[iot-discussion] Remote exploit on CPE (somewhat related)
Dear colleagues,

First of all, I hope the relevant staff in operators is aware. I am pretty sure the bigger ones are, but if you have any (DSL) CPE in your network, please be aware of any unauthorised traffic or scanning towards TCP/7547 and consider dropping it. For information please refer to https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attac...

Of course this is not directly related to the Internet of Things, although of course these are things and they are connected to the Internet. And more importantly, again an example of device security not being 100%, which no doubt we will see amplified in the press and possibly the political space in calls for more security and regulation. What is even more interesting here is that the attack vector essentially is on the interface which allows for remote configuration and software management: TR-069.

I can think of a million questions and countless what-if scenarios that end in a dark cold world with few blinking LEDs, but let's try to stay on the positive side of things. Beyond warning the community and the operators about this vulnerability and urging them to patch the systems affected, what else is there for us or the RIPE community to do? We would need some help, also from people on this list, but would it be worth seeing if we can write up a more constructive "lessons learned" article, one that maybe goes beyond this particular incident? If we could try and distribute this amongst IoT equipment manufacturers, maybe it does raise some attention. So far I've seen many articles and warnings about incidents and of course, also as recently posted to this list, there are a number of very high-level approaches on security and how to best embed it in business process and product design.
But apart from very detailed technical specs, I haven't seen much around that sort of hovers along the middle: here are a number of incidents that all seem to be rooted in the same mechanisms, together with some recommendations on how to fix this in a structured manner. One interesting detail on this one for instance is indeed the call to drop this traffic on borders, an approach that might work for this particular type of device and attack as TR-069 should be limited to the operator's domain. But it also seems one that would be less effective or even impossible for an IoT device that is sold over the counter and needs the same management capabilities, only from "somewhere on the Internet" or more popular: "the Cloud".

Would there be space in RIPE to work on this and do you think there is work to be done on this and related items for our community?

Regards,

Marco Hogewoning
--
External Relations - RIPE NCC
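The post's practical advice is that TR-069 (CWMP) sessions towards CPE should only ever come from the operator's own ACS range, so anything else hitting TCP/7547 is worth spotting and dropping. The following is an added example, not part of Marco's post or of any RIPE tooling: it runs a simple detection over a few constructed flow records and reports sources outside an assumed ACS prefix that are probing port 7547, so an operator can feed the result into a border ACL or an alert. The ACS prefix, the flow-record format and all addresses are assumptions made up for the example.

```python
"""Detect TCP/7547 (TR-069 CWMP) connection attempts from outside the
operator's ACS range. Added example; log format and addresses are
constructed for illustration, not taken from any real network."""
import ipaddress

# Assumption: prefixes from which the operator's ACS legitimately reaches CPE.
ACS_PREFIXES = [ipaddress.ip_network("10.200.0.0/16")]
CWMP_PORT = 7547

# Constructed sample flow records: "proto src_ip:src_port > dst_ip:dst_port tcp_flags"
SAMPLE_FLOWS = """\
tcp 10.200.5.10:44120 > 100.64.12.7:7547 S
tcp 198.51.100.23:51000 > 100.64.12.7:7547 S
tcp 198.51.100.23:51001 > 100.64.12.8:7547 S
tcp 198.51.100.23:51002 > 100.64.12.9:7547 S
tcp 203.0.113.9:40001 > 100.64.12.7:7547 S
tcp 203.0.113.9:40002 > 100.64.12.7:443 S
udp 10.200.5.10:5060 > 100.64.12.7:5060 -
"""


def parse_flow(line):
    """Parse one constructed flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    proto, src, _, dst, flags = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "proto": proto,
        "src_ip": ipaddress.ip_address(src_ip),
        "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
        "flags": flags,
    }


def is_trusted_source(ip):
    """True if the source address belongs to the assumed ACS range."""
    return any(ip in net for net in ACS_PREFIXES)


def unauthorised_cwmp_sources(text):
    """Map each untrusted source to the number of distinct CPE it sent a
    TCP SYN to on the CWMP port. Trusted ACS sources are ignored."""
    targets = {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp":
            continue
        if flow["dst_port"] != CWMP_PORT or "S" not in flow["flags"]:
            continue
        if is_trusted_source(flow["src_ip"]):
            continue
        targets.setdefault(str(flow["src_ip"]), set()).add(str(flow["dst_ip"]))
    return {src: len(dsts) for src, dsts in targets.items()}


def scanners(text, min_targets=2):
    """Untrusted sources that touched at least min_targets CPE on TCP/7547,
    i.e. the ones that look like a sweep rather than a one-off."""
    return sorted(src for src, n in unauthorised_cwmp_sources(text).items()
                  if n >= min_targets)


if __name__ == "__main__":
    for src, n in unauthorised_cwmp_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {n} CPE targeted on TCP/{CWMP_PORT}")
    print("likely scanners:", scanners(SAMPLE_FLOWS))
```

The trusted-source check is the important design choice: the post notes that TR-069 should stay inside the operator's domain, so rather than trying to recognise malicious SOAP payloads, the check simply treats any non-ACS origin on port 7547 as unauthorised. That same rule translates directly into a border ACL that permits TCP/7547 towards customer CPE only from the ACS prefixes and drops the rest.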