Deutsche Telekom Mirai router outage
A botched Mirai botnet campaign targeting a router exploit crashed roughly 900,000 Deutsche Telekom routers, knocking German customers offline for internet, phone, and TV over two days in November 2016.
- Victim: Deutsche Telekom
- Users: 900.0K
On the evening of 27 November 2016, roughly 900,000 of Deutsche Telekom's 20 million routers began crashing, cutting internet, telephone, and television service for German customers in a disruption that spilled into the following day. The cause was a botched Mirai botnet campaign.
What happened
Earlier that month, on 8 November 2016, an exploit targeting the TR-064 remote-management protocol (over port 7547) on Eir D1000-class routers was published. A new variant of the Mirai IoT botnet quickly weaponised it, mass-scanning the internet to enrol vulnerable home routers into the botnet.
When this variant probed Deutsche Telekom's Speedport routers (models W 921V, W 723V Type B, and W 921 Fiber), the devices did not actually become infected — they crashed instead. A flaw in the attack code meant the exploit attempt locked up the routers rather than recruiting them, paradoxically preventing infection but causing a mass outage. About 900,000 customers lost connectivity.
Impact
- Around 900,000 fixed-line customers lost internet, VoIP telephony, and IPTV service.
- Outages began around 17:00 on Sunday 27 November and continued into Monday morning, roughly two days of intermittent disruption.
- Deutsche Telekom responded by pushing a firmware update that installed automatically once affected routers were power-cycled, restoring service.
Attribution
The campaign was traced to a botnet operator using the handle "BestBuy," later identified as British national Daniel Kaye. He was arrested at Luton Airport in February 2017 and convicted by a German court in July 2017, receiving a suspended sentence. Kaye had reportedly been building a botnet for hire and did not intend to take down Deutsche Telekom specifically — the outage was collateral damage from a broken exploit.
Why it matters
The Deutsche Telekom outage was an early, vivid demonstration of how insecure consumer IoT and CPE devices can be conscripted at national scale — and how even a failed infection attempt can cause large-scale collateral disruption to critical telecom services. Coming weeks after Mirai's record-breaking DDoS attacks on Dyn and Krebs on Security, it cemented Mirai as the defining IoT-botnet threat of the era and accelerated regulatory and ISP attention to router security, remote-management interfaces, and default-credential hardening.
Timeline
- 8 November 2016: An exploit targeting the TR-064 protocol on Eir D1000-class routers is made public, opening the door to remote infection.
- 27 November 2016: A new Mirai variant begins mass-probing port 7547; around 17:00 local time roughly 900,000 Deutsche Telekom routers start failing.
- 28 November 2016: Outages continue into Monday morning, disrupting internet, telephony, and TV for affected customers.
- Deutsche Telekom rolls out a firmware update that installs automatically after affected routers are rebooted.
- February 2017: Suspect Daniel Kaye ('BestBuy') is arrested at Luton Airport, UK, in connection with the campaign.
- July 2017: A German court convicts Kaye, handing him a suspended sentence over the botnet attack.
Sources
- krebsonsecurity.com: https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/
- news.sophos.com: https://news.sophos.com/en-us/2016/11/29/deutsche-telkom-outage-mirai-botnet-goes-double-rogue/
- bankinfosecurity.com: https://www.bankinfosecurity.com/mirai-botnet-knocks-out-deutsche-telekom-routers-a-9565
- flashpoint.io: https://www.flashpoint.io/blog/new-mirai-variant-involved-latest-deutsche-telekom-outage/