600,000 routers bricked

https://www.linkedin.com/pulse/600000-families-using-one-internet-provider-have-routers-bruce-perens-geedc/

And then when it became clear that the issue wasn’t being addressed, they forcibly turned off those 600,000 routers. I am finding it difficult not to applaud that action.

The concern is that someone would shut off the routers or compromise them, so they compromised and shut them off?

After reading the actual report, I think Bruce is making assumptions about the attackers’ motivations that may or may not be the case.

https://blog.lumen.com/the-pumpkin-eclipse/

Still, 600k routers gone in 72 hours is quite a lot. If they were also being actively used in a botnet, good riddance.

That post from Mr. Perens about this is honestly really shitty.

  1. Is he right that Lumen has to shoulder blame for not keeping CPE updated with exploit free software? Certainly.
  2. Making a claim that all 600k of these routers were being used as botnet zombies without any supporting evidence is really poor form.
  3. Even if we assert that 50% of these devices were exploited for botnet activity, that means 50% WEREN’T. We shouldn’t be applauding 300k people/businesses that just had their internet connectivity yeeted away from them through zero fault of their own.
  4. “I’ve never heard of these router manufacturers” is exceptionally ignorant. ActionTec has been around since the early 90s. Sagemcom wasn’t someone I’ve heard of before, but so what.

Yes, CPE provided by ISPs can be a problem. But applauding asshats who bricked all this stuff as some noble event that should be “applauded” as he says is really, really stupid. It’s not going to meaningfully move the needle with how ISPs handle this stuff, and all it did was inconvenience a LOT of end users.

Let's hope that this action didn't harm anyone - particularly a vulnerable person who might have an emergency system using IP to send alerts.


In the second paragraph, he cites his source: https://blog.lumen.com/the-pumpkin-eclipse/

Lumen’s Black Lotus Labs detected the event; the post answers all of your concerns. Further, they remark that this was an especially sophisticated infection, that hid its tracks well.

Lee

Lumen’s Black Lotus Labs detected the event; the post answers all of your concerns.

The source document from Black Lotus details the behavior of the malware used to brick the equipment. It does NOT make any statements or claims that the targeted devices were being used in botnet activity, which is the accusation made by Mr. Perens in his post.

I’m sorry, but if you have the wherewithal to commandeer 600,000 devices well enough to permanently brick them, you have the wherewithal to commandeer them and load a patched version of software on them closing up the vulnerability.

If there’s no fixed version of software available for the platform, then you cannot fault the ISP for not patching the devices.

If there IS a fixed version of the software available, this person should have used the botnet c2 to distribute and apply the fixed firmware, thus solving the problem while not killing connectivity for innocent end users.

The decision to take destructive action is indefensible. The right choice should have been to update the devices with patched software if it was available, and if it wasn’t, to leave them alone and instead focus on trying to develop a fixed version of software.

Now, if they were simply inept, and were trying to load fixed software onto the devices but failed to test their process adequately first, then at least their heart was in the right place, even if their understanding of how to do large-scale firmware upgrades safely wasn’t.

But that’s certainly not what that article would lead us to suspect was the intended outcome.

Matt

It’s important to note though that if you quietly (or even publicly) patch 600k devices to fix a bug, nobody cares. Plus, doing so is still a crime: it’s 600k instances of accessing a computer system without permission. It’s also far, FAR easier to write a stream of 0s to the bootloader than it is to decompile and debug bad firmware.

Now if you brick the 600k devices, it gets attention. I’m NOT saying this is the appropriate or morally righteous thing to do, but like any other form of protest, the point is not to solve a single instance of a problem, it’s to draw attention to the wider systemic issue: some ISPs not patching or life-cycling their CPEs.

Depriving access to the Internet (and potentially 911) to 600k households is still wrong, no matter the intent.

-Matt

Lumen USED TO HAVE a walled-garden they dropped people into when their links/network ran amok... at least in legacy-qwest/century-link consumer connectivity situations. Maybe that's gone now? Maybe the part of the affected network for this incident didn't have that capability?

If you do a bit more digging, the ISP is not Lumen … It is a well-known ISP and I recall reading about this outage when it happened. I don’t know if indeed this was a botched attempt to gather a bot network or, like some said, an intentional act to get attention.

Robert Jacobs​​​​ | Data Center Manager


It appears that Robert Jacobs <rjacobs@pslightwave.com> said:


If you do a bit more digging, the ISP is not Lumen ... It is a well-known ISP

It's Windstream.

and I recall reading about this outage when it happened. I don’t know if indeed this was a botched attempt to gather a bot network or like some said an intentional act to get attention.

Nobody else knows either. For me the most interesting question is where did Windstream get 600,000 replacement routers and how long did it take. The original attack was three days.
