Current security topics
Here you will find current information on security topics, whether FRITZ! products are affected, and if so, to what extent.
Please also note our security information on FRITZ!OS updates.
There are currently reports about the botnet malware 'AVrecon', which can infect Linux-based routers. Thorough investigation has not revealed any vulnerability in our products that could be used to infect them with this malware. Our own observations and customer reports show no botnet malware active on our products.
A scientific paper on security issues in the Wi-Fi standard entitled 'Framing Frames' is currently being discussed in specialist circles. Our products are not affected by any of the implementation-specific issues described in the paper. The paper also discusses a security issue in the 802.1X authentication method known as 'WPA Enterprise'. The FRITZ!Box does not offer this method and is therefore not affected by it either.
The standard-level denial-of-service (DoS) possibility discussed by the researchers applies to our products as it does to every wireless device from any manufacturer, and will until the standard itself changes. DoS possibilities are inherent to wireless technologies, however, and many Wi-Fi clients reconnect very quickly (within 0.5 to 3.5 seconds). The connection would only be interrupted briefly; no data could be stolen through this.
Overall, we assess the threat posed by the 'Framing Frames' vulnerabilities as rather low. Regardless of the points currently under discussion, we generally recommend always using higher-layer encryption such as HTTPS or a VPN on public hotspots. With the current FRITZ!OS 7.50 it is even easier to use a VPN from a hotspot; see also VPN with FRITZ!Box.
A security vulnerability concerning predictable transaction IDs in DNS queries has recently been discovered in the free software projects uClibc and uClibc-ng. FRITZ!OS does not use these projects for DNS queries to the internet and is therefore not affected by this vulnerability.
A vulnerability (CVE-2021-44228, 'Log4Shell') has recently been discovered in the popular Java logging library 'log4j'. FRITZ! products are not affected by it. The MyFRITZ! service is not affected either.
Phishing emails are currently circulating that appear to be sent by a FRITZ!Box. The mail imitates a FRITZ!Box push service email and claims to carry a message from the answering machine as an attachment. The attachment is in fact malware.
Never open attachments or links in such emails. If you do not use the FRITZ!Box push service, ignore these emails. If you do use the FRITZ!Box push service, carry out the following steps to verify the email:
- Compare the sender of the email with the sender for the FRITZ!Box push service.
- Check whether the phone number mentioned in the email corresponds to a phone number you have set up in your FRITZ!Box.
- Check whether the attachment in the email has the file extension 'wav'.
There are currently reports in the media about vulnerabilities in routers with Realtek system-on-a-chips (SoCs). FRITZ! products are not affected by this.
There are currently reports in the media about the router vulnerabilities CVE-2021-20090, CVE-2021-20091, and CVE-2021-20092. FRITZ! products are not affected by them. The vulnerabilities only apply to OEM devices from one manufacturer.
Today, security researchers drew attention to the 'FragAttacks' Wi-Fi vulnerabilities. They are manufacturer-independent and affect many wireless devices such as smartphones, notebooks, routers, and game consoles. We are not aware of any unauthorized exploitation of FragAttacks, which in any case would have to take place within radio range of the Wi-Fi network. The security of services that encrypt with TLS, such as mail or apps, and of internet connections to HTTPS pages is not affected. Based on current knowledge, practical effects of FragAttacks are unlikely.
FRITZ! started rolling out security updates against FragAttacks last week. An update is available for the FRITZ!Box 7590, 7530 AX, 7530, 7490, 6590 Cable, 6490 Cable, 5491, and 5490. Further updates for current products will follow soon.
Following the recommendation of the Wi-Fi Alliance, we advise installing the updates made available by the manufacturers of wireless clients such as notebooks, wireless speakers, and smartphones.
There are currently many reports about attempts to access FRITZ!Box products. These are unsuccessful login attempts, apparently using guessed or previously leaked passwords. Such 'credential stuffing' and brute-force attacks constantly target devices that are reachable from the internet.
You can find further information on this topic in our Knowledge Base.
As a general rule, we recommend that users follow the advice on creating strong passwords, which they can find in the FRITZ!Box interface, for example.
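As an added illustration of how such password-guessing shows up in a log and how to spot it (this is example code, not AVM code or a FRITZ!OS feature): the sample lines below are constructed in the style of the FRITZ!OS event log, and their exact wording is an assumption. The detector keeps a sliding one-minute window of failed logins per source address, so a single mistyped password from the home network is not flagged while a burst from one address is.

```python
"""Added example, not AVM code: flag password-guessing bursts in
FRITZ!Box-style event log lines. The log lines are constructed samples."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "dd.mm.yy hh:mm:ss <message>".
SAMPLE_LOG = """\
05.03.21 02:14:01 Login to the FRITZ!Box user interface from IP address 203.0.113.7 failed (invalid password).
05.03.21 02:14:03 Login to the FRITZ!Box user interface from IP address 203.0.113.7 failed (invalid password).
05.03.21 02:14:04 Login to the FRITZ!Box user interface from IP address 203.0.113.7 failed (invalid password).
05.03.21 02:14:06 Login to the FRITZ!Box user interface from IP address 203.0.113.7 failed (invalid password).
05.03.21 02:14:09 Login to the FRITZ!Box user interface from IP address 203.0.113.7 failed (invalid password).
05.03.21 07:30:12 Login to the FRITZ!Box user interface from IP address 192.168.178.20 failed (invalid password).
05.03.21 07:30:40 Login to the FRITZ!Box user interface from IP address 192.168.178.20 successful.
05.03.21 11:02:55 Login to the FRITZ!Box user interface from IP address 198.51.100.9 failed (invalid password).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"Login to the FRITZ!Box user interface from IP address (?P<ip>[0-9a-fA-F.:]+) "
    r"(?P<result>failed|successful)"
)


def parse(log_text):
    """Yield (timestamp, source_ip, failed) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d.%m.%y %H:%M:%S")
        yield ts, m["ip"], m["result"] == "failed"


def find_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: start_of_window} for every source that produced at
    least `threshold` failed logins inside `window`. Successful logins are
    ignored; the window slides per source, so old failures expire."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, failed in parse(log_text):
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = q[0]
    return flagged


if __name__ == "__main__":
    for ip, since in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: password-guessing burst starting {since:%d.%m.%y %H:%M:%S}")
```

With the default threshold only 203.0.113.7 is reported; lowering the threshold to 1 lists every source with any failed login, which is useful for a first look at a log but too noisy for an alert. In practice the useful response to such a burst on a FRITZ!Box is the one the page already gives: a strong password and no remote access that is not needed, since the box itself does not expose these attempts in a machine-readable feed for automated blocking.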
Security vulnerabilities have been discovered in the DNS software Dnsmasq that could allow cached DNS entries to be manipulated. FRITZ! products are not affected by these vulnerabilities.
A series of security vulnerabilities known as 'Amnesia:33' was recently discovered in several open-source TCP/IP stacks used by networked devices. FRITZ! products are not affected by them.
We also update the security features with each new FRITZ!OS update. Therefore, we suggest installing the current update on all devices.
There are currently a number of media reports regarding 'Spectra', a security vulnerability in Wi-Fi and Bluetooth chips. FRITZ! products are not affected by the Spectra vulnerability.
The media is also currently reporting on a Wi-Fi security vulnerability related to Kr00k (CVE-2020-3702). Widely used FRITZ!Box models such as the 7590, 7580, 7530, 6590 Cable, 6591 Cable, and 6660 Cable are not affected by it. Other FRITZ! products running FRITZ!OS 7.20 or later are not affected either, and neither is any product on which the Protected Management Frames (PMF) feature is enabled. PMF can be enabled in the FRITZ!Box user interface under 'Wireless > Security > Additional Security Settings'. We estimate the practical impact of the vulnerability to be low, as we did in February for Kr00k (CVE-2019-15126): the majority of internet communication is encrypted at a higher layer, and an attacker would have to be within radio range to exploit it.
There are currently reports of a security vulnerability dubbed 'CallStranger' (CVE-2020-12695). Security researchers found a way to misuse the UPnP protocol to generate amplified traffic. The FRITZ!Box is not affected, because its UPnP service cannot be reached or used from the internet.
The media has been reporting on the Kr00k Wi-Fi vulnerability (CVE-2019-15126). It only affects devices with Broadcom and Cypress chips, neither of which is used in FRITZ! products. The only exceptions are the specialist models FRITZ!Box 7581 and 7582 for special connections such as G.fast and channel bonding. We have made FRITZ!OS 7.13 available for these models, in which the Kr00k vulnerability is fixed.
The practical relevance of the vulnerability is very small, since several conditions must be met for an attack to succeed, such as physical proximity to the device. Regardless of this, encryption at higher layers such as HTTPS is not affected.
There are currently reports about the security vulnerability CVE-2020-8597 in the pppd project. We do not use this software project, so FRITZ! products are not affected by it.
There are currently reports about a security vulnerability in cable modems dubbed 'Cable Haunt'. FRITZ!Box products are not affected: the vulnerable service does not exist in FRITZ!OS.
The media has reported on a vulnerability in the new WPA3 encryption for devices such as smartphones, tablets and routers. The FRITZ!Box is not affected by this vulnerability. The recently announced FRITZ!Repeater 3000 is the only FRITZ! product that already supports WPA3, and WPA3 is not active in the repeater's factory settings.
We have already released an update for the FRITZ!Repeater 3000 as a Lab version that addresses the points of the current WPA3 vulnerability. We also recommend always choosing a long, strong network password; the password evaluation in FRITZ!OS helps you find one. We strongly recommend installing the updates made available by manufacturers for all wireless clients, for example notebooks, smart TVs or tablets.
The practical impact of the WPA3 vulnerability is considered low, because WPA3 is still new and far less widespread than earlier WPA standards. The standard used by most wireless devices today is WPA2, which has proven itself over many years when used with long, strong passwords.
Phishing emails are currently circulating that appear to be sent in the name of the MyFRITZ!Net service. The mail links to a website that is a faked FRITZ!Box login page.
Never open links in such emails. Only log in on the page myfritz.net, whose authenticity can be checked in your web browser. Links in emails that we send to MyFRITZ! users point only to myfritz.net, fritz.com or avm.de.
Also refer to the tips given in the guide Tips for dealing with phishing emails.
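The checks this page gives for the two phishing campaigns (the faked push-service mail with a 'message from the answering machine', and the MyFRITZ!Net mail linking to a faked login page) can be applied to a saved mail file. The following is an added example and not AVM code or a FRITZ!OS feature: it checks the sender against the configured push-service sender, the phone numbers in the text against the numbers set up in the box, every link against the three domains named above, and every attachment for the .wav extension. It goes one step beyond the page's advice by also checking that a .wav attachment really starts with a RIFF/WAVE header, because an extension is easily spoofed. All addresses, numbers, hosts and both sample messages are constructed.

```python
"""Added example, not AVM code: apply this page's phishing checks to a mail.
Every address, number, host and sample message here is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed local settings: replace with the sender you configured for the
# FRITZ!Box push service and the phone numbers set up in your FRITZ!Box.
PUSH_SENDER = "fritzbox@example.net"
MY_NUMBERS = {"+49 30 123456"}
# The only domains this page says AVM links to in mails to MyFRITZ! users.
TRUSTED_LINK_DOMAINS = {"myfritz.net", "fritz.com", "avm.de"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+?\d[\d /-]{6,}\d")


def normalise_number(number):
    """Drop spaces and separators so that '+49 30 123456' equals '+4930123456'."""
    return re.sub(r"[ /-]", "", number)


def is_trusted_host(host):
    """True for the trusted domains and their subdomains, not for look-alikes."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def check_message(raw, push_sender=PUSH_SENDER, my_numbers=MY_NUMBERS):
    """Return a list of findings for one RFC 822 message; empty means it passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender must be the configured push-service sender. A From: header is
    #    trivially forged, so this check alone only catches sloppy phishing.
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    if sender != push_sender.lower():
        findings.append(f"sender {sender!r} is not the push-service sender")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    # 2. Any phone number mentioned must be one set up in the FRITZ!Box.
    found = {normalise_number(n) for n in PHONE_RE.findall(text)}
    known = {normalise_number(n) for n in my_numbers}
    if found and not found & known:
        findings.append(f"phone numbers {sorted(found)} are not set up in this FRITZ!Box")

    # 3. Links may only point to the domains listed on this page.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted_host(host):
            findings.append(f"link to untrusted host {host!r}")

    # 4. Attachments must be .wav files; additionally verify the RIFF/WAVE
    #    header (bytes 0-3 'RIFF', bytes 8-11 'WAVE') since names are spoofable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if not name.endswith(".wav"):
            findings.append(f"attachment {name!r} is not a .wav file")
        elif not (data[:4] == b"RIFF" and data[8:12] == b"WAVE"):
            findings.append(f"attachment {name!r} lacks a WAV header")
    return findings


def build_sample(sender, body_text, filename, payload):
    """Build a constructed sample message with one attachment (demo only)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"
    m["Subject"] = "New message on your answering machine"
    m.set_content(body_text)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


GENUINE_SAMPLE = build_sample(
    "fritzbox@example.net",
    "New message from +49 30 123456 on your answering machine, see attachment.",
    "message.wav",
    b"RIFF\x24\x00\x00\x00WAVEfmt ",
)
PHISHING_SAMPLE = build_sample(
    "service@fritzbox-push.example",
    "New message from +49 40 999999. Listen at http://fritz-box-login.example/voice",
    "message.zip",
    b"PK\x03\x04",
)

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SAMPLE), ("phishing", PHISHING_SAMPLE)):
        print(label, check_message(sample) or ["all checks passed"])
```

The constructed phishing sample fails all four checks; the constructed genuine sample passes them all. The sender check is the weakest of the four because the From: header is under the attacker's control, so a mail that passes only that check should still be treated as suspect if the link or attachment checks fail.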
The media is currently reporting on a new potential attack on the WPA2 security protocol. We see no practical implications for the FRITZ!Box as long as the WPA key is sufficiently complex. We recommend using WPA keys that the FRITZ!Box rates as 'good' or 'strong'. Because of its length, the Wi-Fi network key preset on delivery is secure.
The media is currently reporting on malware known as 'VPNFilter' found on routers from various manufacturers. There are no indications that FRITZ! products are affected by it.
Update 17/01/2018
Currently we see no further potential for attacks on the security concept of FRITZ! products due to the security vulnerabilities in processors known as 'Spectre' and 'Meltdown'. We are still in contact with the chip producers we work with.
Report from 04/01/2018
We are currently investigating the security vulnerabilities known as Spectre and Meltdown, which affect processors, and are in contact with the manufacturers of the chips we use. We currently see no potential for attacks on the security concept of FRITZ! products.
To exploit the security vulnerability, an attacker must be able to have a FRITZ! product execute their application. Unlike systems with open architecture and access to the operating system, our products are not designed to run third-party applications.
The media reports on a security vulnerability in TLS implementations (CVE-2017-1000385, the 'ROBOT' attack). The FRITZ!Box is not affected by it.
Update 10/11/2017
In rare cases a FRITZ!Box is configured to use the internet connection of another router via Wi-Fi uplink, the one FRITZ!Box operating mode affected by the WPA2 weaknesses described below. We have made an update available for the FRITZ!Box 7590, 7580, 7560, and 7490.
Update 26/10/2017
We made an update available for all current FRITZ!Repeaters and FRITZ!Powerline products with Wi-Fi support.
Update 20/10/2017
We have made the first updates available for FRITZ!Repeaters and FRITZ!Powerline products with Wi-Fi support.
Update 19/10/2017
Multiple WPA2 weaknesses were made public on 16 October 2017. Almost all of the described attacks target wireless clients, and all of them would have to take place within range of the targeted Wi-Fi network.
All FRITZ! products that are solely used as wireless access points are not affected, for example FRITZ!Boxes on broadband connections (DSL, cable, WAN, etc.). FRITZ! products that are used as wireless clients are affected by some of the indicated possibilities.
Overview:
- FRITZ!Box on a broadband connection used as a wireless access point (preconfigured and common operating mode): no update necessary
- FRITZ!Box with Wi-Fi uplink to another router (deviating from the preset, rarely used operating mode): upcoming update recommended
- FRITZ!Repeater used as a wireless bridge (preconfigured and common operating mode): upcoming update recommended
- FRITZ!Repeater used as a LAN bridge (deviating from the preset, rarely used operating mode): no update necessary
- FRITZ!Powerline with Wi-Fi support used as a powerline bridge (powerline uplink) (preconfigured and common operating mode): no update necessary
- FRITZ!Powerline with Wi-Fi support used as a wireless bridge (Wi-Fi uplink) (deviating from the preset, rarely used operating mode): upcoming update recommended
The security of the wireless home network depends on the secure connection of each individual wireless device. Under the internationally used CVSS classification the WPA2 weakness was rated 5.4 (medium), a medium rather than a critical severity. We explicitly recommend installing the updates provided by manufacturers on all wireless clients (for example notebooks and Android smartphones).
Update 17/10/2017
WPA2 vulnerability: FRITZ!Box on broadband connections secure
Report from 16/10/2017
As of today, there are reports of a vulnerability in the WPA2 protocol for Wi-Fi. WPA is relevant for all wireless products, from smartphones to routers to IP cameras. So far no attacks have been reported; any attack would have to take place within range of the Wi-Fi network. More details are required for a more accurate assessment. Regardless of Krack, internet connections to HTTPS pages (online banking, Google, Facebook, etc.) remain securely encrypted.
If necessary, we will make an update available as always. Here is an article from the Wi-Fi Alliance on the topic.
The media has reported about several security vulnerabilities in the DNS server software Dnsmasq. The FRITZ!Box is not affected as FRITZ!OS does not use the Dnsmasq software.
Under very unlikely circumstances, information about home network devices (only device name, MAC address and IP address) may be visible when devices with an active IPv6 connection are used. Access to the devices themselves is not possible. The risk is very low (CVSS v3: 3.1, low). This will be fixed in upcoming updates.
There have been reports about a security vulnerability in Samba (CVE-2017-7494). The FRITZ!Box is not affected by this vulnerability.
The current version FRITZ!OS 6.83 fixes a weakness in the older FRITZ!OS versions 6.80/6.81 that could, under certain circumstances, cause a restart. No misuse was reported. Versions 6.80/6.81 have already been completely replaced by version 6.83 via auto update.
The media has reported on a worldwide attack on internet routers. In Germany this led to disruptions of Speedport routers from Deutsche Telekom. The FRITZ!Box is not affected.
In the course of a certificate exchange, we have been using new and improved manufacturer certificates since 2015. Older certificates were replaced by software updates from the cable providers. Users do not have to do anything, and no misuse of the older certificates has been reported.
The FRITZ!Box is protected by regular security updates. Concerning CVE-2016-5195 ('Dirty COW'), we currently see no effect on the security level of the FRITZ!Box firmware.
Recently there have been a few cases of fraudulent use of telephone services connecting through routers. Concerning the FRITZ!Box, this can only occur with rarely used configurations and mainly only with older FRITZ!OS versions.
We continuously increase the features and security standards of the FRITZ!Box and generally advise using the latest version, which is currently FRITZ!OS 6.50 or higher. The current version can be checked and updated on the FRITZ!Box user interface.
You can find more information on security in the article Protecting the FRITZ!Box.
The SSL/TLS implementation currently used in the FRITZ!Box is not affected by the 'DROWN' attack (CVE-2016-0800). SSLv2 was only used by an externally hosted server responsible for a rarely visited subdomain of our website; this was fixed on the same day the DROWN attack was published.
Media such as arstechnica.com have reported on a security vulnerability in the glibc library used on Linux systems (CVE-2015-7547). The FRITZ!Box is not affected, since AVM does not use glibc in FRITZ!OS.
The media is currently reporting about a security vulnerability in routers for cable connections. Users are advised to change default Wi-Fi passwords. FRITZ!Box owners do not have to do anything. All FRITZ!Box models are protected with an individual Wi-Fi network key that is created at random. It is therefore not possible to use the serial number or other device-specific information to determine the Wi-Fi network key of a FRITZ!Box.
The media has reported about a security vulnerability in the infrastructure of the cable network and in the cable modem. Through the vulnerability it was possible to download profiles and passwords of modems from other customers.
FRITZ!Box is not affected by this security vulnerability.
According to statements from Vodafone/Kabel Deutschland, the security vulnerability has been closed by protection filters uploaded in mid-December.
The media is now reporting on a vulnerable service that is being used to execute arbitrary code on routers. The reports concern the 'USB over IP' service, which routers use to share devices such as USB printers in the local network; the vulnerable kernel driver is called NetUSB.
The FRITZ!Box is not affected by the exploited vulnerability, as it has never used the NetUSB driver.
FRITZ!Box products, both hardware and software, are developed entirely in-house by FRITZ!. Regular, free updates to the FRITZ!OS operating system are integral to the FRITZ!Box concept and keep all devices up to date with the current state of technology.
At the recent 31st Chaos Communication Congress it was announced that the embedded HTTP server RomPager contains multiple security vulnerabilities. FRITZ! products are not affected by them.
Reporting security topics
Do you have suggestions about how we could improve the security of our products? Then write to us at security@avm.de. We will get back to you by email if we have further questions, otherwise please excuse us for not responding to you individually. To ensure secure communication of sensitive information, please encrypt your email to security@avm.de by using our PGP key.
If you require support on technical matters relating to your FRITZ! product, please contact our Support.