Hyperoptic's ZTE-made 1Gbps routers had hyper-hardcoded hyper-root hyper-password
Firmware updates pushed out to up to 400,000 subscribers
A security vulnerability has been found in Brit broadband biz Hyperoptic's home routers that exposes tens of thousands of its subscribers to hackers.
The gigabit provider's routers are made by ZTE, the Chinese electronics giant that American and British spy agencies have sounded an alarm over. The United States has also imposed a ban on American companies selling components to ZTE and other Chinese network gear makers.
In November, infosec outfit Context IS alerted consumer-rights charity Which? to critical vulnerabilities found in the Hyperoptic broadband home router H298N. These bugs can be exploited to gain control of the device, change its firewall and security settings, change the administrative password, and generally cause havoc.
All a victim has to do is click on a link, for example in an email or message, while on the same local network as the router, to trigger exploitation: the URL takes the victim to a webpage that abuses a hardcoded root password in the router.
"The combination of a hardcoded root account and a DNS rebinding vulnerability allows an internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage," Context IS said in an advisory on Tuesday. "The vulnerabilities are present on both “HyperHub” router models, the ZTE H298N and the newer ZTE H298A, affecting hundreds of thousands of devices."
By hijacking the routers, attackers could also turn them into a part of a powerful botnet, given Hyperoptic's speeds of up to 1Gbps.
According to the Which? article more than 400,000 customers may have been affected. However, as pointed out by ISP Review, the actual subscriber figure is more likely to be closer to 100,000.
Daniel Cater, the security researcher at Context IS who discovered the flaw, said: “This has implications for the customers’ own data, but also if an attacker compromises enough routers of an ISP, the threat is elevated and has the potential to impact national security, such as via mass surveillance or DDoS attacks against critical infrastructure.
“Recent announcements from the [National Cyber Security Centre] have shown that attacks such as this against other ISPs and routers are not hypothetical. All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”
Hyperoptic secured all its ZTE routers in December 2017 once it was alerted to the problem, said a spokeswoman. It then rolled out a more permanent fix, upgrading the firmware in all customer routers in April 2018. The fix was to basically set individual root passwords for the devices.
She said: "We have no evidence nor reports of any customers affected, and all customer routers are now secured against it."
Separate research from Broadband Genie found as many as 82 per cent of punters have never changed the password and security setting on their routers. ®