TalkTalk router Mirai worm attack refusing to die
The recent attacks on TalkTalk customers using the DSL-3780 router and some Zyxel devices has highlighted some of the vulnerabilities as millions of us make our homes more and more complex and increasingly have little understanding about how devices will interact.
The Mirai worm was initially thought to be relatively benign i.e. reset router and off you go again, but in the process of investigating the Mirai attack it was found that someone was using the same vulnerability to harvest some 57,000 combinations of SSID (wireless network identifier) and MAC (unique hex string identifying WAN interface of a router) and passwords allowing access to the Wi-Fi network. Whether this harvesting was done to see what was possible via the vulnerability and no-one was planning to use the data for nefarious purposes or with clear criminal intent is a big unknown.
So why are we writing about it now, i.e. relatively late to the party, mainly because the original numbers involved were fairly small, but there is now a war of words about whether advice from TalkTalk is sufficient i.e. no need to change router passwords and wireless access keys.
The reality is that while its easy to say the risk is low, the impact for someone who may see their network compromised could be high. Of course in reality the risk from sharing a wireless access key with a 'friend' or the latest bit of malware attached to yet another phishing email is probably a lot higher.
To exploit the SSID and Wi-Fi network you of course need to be fairly close to a property, but if someone joins your Wi-Fi network and they know your router admin password all manner of things are possible, or alternatively they may do nothing more than surf a few websites and if someone has tracked you down by linking together all the data out there they might decide to play a blackmail game, or worse carry out activities that are what the security and police forces are watching for.
So should you change your router passwords? Better to be safe at the end of the day, and TalkTalk does have guides on how to do this. You should also double check that your various devices have their own security and anti-virus and malwave detection software up to date and working.
A final note of caution, the various help-desk scammers are likely to cotton onto this new issue and start their 'random' phoning of people, so be wary of any calls about installing software to fix issues. In short treat any random call as a scam even if they claim to be your ISP and actually have some of your personal details, hang-up, dial a friend to double check the line is clear, then find the actual phone number of your providers support and call them or make use of their online web chat.
Update 6pm A re-wording to emphasis that the Wi-Fi and router password scrape was not carried out using the Mirai worm, but some other software that made use of the same vulnerability. This multiple exploits scenario for a vulnerability should be no real surprise as once multiple people learn about a vulnerability there will be people racing to make use of the hole before it is shut down, or put another way there is money to be made trading this sort of information on the dark web.