FRITZ!Box update wave: Information on the (fixed) security gap

AVM and the FRITZ!Box are widely known for their very good security and are often considered the most secure routers on the market. Numerous tests and evaluations have repeatedly confirmed this fact. Nevertheless, it has been shown that even with continuous security updates and constant improvements, security problems can occasionally occur that cannot be completely ruled out. Today, Monday, FRITZ!Box owners were overwhelmed by a wave of updates.

Various models, including devices that have long since been written off, are receiving an important security update. Supposedly more models will follow tomorrow (05.09). The background of the updates has not yet been officially confirmed, but there have already been reports in several Italian forums as to what exactly has happened to the FRITZ!Box. It’s about access from the Internet – often via port 443.

The suspected vulnerability apparently makes it possible to change the configuration of the device by exposing Internet ports. The main suspicion centers on the opening of port 443 for remote access to the router, which appears to be a common trait among the affected victims, as allegedly reported by AVM itself. However, some sources claim that port forwarding may also suffice, while others report that devices with closed port 443 are affected and are using alternative ports for these functions.

The (freely translated) press release in the “Fibra Click” forum read like this:

“AVM is aware of cases in which internet access via PPPoE and/or registration on the FRITZ!Box 7590 user interface is no longer possible. AVM is currently investigating the problem thoroughly. What we currently know:

  • In all cases of remote access to the FRITZ!Box user interface via https, the access port was activated using the well-known https port 443.
  • In all cases, this https access was set up by the ISP to administrate the router.
  • We don’t have any FRITZ!Box models in addition to the FRITZ!Box 7590 affected by the issue.”

The attacks

According to reports, customers of various ISPs, mainly in Italy as well as internationally, are the target of attacks that appear to exploit precisely this suspected vulnerability. The effects are as follows:

  1. Deletion of the PPPoE access data: This prevents users from connecting to the Internet.
  2. Changing or deleting administration credentials: This prevents users from accessing the router interface.

The only solution to restore functionality is to reset the device to regain access to the box and reconfigure the PPPoE parameters for the Internet connection. There are currently no known long-term or costly effects.

Solution

AVM has already released a security update for more than 25 FRITZ!Box models. More will most likely follow on September 5th, 2023. This closes the security gap. The update will usually be installed automatically tonight. AVM has a service for important security updates that can automatically and immediately install the update (at setting level II & III).

According to information from Deskmodder, this (extreme) measure was last carried out almost 10 years ago. Here, also through external access, SIP access data for telephony were imported, which could cause enormous costs. At that time, too, an update of this magnitude was installed.

There were probably “only” 9 days between the detection of the problem and the solution in the form of an update. It is always commendable that both current and very old models are still being updated. We would highly recommend installing the latest updates for your FRITZ!Box and not blocking any updates. The repeatedly mentioned sentence “Don’t touch a running system” can be neglected with such measures.

The instructions published by AVM, also in the forum, read (freely translated) like this:

“What we recommend end users to restore their internet service:

  • Open http://fritz.box in the browser on a device that is connected to the FRITZ!Box.
  • If you can log in with the FRITZ!Box password, click on “Wizards”, then on “Internet” and follow the instructions.
  • If login fails, you can restore user settings via the “Forgot Password” feature on the login page and follow the instructions (detailed information). After the internet service has been restored, update to the latest FRITZ!OS version.”