Answers to attack on routers of DT customers

Some of our customers experienced restrictions of the fixed-line network. Here you can find an overview of the most relevant answers including answers on the security of routers and past cases.

The routers are obviously configured in a way that not only Deutsche Telekom but also third parties have access to them. Why were the routers not better protected?

Of course, the routers were protected: The attack was not successful, the routers were not infected. There are no IT components which guarantee 100 percent safety. That’s why identified vulnerabilities have to be closed as soon as possible. This was done here in cooperation with the manufacturers.


As stated by IT security experts, this vulnerability was already known. Why was this gap not closed earlier?
The current problem was neither identical with the vulnerability from 2014 nor with the case in Ireland a few weeks ago. The routers in our case were not infected, the attack was not successful. However, because of the attack the routers of our customers were overloaded and crashed.


Are now all affected routers of DT costumers secure?

Yes, the updates of the routers prevent a new access by third parties to the maintenance interfaces. We need a remote maintenance system, e.g. to signalize routers that there are updates available.


Was the Deutsche Telekom network hacked? 
No, the attack targeted routers of Deutsche Telekom customers and, according to the German Federal Office for Information Security, was part of a global attack on so-called remote maintenance interfaces.

What was the aim of the attack? 
It was an attempt to infect these routers with malware and to turn them into parts of a so-called botnet - this failed. The attack was not successful.

What impact did the attack have on customers? 
There was no impact for the vast majority of them, around 96 percent. The impact varied for around four percent, in other words, around 900,000 customers. Some experienced restricted service, others were unable to use our services at all. At present, not all customers are back online.

How long will it take before all customers are disruption-free again?
We made the first software updates available yesterday and installed them on the affected routers. New updates will follow today, and more are in progress. However, the procedure is time-consuming. It will take a few more days before the final router is updated.

What measures has Deutsche Telekom taken?
Firstly, we have applied filter measures in the network to prevent the remote maintenance interface from being accessed by the attackers in order to exclude a new infection of devices. In parallel, experts from the router manufacturers have begun developing software updates, and their installation on the affected routers began yesterday afternoon. We could already see signs of a clear stabilization during the course of yesterday morning, so our measures have taken effect. We also had to check whether or not all router types that were not affected were perhaps infected with malware. The fact that they were working was no proof of being free of malware.

Could the attack have been prevented?
Based on current information, no. But the detailed analysis is still ongoing. The attack was part of a worldwide offensive, which is what the Federal Office or Information Security has confirmed

Has Deutsche Telekom made savings at the cost of security? 
No, on the contrary: We invest billions in our network and in its security. We operate a cyber-defense center and have a separate Board department responsible for the protection of our data. When purchasing routers we work closely with our suppliers in order to meet our high security and quality standards. The case shows us, however, that there is no such thing as 100 percent security.

The same repeated requests to take the routers offline came across as helpless, to put it mildly … 
Nevertheless, it's the most effective way for a lay person to have improved software installed. For those who would rather install the software themselves, the software can be downloaded from

Isn't the migration to IP the wrong route to take?
No, the attack targeted routers, not the network. Lines both in the traditional and the IP-based network were affected.

Is anything already known about the possible culprits? 

Were sets of customer data stolen?
Based on what we currently know, this is not the case.

Are other types of Speedports affected by this attack?
Update 12-01-2016: In the interests of our customers we will check all Speedport models and provide appropriate firmware updates. These are already available for Speepdort W921V (incl. fiber) and Speedport W723V Type B; we can provide them today for Speedport W504V Type A and Speedport Entry I. We will provide our customers with firmware updates for other models as soon as possible.

The models Speedport W 724 Typ A, Typ B, Typ C, Speedport Smart, Speedport Entry II, Speedport Neo, Speedport W 922V and Speedport Hybrid are not affected by the attack, on the basis of the facts currently known. 

Isn't it high time to put an end to router coercion? 
There is no router coercion at Deutsche Telekom.