An independent penetration testing company has published information about a major vulnerability in TalkTalk’s routers.
Recently, Pen Test Partners discovered that a variant of the Mirai worm could be used to steal Wi-Fi passwords from TalkTalk routers.
The problem is threefold: firstly, the vulnerability is fairly simple to exploit; secondly, it is made worse if users haven’t changed their Wi-Fi passwords; and thirdly, TalkTalk’s fix won’t help all users.
To elaborate, TalkTalk did release a fix, which disables the interface being used and resets the router back to its default password.
This would only help if you had changed your password, which the vast majority of users never do and may not know how to do.
Unfortunately, this highlights a problem we see all too frequently with Internet of Things and Internet-connected devices in general: users not changing default passwords.
Pen Test Partners have called for TalkTalk to “either replace customer routers immediately, or prove that they haven’t been compromised.”
Mark James, ESET IT Security Specialist, provides comment on the issue.
Is a recall and replacement of wireless routers likely?
“The problem we face with routers and their downfalls is getting the public to understand the problem and comprehend they can fix it themselves.
“Releasing firmware updates and expecting people to download, often unpack and then install the update is for most ‘more bother than it’s worth’. On top of that, when installing firmware, we often tell the user that any problems encountered may render that device useless!
“For most people the only way to fix the issue is to have a new device, configured and ready to go; the cost of doing this in an already cutthroat market is for most companies prohibitive and more unlikely to happen.”
What can ISPs do to mitigate such a problem?
“If fixes are available then offering help and guidance in getting them updated as soon as possible is the best we can hope for.
“The problems will be people getting the message and indeed the right help from authenticated parties: the scope for phishing and scam calls from others claiming to be the original manufacturers will only confuse and muddy the waters of who is who.”