a large number of D-Link devices that you could log into with default passwords and reconfigure over the Internet.<\/p>\n<p><a href=\"https:\/\/mybroadband.co.za\/news\/security\/78873-adsl-router-security-concern-in-sa.html\"><strong>MyBroadband reported about vulnerabilities in Telkom-deployed D-Link routers<\/strong><\/a> as early as May 2013, but the problem was never fully addressed.<\/p>\n<p>In addition to hacking and \u201csoft bricking\u201d the exposed Aztech routers on Telkom\u2019s network, Janit0r said that they also targeted some D-Link and Huawei routers.<\/p>\n<p>Janit0r\u2019s hope was that the disruption would cause Telkom to realise that there was a significant security 
problem on its network and fix it. However, that is not what happened.<\/p>\n<p>Since Janit0r did not leave the routers in a state where they were permanently destroyed, Telkom simply advised customers to restore them to factory default settings.<\/p>\n<p>Janit0r executed their attacks against the vulnerable routers frequently, which means that even if Telkom subscribers factory reset their routers, they would soon find themselves disconnected from the Internet again.<\/p>\n<p>If subscribers complained about the repeated problems with their router, Telkom\u2019s support staff would advise that customers buy a new router.<\/p>\n<p>The hacker broke down the effect of their attacks on a daily and monthly basis. The following table shows how, according to Janit0r, the number of vulnerable devices on Telkom\u2019s network declined between July 2017 and January 2018:<\/p>\n<div class=\"mybb_table\">\n<table cellpadding=\"7\">\n<thead>\n<tr>\n<th>Month<\/th>\n<th>Aztech (TR069 exploit)<\/th>\n<th>D-Link (default password)<\/th>\n<th>Huawei (MediaTek RPC exploit)<\/th>\n<th>Other<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>July 2017<\/td>\n<td>246<\/td>\n<td>0<\/td>\n<td>0<\/td>\n<td>783<\/td>\n<\/tr>\n<tr>\n<td>August 2017<\/td>\n<td>159411<\/td>\n<td>1771<\/td>\n<td>0<\/td>\n<td>31519<\/td>\n<\/tr>\n<tr>\n<td>September 2017<\/td>\n<td>11203<\/td>\n<td>4249<\/td>\n<td>3180<\/td>\n<td>20394<\/td>\n<\/tr>\n<tr>\n<td>October 2017<\/td>\n<td>8196<\/td>\n<td>2145<\/td>\n<td>2577<\/td>\n<td>14997<\/td>\n<\/tr>\n<tr>\n<td>November 2017<\/td>\n<td>9225<\/td>\n<td>2303<\/td>\n<td>2077<\/td>\n<td>15492<\/td>\n<\/tr>\n<tr>\n<td>December 2017<\/td>\n<td>4278<\/td>\n<td>765<\/td>\n<td>604<\/td>\n<td>8925<\/td>\n<\/tr>\n<tr>\n<td>January 2018<\/td>\n<td>3716<\/td>\n<td>670<\/td>\n<td>268<\/td>\n<td>7245<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>\u201cAlthough you might 
call the 94% reduction in vulnerable devices between August and January a big improvement, it should be noted that it took 6 months to realize this result,\u201d Janit0r stated.<\/p>\n<p>In contrast, Janit0r reported that they saw Rogers in Canada respond decisively to similar attacks within 48 hours, while Infostrada Italy had a five-day turnaround.<\/p>\n<p>\u201cBased on the social media record Telkom simply took a \u2018not our problem, buy a new modem\u2019 approach to any Telkom-supplied device that was out of warranty, and the mitigations were left to the user community to figure out on their own,\u201d Janit0r reported.<\/p>\n<h3>Complaints on social media<\/h3>\n<p>Many of the social media posts from 2017 which Janit0r refers to in the original dark web post are still online to serve as proof of the Telkom hack.<\/p>\n<p>\u201cIt seems that we have been picking up some issues with the Aztech routers that we have in the field. We are busy investigating the cause of the problem, but in the meantime it seems that resetting your router to the Factory Defaults and then reconfiguring it will solve most, if not all the issues,\u201d a <strong><a href=\"https:\/\/community.telkom.co.za\/t5\/Routers-Devices\/Aztech-Router-How-to-Reset\/td-p\/11087\" target=\"_blank\" rel=\"noopener noreferrer\">Telkom community manager<\/a><\/strong> said on the company\u2019s support forum.<\/p>\n<p>In response, several users continued to complain. One reported: \u201cI\u2019ve done the factory reset as per the instructions a few times already. 
It only lasts for an hour or two, and then the same problem rears its ugly head\u2026no internet.\u201d<\/p>\n<p>In a different thread on the same forum, another user <strong><a href=\"https:\/\/community.telkom.co.za\/t5\/Routers-Devices\/Aztec\/td-p\/11071\" target=\"_blank\" rel=\"noopener noreferrer\">posted<\/a><\/strong> that a support desk agent informed them that 80% of the complaints Telkom was getting related to Aztech routers, and 20% to Huawei routers.<\/p>\n<p>On MyBroadband, one of the forum members posted about <a href=\"https:\/\/mybroadband.co.za\/forum\/threads\/telkom-dlink-2750u-hacked.908697\/\"><strong>how they solved a problem with a D-Link router during the attacks<\/strong><\/a>:<\/p>\n<blockquote>\n<p>Client complained about no internet. Went to site to find SSID changed to TELKOMHACKED, password still the same, and the Internet Connection (pppoe under WAN connection) completely gone.<\/p>\n<p>Router\u2019s admin password wasn\u2019t on default. Support user\u2019s password however was still on TelkomDlink12345. Suppose that\u2019s how they got in. Telkom as ISP.<\/p>\n<p>Just FYI to change support password as well when configuring these modems.<\/p>\n<\/blockquote>\n<h3>Telkom, Aztech, D-Link, Huawei router vulnerabilities not unique<\/h3>\n<p>Janit0r noted that the situation on Telkom\u2019s network was, unfortunately, not isolated or unusual.<\/p>\n<p>\u201cAdmittedly the case of Telkom of South Africa isn\u2019t that unique or even interesting, but it\u2019s a story that has to be told in order to give you a better perspective of the complexities involved in forcing negligent ISPs to correct their security problems,\u201d stated Janit0r.<\/p>\n<p>\u201cThe problems involving Telkom are representative of the issues with many large ISPs outside the US and RIPE network space.\u201d<\/p>\n<p>Last year South African ISPs faced multiple waves of devastating distributed denial of service (DDoS) attacks. 
<a href=\"https:\/\/mybroadband.co.za\/news\/internet\/333082-cool-ideas-hit-by-another-big-ddos-attack.html\"><strong>Cool Ideas was especially hard hit<\/strong><\/a>, with subscribers left unable to connect to the Internet for days at a time.<\/p>\n<p>These attacks were enabled by <a href=\"https:\/\/mybroadband.co.za\/news\/internet\/320911-ddos-attacks-can-wipe-south-african-isps-off-the-internet.html\"><strong>poorly configured MikroTik routers<\/strong><\/a> on entirely different networks than the ISPs who were targeted.<\/p>\n<p>In an unrelated matter, <a href=\"https:\/\/mybroadband.co.za\/news\/security\/303442-international-investigation-into-cryptojacking-in-south-africa.html\"><strong>the Hawks also investigated cryptojacking attacks<\/strong><\/a> last year that were perpetrated through MikroTik routers that were not properly secured.<\/p>\n<p>The DDoS and cryptojacking attacks in South Africa happened despite the fact that MikroTik offers excellent support and timely security patches for its devices, unlike some other Internet router manufacturers.<\/p>\n<p>The issue was therefore not the MikroTik devices themselves, but the fact that Internet service providers and network operators had not configured them correctly or kept them properly updated.<\/p>\n<h3>The retirement of Janit0r<\/h3>\n<p>Janit0r announced their <strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices\/\" target=\"_blank\" rel=\"noopener noreferrer\">retirement<\/a><\/strong> from hacking and bricking IoT devices at the end of 2017. 
The final instalment of \u201cInternet Chemotherapy\u201d was posted to the dark web on 7 July 2018.<\/p>\n<p>MyBroadband asked Telkom how it has secured its network against hacks such as the one Janit0r launched on vulnerable routers, but the company did not respond by the time of publication.<\/p>\n<p><em>Thanks to <strong><a href=\"https:\/\/defplex.wordpress.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Defplex<\/a><\/strong> for the tip.<\/em><\/p>\n<p><a href=\"https:\/\/mybroadband.co.za\/news\/internet-of-things\/365424-how-a-hacker-broke-telkom-adsl-routers-to-make-it-fix-security-flaws.html\">Source: MyBroadband<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On the dark web and in the deeper corners of the public Internet, hackers tell stories of a vigilante who scoured the Internet for insecure devices, hacked into them, and disabled them so that other hackers couldn\u2019t use them to launch attacks from. 
One of those stories is of how this hacker exploited vulnerabilities in [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1543,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[77],"tags":[52,53,54,55,56,8,57,59,72,60,61,62,63,64,65,66],"class_list":["post-1542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-co-za","tag-com","tag-affordable","tag-cheap","tag-cpanel","tag-development","tag-domain","tag-hosting","tag-interweb","tag-joomla","tag-registration","tag-reseller","tag-shared","tag-south-africa","tag-website","tag-wordpress"],"acf":[],"_links":{"self":[{"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/posts\/1542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/comments?post=1542"}],"version-history":[{"count":0,"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/posts\/1542\/revisions"}],"wp:attachment":[{"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/media?parent=1542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/categories?post=1542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/interwebdev.co.za\/index.php\/wp-json\/wp\/v2\/tags?post=1542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}