Hyperoptic's ZTE-made 1Gbps routers had hyper-hardcoded hyper-root hyper-password

Firmware updates pushed out to up to 400,000 subscribers

A security vulnerability has been found in Brit broadband biz Hyperoptic's home routers that exposes tens of thousands of its subscribers to hackers.

The gigabit provider's routers are made by ZTE, the Chinese electronics giant that American and British spy agencies have sounded an alarm over. The United States has also imposed a ban on American companies selling components to ZTE and other Chinese network gear makers.

In November, infosec outfit Context IS alerted consumer-rights charity Which? to critical vulnerabilities found in the Hyperoptic broadband home router H298N. These bugs can be exploited to gain control of the device, change its firewall and security settings, change the administrative password, and generally cause havoc.

All a victim has to do is click on a link, for example in an email or message, while on the same local network as the router, to trigger exploitation: the URL takes the victim to a webpage that abuses a hardcoded root password in the router.

"The combination of a hardcoded root account and a DNS rebinding vulnerability allows an internet-based attacker to compromise all customer routers of UK ISP Hyperoptic via a malicious webpage," Context IS said in an advisory on Tuesday. "The vulnerabilities are present on both 'HyperHub' router models, the ZTE H298N and the newer ZTE H298A, affecting hundreds of thousands of devices."
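The rebinding half of the chain described above only works because the router's web interface answers any request that reaches its LAN address, whatever hostname the browser thinks it is talking to. The following is an added illustration (not code from Context IS, ZTE or Hyperoptic) of the two standard defences: a management interface that rejects requests whose Host header is not its own identity, and a resolver that drops public names resolving to private addresses, as dnsmasq's --stop-dns-rebind does. The router address and hostname are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Identities the router's admin interface answers to (constructed sample values;
# a real device would use its actual LAN address and hostname).
ROUTER_ADMIN_HOSTS = {"192.168.1.1", "hyperhub.lan"}


def host_header_allowed(host_header: str,
                        allowed: Iterable[str] = ROUTER_ADMIN_HOSTS) -> bool:
    """Return True only if the HTTP Host header names the router itself.

    In a DNS rebinding attack the browser sends the attacker's hostname in
    the Host header while the TCP connection has been rebound to the router's
    LAN address. Comparing Host against the device's own identity rejects
    such requests before any credential (hardcoded or not) is checked.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:80
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:                    # host:port for names and IPv4
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}


def filter_rebind_answers(qname: str, answers: Iterable[str],
                          local_zones: Iterable[str] = ("lan",)) -> List[str]:
    """Drop A/AAAA answers that point a *public* name at a private address.

    Resolver-side defence: an upstream reply claiming attacker.example is
    192.168.1.1 is discarded, so the rebinding step never completes. Names in
    the LAN's own zones are still allowed to resolve to private addresses.
    """
    name = qname.rstrip(".").lower()
    is_local_name = any(name == z or name.endswith("." + z) for z in local_zones)
    kept = []
    for answer in answers:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue                              # malformed record: drop it
        if is_local_name or not (ip.is_private or ip.is_loopback or ip.is_link_local):
            kept.append(answer)
    return kept
```

Note that Python's ipaddress module also classes the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so they are filtered too.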

By hijacking the routers, attackers could also turn them into a part of a powerful botnet, given Hyperoptic's speeds of up to 1Gbps.

According to the Which? article, more than 400,000 customers may have been affected. However, as pointed out by ISP Review, the actual subscriber figure is more likely to be closer to 100,000.

Daniel Cater, the security researcher at Context IS who discovered the flaw, said: “This has implications for the customers’ own data, but also if an attacker compromises enough routers of an ISP, the threat is elevated and has the potential to impact national security, such as via mass surveillance or DDoS attacks against critical infrastructure.

“Recent announcements from the [National Cyber Security Centre] have shown that attacks such as this against other ISPs and routers are not hypothetical. All ISPs should take this seriously, and invest in thoroughly testing their consumer devices and their infrastructure if they are not already doing so.”

Hyperoptic secured all its ZTE routers in December 2017 once it was alerted to the problem, said a spokeswoman. It then rolled out a more permanent fix, upgrading the firmware in all customer routers in April 2018. The fix was essentially to set an individual root password on each device.

She said: "We have no evidence nor reports of any customers affected, and all customer routers are now secured against it."

Separate research from Broadband Genie found as many as 82 per cent of punters have never changed the password and security settings on their routers. ®


Biting the hand that feeds IT © 1998–2022