Wordfence are a provider of security tools for the popular WordPress CMS. They routinely analyse online threats to WordPress-based websites and publish their findings to their user community.
Recently, they posted an alert about the large global population of domestic routers that have a vulnerability which enables hackers to:
Their analysis has found thousands of routers worldwide being used for (1) so this is a real threat, not a theoretical one.
In response to a user request they have provided a tool that tests one's router for port 7547 being open or running a vulnerable version of RomPager. My Home Hub failed this test, so it's reasonable to assume that everybody else's will too.
The seriousness of this hardly needs emphasising so I raise the alert on this forum in the expectation that BT, as a responsible ISP, will take urgent and effective action to protect not only its customers but the global internet user community.
I understand that this port enables ISPs to download and install firmware updates, so the solution would appear to be the establishment of a secure protocol to enable encrypted communication while blocking 7547 from public access. Apparently there is already malware that installs itself on the router and then closes the port behind itself. You have to admire the ingenuity!
Over to you BT. You should find Wordfence very supportive in helping you address this problem.
Contrary to your statement "My Home Hub failed this test, so it's reasonable to assume that everybody else's will too", having used a few different "Port Checking" websites and checked the port on a couple of Homehubs, I found that the port was closed on them.
During the December router attack there were no instances of BT Hubs being involved. I'm not a fan of Hubs but they seemed to weather that particular storm intact. The port may not be stealthed but no instances of Hubs being recruited have been established.
A little info here:
So no reason to be concerned or cause panic with less knowledgeable users.
KRD - I'm in the same boat and agree they should be fixing this right away. It's totally irresponsible not to act.
It was not my intention to cause a panic! I raised the issue over the telephone with BT Tech Support who advised me to post the issue to this forum. So I provided as full information as I have.
My reported failure of the Wordfence security test may be a false positive or it may have revealed a problem that needs fixing. Either way, I would expect BT to come back to this forum with an authoritative response to put all our minds at rest.
I am grateful to you for posting this here, as I have also received the same update from Wordfence, and having tested my BT home hub, it also shows that the router has port 7547 open and may be vulnerable.
Here is the advice from Wordfence:
'What to do with the results
If you are vulnerable, we recommend that you:
If you are not vulnerable, but port 7547 is open on your router, we recommend that you:
Have you guys got any software installed that uses some form of Licence Management? That could be the reason for the oddity with your port.
I also received the alert from Wordfence and ran their test indicating my router was vulnerable.
It also alerted me to the fact the router's call home feature to update the firmware wasn't working, so my firmware was 9 months out of date. I had to factory reset my router several times this morning to force an update. This was extremely concerning.
Once the update was installed, my router got the all clear and the port was closed.... for about 20 minutes... when it once again became vulnerable.
It should be very simple for BT to block internet access to this port via a simple corporate firewall rule.
The port is used to communicate using TR-069, a technical specification for remote management of end-user devices. It should only be open between the ISP and the remote device. This is basic network security.
To quote the Wordfence blog...
Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router.
No reason to be concerned or cause panic? I disagree. Just because the router hasn't been hacked yet doesn't mean that it won't be. BT should take immediate action now to protect its customers from a very real threat.
We should all be extremely concerned that BT are not doing anything about this.
My SmartHub has 7547 open too. This is a home installation and we are not running anything like licensing software.
There are a lot of TR69 ConnectionRequest Failed entries in the log....
I've put in several calls to BT today regarding this, but ended up bouncing from one support team to another, occasionally being referred to the paid subscription 'Tech Experts' service, which I keep refusing to accept as a solution. I've been told to call 0808 100 4332 tomorrow, but I'm a little skeptical.
Any BT security engineers able to shine any light on this?
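
An added example, not part of any post in this thread and not Wordfence's or BT's tool: a small Python check for your own router that separates the three results the posters are comparing (port 7547 open, closed, or giving no answer) and reports any HTTP Server header, which is where a RomPager version string typically appears. The function names `probe` and `read_server_header` are this example's own.

```python
import socket
import sys

TR069_PORT = 7547  # TR-069 connection-request port discussed in this thread


def read_server_header(sock):
    """Send a minimal HTTP request and return the Server header, or None."""
    data = b""
    try:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while b"\r\n\r\n" not in data and len(data) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    except OSError:
        pass  # timeout or reset: parse whatever arrived
    for line in data.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def probe(host, port=TR069_PORT, timeout=3.0):
    """Classify one TCP port as seen from where this script runs.

    "open"     - handshake completed (banner returned if the service sent one)
    "closed"   - connection actively refused
    "filtered" - no answer or unreachable ("stealthed" in the thread's terms)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        raise  # bad hostname is a usage error, not a port state
    except ConnectionRefusedError:
        return "closed", None
    except OSError:
        return "filtered", None
    with sock:
        return "open", read_server_header(sock)


if __name__ == "__main__":
    # Run from a host outside your own network against your own public
    # address; a check from inside the LAN may not show what the internet sees.
    state, banner = probe(sys.argv[1])
    print(f"{sys.argv[1]}:{TR069_PORT} {state}; Server header: {banner}")
```

An "open" result only says the port answers from where the script ran; whether the firmware behind it is affected is a question for the vendor's or ISP's advisory.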