Current security notifications

Please consider our security information about updates as well.

Release date Update and security topic

19.07.2023

No "Avrecon" malware on FRITZ! products

Currently there are many reports about the botnet malware "Avrecon", which can infect Linux-based routers. Comprehensive investigations have not revealed any vulnerabilities in our products which could be used to infect them with the "Avrecon" botnet malware. No botnet malware is active on our products. Our own observations and customer reports indicate that no botnet malware is active on on our products.

29.03.2023

Security information on the Wi-Fi topic "Framing Frames" of the Wi-Fi standard

A scientific paper on security issues in the Wi-Fi standard entitled "Framing Frames" is currently being discussed in specialist circles. Our products are not affected by any of the implementation-specific issues described in the paper. Also discussed is a security issue with the 802.1x login method known as "WPA Enterprise". FRITZ!Box does not offer this method and is therefore not affected by this either.

The standard-specific denial-of-service (DoS) possibility discussed by the researchers also applies to our products, as it does for every wireless device from any manufacturer; and will continue to apply until the standard changes. However, there are always DoS possibilities when it comes to wireless technologies and many Wi-Fi clients reconnect very quickly (0.5 to 3.5 seconds). The connection would only be briefly interrupted, but no data could be stolen.

Overall, we assess the threat posed by the "Framing Frames" vulnerability as rather low. Irrespective of the points currently being discussed, we generally recommend always using higher-level encryption methods such as HTTPS or VPN when using public hotspots. With the current FRITZ!OS 7.50, it is now even easier to use VPN in a hotspot. Find out more here: https://en.avm.de/service/vpn/

04.05.2022

uClibc and uClibc-ng: FRITZ!Box not affected

A vulnerability in the free software projects uClic and uClibc-ng regarding the use of transaction IDs in DNS queries has recently been discovered. FRITZ!OS does not use these projects for DNS queries to the internet and is therefore not affected by this vulnerability.

13.12.2021

Vulnerability affecting Java project "log4j"

A zero-day vulnerability has recently been discovered in the popular Java logging library "log4j". AVM products are not affected by this vulnerability. The MyFRITZ! service is also not affected.

25.11.2021

Phishing emails with FRITZ!Box answering machine message

Phishing emails are currently circulating that appear to be sent in the name of FRITZ!Box. The phishing email replicates the content of a FRITZ!Box push service email and claims to contain an attachment with an answering machine message. However, the attachment is fraudulent.

Please do not open any attachments or links in such emails. If you do not use the FRITZ!Box push service, ignore any emails like this. If you do use the FRITZ!Box push service, you should carry out the following steps to verify the email:

  • Compare the sender of the email with the senders you have set up for the FRITZ!Box push service.
  • Check whether the phone number mentioned in the email corresponds to a landline number you have set up in your FRITZ!Box.
  • Check that the attachment in the email has the file extension "wav".

18.08.2021

Router security

There are currently media reports about vulnerabilities in routers with Realtek system-on-a-chips (SoCs). AVM products are not affected.

10.08.2021

Router security

There are currently reports in the media about the CVE 2021-20090, 2021-20091 and 2021-20092 router vulnerabilities. AVM products are not affected. The vulnerabilities only apply to OEM devices from one manufacturer; the devices are listed here.

11.05.2021

"FragAttacks" Wi-Fi vulnerability

Security researchers today drew attention to the “FragAttacks” Wi-Fi vulnerability. The vulnerability is manufacturer-independent and affects various wireless devices such as smartphones, notebooks, routers and game consoles. We are not aware of an unauthorized exploitation of FragAttacks, which could also only occur in the direct physical proximity of the Wi-Fi network. The security of services such as mail or apps that perform encryption using TLS protocols, or internet connection via HTTPS pages, is not affected by the vulnerability. Based on current knowledge, practical effects of FragAttacks are unlikely.

AVM started rolling out security updates against FragAttacks last week. An update is available for the popular FRITZ!Box 7590; and there are public beta versions for other products. Additional updates for current products will follow soon.

AVM joins the Wi-Fi Alliance in recommending carrying out the updates offered by manufacturers for wireless devices such as notebooks, Wi-Fi speakers and smartphones.

Update, 21.05.21
An update is also available for the FRITZ!Box 7530 AX, 7530, 7490, 6590 Cable, 6490 Cable, 5491 and 5490 models, with public beta versions available for other products. Further updates for current products will follow soon.

01.03.2021

Router Security

Currently there are many reports about attempts to access FRITZ!Box products. These attempts are unsuccessful attempts to log in, apparently by guessing passwords, also known as "credential stuffing" attacks. Such attacks are constantly directed at countless devices connected with the internet.

Our Knowledge Base offers this information

As a general rule, we recommend heeding our instructions for secure passwords, which the user receives on the FRITZ!Box user interface.

20.01.2021

DNSpooQ - AVM products not affected

Security vulnerabilities have been discovered in DNSmasq software, whereby DNS entries could be manipulated. AVM products are not affected by this vulnerability.

08.12.2020

Amnesia:33 - AVM products not affected

A series of security gaps in the TCP/IP stack known as "Amnesia:33" was recently discovered in several networked devices. Devices from AVM are not affected.

Since every new version of FRITZ!OS includes updated security functions, we strongly recommend always loading the latest update to all devices.

06.08.2020

Wi-Fi security

There are currently a number of media reports regarding "Spectra", a vulnerability in Wi-Fi and Bluetooth chips. AVM products are not affected by the Spectra vulnerability.

In addition, media outlets are currently reporting on another Wi-Fi vulnerability called "Kr00k" (CVE-2020-3702). Common FRITZ!Box models including the 7590, 7580, 7530, 6590 Cable, 6591 Cable and 6660 Cable are essentially not affected by the Kr00k vulnerability. Other FRITZ! products with FRITZ!OS 7.20 or later are also not affected. All products for which the Protected Management Frames (PMF) feature is activated are also not affected. The PMF feature can be activated in the FRITZ!Box user interface under Wireless / Security / Additional Security Settings. AVM estimates the practical impact of the vulnerability to be low, as it did in February with Kr00k (CVE-2019-15126). The majority of Internet communication is encrypted and an attacker would have to be locally on site to exploit the vulnerability.

09.06.2020

Callstranger - FRITZ!Box not affected

There are currently reports of a security vulnerability involving the keyword "Callstranger." Security researchers have found a way to send an amplified amount of traffic using the UPnP protocol. FRITZ!Box is not affected as its UPnP service cannot be accessed or used from the Internet.

27.02.2020

Kr00K - FRITZ! products not affected

Media outlets have been reporting on the Kr00K Wi-Fi vulnerability (CVE-2019-15126). It only affects devices with Broadcom and Cypress chips, both of which are not used in FRITZ! products. Testing is being carried out for two older models from individual providers for special connections such as g.fast and channel bonding. If necessary, an update will be released in the near term for the two specialist models. According to the international CVSS standard, the vulnerability has a score of 3.1, which is low.

 

The relevance of the breach in practice is very small, as there are a number of conditions necessary for an attack to be successful, such as physical proximity to the respective device. Regardless of this, encryptions such as HTTPS are generally not affected as they operate at a higher level.

 

Update, 02.03.2020
AVM has provided updates to FRITZ!OS 7.13 for the two affected specialist models, FRITZ!Box 7581and 7582. This provides a fix for the Kr00k vulnerability.

21.02.2020

Router security - "pppd" project

Media outlets are currently reporting on the CVE-2020-8597 vulnerability in the PPP daemon (pppd) project. AVM does not use this software project and AVM products are therefore not affected by the vulnerability.

13.01.2020

Router security – "Cable Haunt"

Media outlets are currently reporting on a vulnerability that impacts cable modems. FRITZ!Box products are not affected by "Cable Haunt". The vulnerable component does not exist in FRITZ!OS.

11.04.2019

Wireless Security - WPA3 "Dragonblood"

Media outlets have reported on a vulnerability in the new WPA3 security protocol for devices such as smartphones, tablets, routers etc. The FRITZ!Box is not affected by this vulnerability. The recently announced FRITZ!Repeater 3000 is the only AVM product that already supports WPA3. The new WPA3 WiFi standard is not active in the repeater's factory settings.

AVM has already released an update for the FRITZ!Repeater 3000 as a Lab version, which addresses the points of the current WPA3 vulnerability. AVM also recommends always choosing a really long, strong network password. The password evaluation in FRITZ!OS helps you find a strong password. AVM strongly recommends deploying the provided updates from manufacturers for all wireless clients, for example notebooks, smart TVs or tablets.

The practical impact of the WPA3 vulnerability is considered to be low due to it still being new and less widespread than other WPA standards. The current standard used by most wireless devices is WPA2. It has proven itself over many years in the use of long, strong passwords.

08.08.2018

Wireless security and WPA2

Media reports are currently discussing a potential attack on the WPA2 security protocol. AVM doesn't see any practical implications on the FRITZ!Box if the network key is correspondingly complex. AVM recommends using a network key that the FRITZ!Box recognizes as "good" or "strong". Due to its length, the network key that is preset upon delivery is also secure.

25.05.2018

Malware VPNFilter - AVM products not affected

VPNFilter is a malware infecting routers around the world, and is a global issue that has been getting a lot of attention in the media. There is no evidence that AVM products are affected.

04.01.2018

Meltdown and Spectre – no potential attacks on AVM products

Update 17.01.2018
Currently AVM sees no further potential for attacks on the security concept of AVM products due to the security breaches in processors known as "Spectre" and "Meltdown". We are still in contact with the chip producers we work with.

Report 04.01.2018
AVM is currently investigating the security breaches in processors known as Spectre and Meltdown and is in contact with the chip producers that AVM cooperates with. We see no potential for attacks on the security concept of AVM products at the moment.

To take advantage of the weaknesses the attacker would need to execute his application directly on the AVM product. Unlike open architecture systems with access to the operating system, our products are specifcally designed not to run third-party applications.

13.12.2017

Security leak in TLS negotiation (Robotattack) - FRITZ!Box not affected

Media have reported about security breaches in various TLS implementations (CVE-2017-1000385).

FRITZ!Box is not affected by this.

16.10.2017

Krack breach in WPA2 (updated 10.11.2017)

Update 10.11.2017
In rare cases a router could be configured so it is able to access the internet provided by another router via wireless LAN uplink. This will be addressed with the next FRITZ!OS release.

Update 20.10.2017
AVM released first updates for wireless repeaters and WiFi/powerline products:
> More information

Update 19.10.2017
Multiple WPA2 weaknesses were made public on 16 October 2017. Almost all indicated attacks target wireless LAN clients. All attacks would have to occur within a close range of the targeted wireless LAN.

All AVM products that are solely used as wireless access points are not affected, for example FRITZ!Boxes on broadband connections (DSL, cable, WAN, etc.). AVM products that are used as wireless LAN clients are affected by some of the indicated possibilities.

Overview:
FRITZ!Box on a broadband connection used as a wireless access point (preconfigured and common operating mode): no update necessary
FRITZ!Box with wireless LAN uplink to another router (deviating from the preset, rarely used operating mode): upcoming update recommended

FRITZ!WLAN Repeater used as a wireless bridge (preconfigured and common operating mode): upcoming update recommended
FRITZ!WLAN Repeater used as a LAN bridge (deviating from the preset, rarely used operating mode): no update necessary

FRITZ!Powerline supporting WiFi used as a powerline bridge (powerline uplink) (preconfigured and common operating mode): no update necessary
FRITZ!Powerline supporting WiFi used as a wireless bridge (wireless LAN uplink) (deviating from the preset, rarely used operating mode): upcoming update recommended

The security of the wireless home network depends on the secure connection of each wireless device included. Based on the internationally used CVSS classification, the WPA2 weakness was rated at 5.4 (medium) and is therefore considered a minor problem. AVM strongly recommends to deploy the provided updates from manufacturers for all wireless LAN clients (for example notebook or Android smartphone)

Update 17.10.2017
> WPA2 flaw – FRITZ!Box on broadband connections are secure

Report from 16.10.2017
Several media have reported about a leak in the WPA2 protocol of wireless networks today. WPA is relevant for all wireless LAN products from smartphone to router all the way to IP cameras. So far there have been no attacks reported, which could only occur in a direct wireless environment. More details are needed to fully assess the situation. Besides Krack, internet connections via HTTPS pages (online banking, Google, Facebook, etc.) are secureley encrypted.

If necessary, AVM will provide an update as always. Please find the statement from the Wi-Fi Alliance > here.

05.10.2017

Security leaks in DNS server software Dnsmasq - FRITZ!Box not affected

Media outlets reported about several security leaks in the DNS server software Dnsmasq.

FRITZ!Box is not affected, since AVM does not use the Dnsmasq software in FRITZ!OS.

04.07.2017

Information on home network devices under IPv6

After visiting a malicious website for a longer period it could be possible – under very unlikely circumstances – that information about home network devices (only device name, Mac and IP address) are visible when using devices with an activated IPv6 connection. Access is not possible. The risk is very low (CVSS v3: 3.1, low). This point will be fixed in the upcoming versions.

19.04.2017

FRITZ!OS 6.83 increases robustness

The current version FRITZ!OS 6.83 fixes a weakness of the outdated FRITZ!OS version 6.80/6.81. Under certain circumstances a restart could have occurred. No misuse was reported. The version 6.80/6.81 was already completely replaced by the version 6.83 via auto update.

28.11.2016

Attacks on the Deutsche Telekom network - FRITZ!Box secure

Media outlets have reported about a worldwide hacker attack on Internet routers. In Germany, this lead to disruptions in Speedport routers from the Deutsche Telekom.

FRITZ!Box models are not affected by the attacks.

10.11.2016

Certificate exchange for cable routers

In the course of a certificate exchange, AVM has been using new and improved manufacturer certificates since 2015. Older certificates were exchanged by software updates from cable providers. Users don't have to do anything. Misuse of older certificates was not reported.

27.10.2016

Dirty Cow in Linux - FRITZ!Box not affected

The FRITZ!Box perfectly secure due to regular security updates. Concerning CVE-2016-5195 (Dirty Cow), we currently see no affect on the security level of the FRITZ!Box firmware.

07.06.2016

Telephone fraud with routers

Recently there have been a few cases of fraudulent use of telephone services connecting through routers. Concerning the FRITZ!Box, this can only be done through rarely used configurations and mostly occurs in combination with older FRITZ!OS versions at this point. AVM is continuously increasing the features and security standards of the FRITZ!Box and generally advises the use of the latest version, right now being FRITZ!OS 6.50 or higher. The current version can be checked and updated over the user interface.

The latest update for FRITZ!Box cable models is supplied by the cable providers.

You can find additional security tips in the Guide section.

03.03.2016

DROWN attacks, SSLv2: avm.de and myfritz.net not affected

Neither is the currently implemented SSL/TLS in the FRITZ!Box.

SSLv2 was only used for an externally hosted server that was responsible for a rarely visited subdomain of avm.de until recently. This was fixed the same day the DROWN possibility was released.

17.02.2016

Security breach through glibc in Linux network functions – FRITZ!Box not affected

Media like arstechnica.com and bbc.com have reported about a security leak in Linux networks via the glibc library.

FRITZ!Box is not affected, since AVM does not use glibc in FRITZ!OS.

23.12.2015

Infrastructure leak in cable network and cable modem – FRITZ!Box not affected

Media outlets have reported about a security leak in the infrastructure of cable networks as well as in cable modems. Through the leak it was possible to download profiles and passwords of modems from other customers.

FRITZ!Box is not affected by this security breach.

According to statements from Vodafone/Kabel Deutschland the leak has been closed by protection filters uploaded in mid December.

20.05.2015

Security breach through NetUSB – FRITZ!Box not affected

Media outlets are now reporting about a vulnerable service that is being used to execute arbitrary code on the router. The reports concern the service "USB Over IP", which routers use to access devices like USB printers in the local network. The driver that has been compromised is called NetUSB.

The FRITZ!Box is not affected by the exploited security flaw, as it never uses the NetUSB driver.

FRITZ!Box products, both hard and software, are all developed in house by AVM. Regular, free updates to the FRITZ!OS operating system are integral to the FRITZ!Box concept and keep all devices up to date with the current state of technology.

06.01.2015

Security breach through Rompager – FRITZ! products not affected

At the recent 31. Chaos Communication Congress, it was announced that the HTTP server Rompager showed multiple security leaks. FRITZ! products are not affected by this.

The HTTP server Rompager is a software used on many routers from other manufacturers to provide certain protocols. Among others, the security breach allows strangers to take over administration rights on affected routers. Please find more information on this topic and a list of affected devices under this link.

Reporting security topics

Do you have suggestions about how to improve the security of our products? Then please contact us at security@avm.de. We will get back to you via email should we have follow-up questions. Apart from that, please excuse that you will not get an individualized reply. For safe transmission of sensitive data, we advise you to encrypt emails to security@avm.de using the PGP Key by AVM.

Should you require assistance concerning technical questions, our Support Desk will be glad to assist you.

Please consider our security information about updates as well.